Facebook Breached Canada’s Privacy Laws Says Federal Court Of Appeal

On September 9, 2024, the Federal Court of Appeal of Canada (FCA) in Privacy Commissioner of Canada v. Facebook Inc., 2024 FCA 140, unanimously held that Facebook Inc. (Facebook) breached Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) between 2013 and 2015 by failing to obtain meaningful consent from its users and to appropriately safeguard users’ personal information.

In 2018, the Office of the Privacy Commissioner of Canada (OPC) launched an investigation into Facebook’s disclosure of its users’ personal information to third-party application 'thisisyourdigitallife' (TYDL) hosted on the Facebook platform, which was later used by Cambridge Analytica for targeted political messaging. The OPC found that Facebook contravened PIPEDA, yet Facebook refused to implement the OPC’s recommendations to bring itself into compliance with PIPEDA. Subsequently, the OPC brought an application to the Federal Court of Canada (FC) alleging Facebook breached PIPEDA by disclosing its users’ personal information to TYDL. The FC dismissed the application and concluded that the OPC failed to meet its burden to establish that Facebook breached PIPEDA, as previously reported by the E-TIPS® Newsletter here. The OPC appealed the FC’s ruling.

On appeal, the FCA found that the lower court erred in its analysis of meaningful consent and safeguarding under PIPEDA. Specifically, the FC erred when it premised its conclusion exclusively or in large part on the absence of expert and subjective evidence given the objective inquiry under PIPEDA. The FCA ultimately held that Facebook’s practices between 2013-2015 breached (i) clause 4.3 of Schedule 1 of PIPEDA which requires an individual’s meaningful consent prior to disclosure of their personal information to third parties; (ii) clause 4.7 of Schedule 1 of PIPEDA requiring an organization to safeguard personal information they collect; and (iii) section 6.1 of PIPEDA, once in force, providing that the validity of an individual’s consent depends on that individual’s understanding of what they are consenting to.

In a statement welcoming the FCA’s decision, the OPC stated that “[t]his landmark ruling is an acknowledgement that international data giants, whose business models rely on users’ data, must respect Canadian privacy law and protect individuals’ fundamental right to privacy”.

The parties must report back to the FCA within 90 days on whether an agreement on the terms of a remedial order has been reached. The OPC stated that it expects Facebook to bring proposals on how it will ensure that it complies with the FCA’s decision.

Summary By: Anna Troshchynsky