Federal Court of Appeal rules that Facebook’s practices breached Canada’s federal private-sector privacy law
The Federal Court of Appeal concluded in a recent decision that Facebook breached the federal Personal Information Protection and Electronic Documents Act (PIPEDA) by failing to safeguard user data and to obtain meaningful consent from users prior to data disclosure.
Background
The Privacy Commissioner of Canada commenced proceedings in the Federal Court in response to Facebook’s practice of sharing users’ personal information with third-party applications hosted on the Facebook platform.
The issue arose specifically from the Commissioner’s investigation into a third-party application, TYDL, that collected user data and later sold it to a corporation. The data of 727 Canadians who had installed the app, as well as the data of their Facebook friends, was potentially used to develop psychographic models and create targeted political messages. In total, the data of over 600,000 Canadians may have been disclosed between 2013 and 2015.
The Court’s decision
The Federal Court had found that the Commissioner had failed to discharge its burden of proof with regard to the allegations. However, the Federal Court of Appeal rejected this analysis and held that the Federal Court made a palpable and overriding error in its conclusion that there was no breach of PIPEDA. With respect to the issue of meaningful consent, the Court examined the issue of consent given by friends of users who had downloaded third-party apps separately from that of installing users. These friends could not have known or understood the purpose for which their data was being used. The Court found that this amounted to a lack of meaningful consent, and therefore to a breach of PIPEDA, as the legislation requires each user to consent to data disclosure.
The Court also concluded the same for the installing users, finding that, viewed contextually, they could not have provided meaningful consent. The Court held that the language of Facebook’s Data Policy is too broad to be effective in ensuring a user understands what information will be public and how it will be used. Factors such as the length of a document, over 9,000 words in this case, and the complexity of its terms mean that while a policy may be on its face superficially clear, it does not automatically lead to meaningful user consent. The Court thereby concluded that no meaningful consent was given to data disclosures by Facebook in the relevant period.
The Federal Court had also focused on the lack of expert and subjective evidence as to expectations of privacy. The Federal Court of Appeal found that the absence of such evidence was weighed too heavily, as subjective evidence is not required in an analysis of the perspective of the reasonable person. As well, it found that the Federal Court erred when it declined to define an objective, reasonable expectation of meaningful consent and instead relied on the absence of subjective and expert evidence.
With respect to the safeguarding obligation in PIPEDA, the Federal Court of Appeal found that the Federal Court erred when it failed to engage with the relevant evidence on this point. The Court concluded that Facebook breached its safeguarding obligations during the relevant period by failing to adequately monitor and enforce the privacy practices of third-party apps operating on its platform.
The Federal Court of Appeal issued a declaration that Facebook’s practices in the relevant period breached PIPEDA. The parties have been given 90 days to discuss a consent remedial order, in the absence of which further submissions will be invited on the issue of remedy.
Significance
This decision acknowledges, and emphasizes, the obligations on international technology companies to protect individuals’ rights to privacy, as well as to respect national laws. This decision is likely to have an important impact on ongoing privacy litigation against Facebook in other jurisdictions, notably in Australia. Clarity has been provided as to companies’ safeguarding obligations and as to the meaning and the necessity of meaningful consent in a digital world, where lengthy and complex terms and conditions are imposed on users:
“Consent requires active, affirmative choice, not choice by default”
Peter Engelmann and Colleen Bauman represented the Privacy Commissioner of Canada in this appeal.
Lawyers
Colleen Bauman, Peter Engelmann