A recent decision of the Federal Court of Appeal, Canada (Privacy Commissioner) v. Facebook, Inc., 2024 FCA 140, overturned the Federal Court’s trial decision which dismissed the Commissioner’s application to order Facebook (now Meta) to fix several breaches of the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (“PIPEDA”).

Background

In 2013, Facebook launched a technology enabling third parties to build applications that run on Facebook and can be installed by Facebook users. The third-party apps could ask installing users to access information about the installing users themselves and the users’ Facebook friends. One of these apps included “thisisyourdigitallife” (“TYDL”).

The proceedings began with the Privacy Commissioner’s investigation of Facebook collecting user data using TYDL and selling it to a third-party, Cambridge Analytica Ltd. (“Cambridge Analytica”), for psychographic modelling purposes. Psychographic modelling involves using data to better understand the psychological makeup of customers and tailoring marketing strategies accordingly.

The Privacy Commissioner argued (1) that Facebook breached PIPEDA by failing to obtain meaningful consent from users for disclosure of their data; and (2) that Facebook failed to adequately safeguard user data.

Federal Court Decision

The Federal Court dismissed the Commissioner’s application based on a lack of evidence. Specifically, the Court concluded that the Privacy Commissioner did not provide enough subjective evidence of Facebook users’ expectations and understandings of privacy to establish a lack of meaningful consent, and that the Commissioner did not provide any expert evidence outlining what Facebook could have done differently. In terms of Facebook’s safeguarding obligations under PIPEDA, the Court held that Facebook’s safeguarding obligations ended once the information was disclosed to Cambridge Analytica, and even if they did not, the Commissioner did not provide enough subjective and expert evidence to determine whether the procedures Facebook had in place at the time were adequate safeguards.

Issues

The two issues on appeal were:

1. Whether Facebook failed to obtain meaningful consent from users; and
2. Whether Facebook failed to adequately safeguard user data.

Analysis

The Court of Appeal overturned the Federal Court’s decision, concluding that Facebook did indeed fail to obtain meaningful consent, and that Facebook failed to adequately safeguard user data.

Meaningful Consent

The Court of Appeal held that the Federal Court made two overarching errors in reasoning: (1) premising the analysis on the absence of subjective and expert evidence; and (2) conflating the consent from installing users with consent from friends of installing users.

Under PIPEDA, the inquiry into whether a person gave meaningful consent to the disclosure of their data is objective. The Court determined that subjective evidence does not play any role in an objective analysis. There was enough evidence before the Federal Court to determine whether the users gave meaningful consent from an objective point of view. Among other evidence, the Federal Court had access to Facebook’s Terms of Service and Data Policy, Mark Zuckerberg’s testimony that he would not imagine most people read or understand these policies, and statistics showing that 46% of the third-party app developers did not read Facebook’s privacy policies. The Court of Appeal held that the Federal Court erred by declining to engage with this evidence to define an objective expectation of meaningful consent.

The Federal Court also erred in failing to ask whether each user whose data was disclosed to Cambridge Analytica consented to such disclosure. The circumstances of consent for installing users differed from friends of those users. Only installing users reviewed and directly consented to TYDL’s data usage. Despite having this opportunity, meaningful consent was missing. Facebook’s Terms of Service and Data Policy together described the information collected and how that information would be used. On a literal reading, the user may have been warned of the associated risks. However, the Court held that terms that are only superficially clear do not translate into meaningful consent. Clarity of terms can be lost in the length and complexity of a document, and where this is the case, there is no meaningful consent. Friends of installing users on the other hand did not have the opportunity to review and consent to TYDL’s data usage. The Court of Appeal held that upon signing up to Facebook, friends of installing users were effectively agreeing to “an unknown disclosure, to an unknown app, at an unknown time in the future of information that might be used for an unknown purpose” and that this was not meaningful consent.

Safeguarding

With respect to Facebook’s safeguarding obligation, the Federal Court once again failed to engage with the evidence before it. There was evidence that Facebook did not review the privacy policies of any of the third-party apps installed on its platform and that Facebook did not act on a request from TYDL for unnecessary user data, which should have been a “red flag”. By failing to read any of the third-party policies, Facebook failed to monitor and enforce privacy protection. Therefore, the unauthorized disclosure was a direct result of Facebook’s choices and Facebook failed to safeguard user data. Facebook’s conduct following its disclosure to Cambridge Analytica was irrelevant.

Implications

It is likely that Facebook will appeal this decision to the Supreme Court of Canada for a final determination on the matter. The outcome will significantly impact data collection in Canada by determining the scope of meaningful consent and data safeguarding practices.