Roadmap: Federal Court of Appeal Finds Facebook’s Practices in Breach of Canada’s Private-Sector Privacy Legislation

  • October 4, 2024
  • Steffi Tran

INTRODUCTION

On September 9, 2024, the Federal Court of Appeal in Canada (Privacy Commissioner) v. Facebook, Inc., 2024 FCA 140, found that Facebook Inc., now Meta Platforms Inc. (Facebook), breached Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) by failing to obtain meaningful consent from users and to appropriately safeguard user data.

This decision constitutes the most recent update in a series of events resulting from the Office of the Privacy Commissioner of Canada’s (OPC) investigation into Facebook’s practices, which commenced in 2018.

ROADMAP

2018-2019: OPC Investigation and Findings

In March 2018, the OPC commenced a joint investigation in response to a complaint relating to Facebook’s compliance with PIPEDA in the wake of revelations about its disclosure of certain users’ personal information to a third-party application, “thisisyourdigitallife” (TYDL). Media reports had revealed that user data obtained by TYDL was sold to Cambridge Analytica and used for the purpose of targeted political messaging. The OPC’s investigation focused on the time period between November 2013 and December 2015 (i.e., when the TYDL application was active on Facebook’s platform).

In the following year, the OPC published a joint Report of Findings, which concluded that Facebook failed to obtain valid and meaningful consent from certain users, had inadequate safeguards to protect user information, and failed to be accountable for the user information under its control.

The OPC also described Facebook’s failures as “particularly concerning”, given that Facebook previously refused to accept the OPC’s recommendations to address certain deficiencies in response to a separate investigation into its practices in 2009.

2020-2023: OPC Application to Federal Court and Resulting Decision

Following the results of its investigation, the OPC filed an application with the Federal Court (FC) in February 2020, seeking an order requiring Facebook to correct its privacy practices in accordance with PIPEDA.

On April 13, 2023, the FC dismissed the OPC’s application in Canada (Privacy Commissioner) v. Facebook, Inc., 2023 FC 533. The FC considered two central issues: (i) Consent: whether Facebook failed to obtain meaningful consent from users and Facebook friends of users when sharing their personal information with third-party applications; and (ii) Safeguarding User Information: whether Facebook failed to adequately safeguard user information.

The FC held that the OPC failed to discharge its burden on both allegations, ultimately finding that there was insufficient evidence to establish that Facebook breached PIPEDA.

Consequently, in May 2023, the OPC appealed the FC’s decision, stating that the matter “raises important questions with respect to the interpretation and application of privacy law in Canada that will benefit from clarification by the Federal Court of Appeal.”

2024: OPC Appeal of Federal Court’s Decision – Canada (Privacy Commissioner) v. Facebook, Inc., 2024 FCA 140

On September 9, 2024, the Federal Court of Appeal (FCA) overturned the FC’s ruling and ultimately found that Facebook failed to obtain meaningful consent from its users and to appropriately safeguard users’ personal information.

On the issue of consent, the FCA determined that Facebook failed to obtain meaningful consent from friends of users to disclose their data. To illustrate, only users who installed the third-party applications (and not their friends) were given the opportunity to directly consent to the third-party applications’ use of their data. Friends of users were therefore unable to review such applications’ data policies and could not know or understand the purposes for which their data would be used, as required by PIPEDA.

Following an analysis of Facebook’s policies and installing users’ expectations in light of these policies, the FCA further determined that Facebook also failed to obtain meaningful consent from the direct users or installers of the third-party applications.

On the issue of safeguarding user data, the FCA concluded that Facebook breached its safeguarding obligations during the relevant period by failing to adequately monitor and enforce the privacy practices of third-party applications operating on the platform. The FCA rejected Facebook’s assertion that it was entitled to rely on the good faith performance of the contracts it had in place, stating that “Facebook cannot contract itself out of its statutory obligations” (para 116).

The FCA also engaged in a discussion surrounding purposive balancing under PIPEDA, stating that, in contrast to the FC’s reference to an organization’s “right to reasonably collect, use or disclose personal information”, PIPEDA’s purpose refers to an individual’s right of privacy, and an organization’s need to collect, use or disclose personal information (para 121). The FCA further clarified that an organization has no inherent right to data, and its need must be measured against the nature of the organization itself.

Lastly, on the issue of remedies, the FCA declined to issue the order sought by the OPC to require Facebook to implement certain remedial measures. The FCA held that absent further submissions or fresh evidence, it was not in a position to decide whether the OPC’s requests relating to Facebook’s current conduct would be reasonable, useful, or legally warranted.

The FCA therefore allowed the appeal and granted the OPC’s application in part, declaring that Facebook’s practices during the relevant time breached Principle 3, Principle 7, and Section 6.1 of PIPEDA.

MOVING FORWARD

The FCA has required the parties to report back within 90 days of the date of the judgment as to the status of an agreement on the terms of a consent remedial order.

In a statement issued on September 9, 2024, the OPC welcomed the FCA’s decision, describing it as a “landmark ruling” and “acknowledgement that international data giants, whose business models rely on users’ data, must respect Canadian privacy law and protect individuals’ fundamental right to privacy.” The OPC also expects Facebook to bring forward proposals on how it will ensure that it complies with the FCA’s decision.

It currently remains to be seen what remedial measures, if any, may be implemented by Facebook, or whether Facebook will file a notice of appeal.

Any article or other information or content expressed or made available in this Section is that of the respective author(s) and not of the OBA.