Federal Court of Appeal found Facebook Breached Privacy Law
Overview
On September 9, 2024, the Federal Court of Appeal (“FCA”) released its decision on the Privacy Commissioner of Canada’s (“Commissioner”) appeal from the Federal Court’s decision that the Commissioner had failed to show that Facebook breached the consent and safeguarding requirements of Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”). In this landmark decision, Canada (Privacy Commissioner) v. Facebook, Inc.[1], the FCA overturned the Federal Court’s decision and found that Facebook had breached its obligations under PIPEDA. In particular, the FCA emphasized that organizations must turn their minds to the “reasonable person” both when obtaining consent and when safeguarding user data.
Background
Following the launch of Facebook’s “Platform”, a technology that enabled third parties to build applications that run on Facebook, and the subsequent launch of the “Graph API”, which allowed those apps to receive user information, Facebook implemented various privacy measures. These measures included platform-wide policies, user controls and educational resources.
The adequacy of those measures was called into question in 2015, when media reports revealed that one of these third-party applications, “thisisyourdigitallife” (“TYDL”), was obtaining user data beyond what it needed to function and selling that data to a corporation called Cambridge Analytica and a related entity. Importantly, TYDL was obtaining not only the installing users’ data but also data belonging to those users’ Facebook friends. Following its investigation into Facebook’s compliance with PIPEDA, the Commissioner concluded that Facebook had failed to obtain valid and meaningful consent for its disclosures to third-party applications such as TYDL, and had failed to safeguard users’ information.
In 2021, the Commissioner commenced proceedings in the Federal Court alleging that Facebook’s practice of sharing its users’ personal information with these other third-party applications was in breach of PIPEDA.
The Federal Court’s Decision
The Federal Court’s decision rested on the purpose of Part 1 of PIPEDA, which the Federal Court interpreted as balancing a user’s right to protect their information against “an organization’s right to reasonably collect, use or disclose personal information”[2]. The two issues before the Federal Court were whether Facebook had failed to:
(1) Obtain meaningful consent from users and Facebook friends of users when sharing their personal information with third-party apps; and
(2) Adequately safeguard user information.
The Federal Court held that the Commissioner had failed to discharge its burden on both allegations because of insufficient evidence. The Federal Court also held that Facebook’s safeguarding obligations end once information is disclosed to a third-party application, and that a data breach does not by itself mean that an organization’s safeguards were inadequate.
The FCA’s Decision
In allowing the appeal, the FCA found three overriding errors in the Federal Court’s reasons: (1) the Federal Court premised its conclusion largely on the absence of expert and subjective evidence; (2) the Federal Court failed to inquire into the existence or adequacy of the consent given by the friends of users who downloaded third-party apps, as opposed to the installing users themselves; and (3) the Federal Court did not engage with the evidence concerning the content of meaningful consent under clause 4.3 of Schedule 1 and section 6.1 of PIPEDA.
On the issue of evidence, the FCA clarified that “subjective evidence does not play a role in an analysis focused on the perspective of the reasonable person”[3]. The meaningful consent provisions of PIPEDA, together with its purpose, “pivot on the perspective of the reasonable person” in asking whether an individual could have “reasonably understood” how their information would be used or disclosed.[4] The reasonable person standard is an objective standard, not a subjective one. While it of course requires the court to consider the surrounding circumstances, it is the court’s responsibility to define an objective, reasonable expectation of meaningful consent. The FCA made clear that if the Federal Court found that a reasonable person would not have understood what they were consenting to, no amount of reasonable effort on the part of the organization could change that conclusion.
The FCA also pointed to considerable probative evidence that was before the Federal Court and that should have been considered in its decision. That evidence included transcripts in which Facebook’s CEO, Mark Zuckerberg, acknowledged that he imagined most people do not read the entire Terms of Service or Data Policy, as well as the fact that Facebook allowed TYDL to continue to be installed and to access the data of users’ friends despite the red flags.
Turning to the issue of consent, the FCA found that Facebook failed to obtain meaningful consent from the friends of installing users before disclosing their data, and so breached PIPEDA. Key to this part of the FCA’s analysis was that obtaining consent from the installing users alone was not enough. The FCA also found that Facebook’s Data Policy, the only information that friends of users were given about the sharing of their information, was too broad and did not contemplate the large-scale data scraping that occurred in this case. The FCA reached the same conclusions regarding the users who installed the applications themselves. Again, the question of what the reasonable person would have understood had to be asked, and Facebook failed to ask it.
Finally, on the issue of Facebook’s safeguarding obligations, the FCA found that the Federal Court failed to consider relevant evidence of Facebook’s inaction when TYDL requested unnecessary user information, as well as Facebook’s failure to review in detail the privacy policies of third-party apps. Further, because Facebook had created the opportunity for the data breach, the FCA held that “Facebook cannot contract itself out of its statutory obligations”.[5]
Takeaways
This decision serves as a reminder that:
(1) Organizations need to ensure that they obtain meaningful consent directly from the individuals whose information they share, not only from the users who trigger the sharing. One way to support meaningful consent is to develop privacy policies that are clear and concise.
(2) Organizations need to safeguard personal information when sharing that information with third parties, including third-party applications.
For more information, please contact Roland Hung of Torkin Manes’ Technology and Privacy & Data Management Groups.
The author would like to acknowledge Torkin Manes’ Articling Student, Yasmin Thompson, for their assistance in drafting this bulletin.
[1] Canada (Privacy Commissioner) v. Facebook, Inc., 2024 FCA 140.
[2] Ibid at para 121.
[3] Ibid at para 60.
[4] Ibid at para 61.
[5] Ibid at para 116.