On April 13, 2023, the Federal Court of Canada (the Court) issued its decision in Canada (Privacy Commissioner) v Facebook, Inc., 2023 FC 533, in which it dismissed an application brought by the Privacy Commissioner of Canada (the OPC) alleging that Facebook Inc. (Facebook) breached the Personal Information Protection and Electronic Documents Act (PIPEDA) when sharing Facebook users’ personal information with third-party applications hosted on the Facebook Platform. The allegations followed after an investigation of a PIPEDA complaint by the OPC, as previously reported by the E-TIPS® Newsletter here.
The OPC launched an investigation following a complaint that was brought in light of reports that a third-party application, “thisisyourdigitallife” (TYDL App), obtained data through the Facebook Platform and subsequently disclosed it without proper consent to Cambridge Analytica Ltd., a research firm.
The OPC argued that Facebook failed to obtain meaningful consent from users before disclosing their information to the TYDL App, and that Facebook’s reliance on app developers to obtain meaningful third-party consent did not constitute valid consent under PIPEDA. The OPC also asserted that while Facebook verified the existence of privacy policies and Facebook’s own policies required third-party applications to disclose the purposes for which information would be used, it did not manually verify the content of these third-party policies. Facebook argued that its combination of network-wide policies, user controls and educational resources constituted reasonable efforts under PIPEDA.
The Court found that there was no expert evidence presented as to what Facebook could feasibly do differently, nor was there any subjective evidence on Facebook users’ privacy expectations or evidence that any user did not appreciate the privacy issues at stake when using Facebook. The Court commented that despite such evidence not being necessary, it would have enabled the Court to better assess the reasonableness of meaningful consent in the matter.
The Court also found that the OPC did not use its powers under section 12.1 of PIPEDA to compel evidence from Facebook. Although the OPC explained that this was due to Facebook likely not complying or having anything to offer, the Court held that it is the OPC’s burden to establish a PIPEDA breach on the basis of evidence and the OPC could have contested Facebook’s refusal to provide disclosure.
Ultimately, the Court found that the OPC failed to discharge its burden to establish that Facebook breached PIPEDA and dismissed the application, awarding costs to Facebook.
Summary By: Sharan Johal
Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.
E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.