
Case Comment on Privacy Commissioner of Canada v Facebook, Inc [2023 FC 533]

June 22, 2023
By Melanie Szweras and Parnian Soltanipanah

Facebook is once again scrutinized for privacy concerns, but this time the Federal Court sides with them.

Although this case was a great opportunity to shed more clarity on the meaning of “meaningful consent” in the Personal Information Protection and Electronic Documents Act (PIPEDA), it was decided in favour of Facebook based on a lack of contextual evidence. On the issue of Facebook’s safeguarding obligations, the Court agreed with Facebook that its duties end once the information is disclosed to third-party applications (apps).

The Privacy Commissioner of Canada (the “Commissioner” or the “OPC”) requested a Federal Court hearing following an investigation into Facebook’s practice of sharing users’ personal information with third-party apps hosted on the Facebook Platform.

The Facebook Platform allows third parties to build apps that run on and are integrated with Facebook, and that receive user information when users interact with them. Prior to releasing an app on the Platform, these third parties must agree to Facebook’s Platform Policy, which includes features such as:

  • The third-party app will only request the data needed to operate the app,
  • The third-party app will have a privacy policy informing users of what data it uses and how,
  • The third-party app will require explicit consent from the user for information other than basic information,
  • The third-party app cannot sell or purchase any data obtained from Facebook.

Prior to using a third-party app, users are provided with, among other things, a link to the third-party app’s privacy policy, and can choose whether to accept or deny requested permissions. Facebook, however, does not verify the content of the third-party app’s privacy policy, nor does it ensure that the policy meets the requirements of Facebook’s own Platform Policy.

Did Facebook fail to obtain meaningful consent?

Under the above framework, an app titled “thisisyourdigitallife” (the “TYDL App”) launched on Facebook. Its developer gained access to the personal information of users who installed the TYDL App and agreed to its privacy policy, as well as the personal information of the installing users’ Facebook friends. The developer then proceeded to sell this information to Cambridge Analytica.

While the Commissioner argued that Facebook failed to obtain meaningful consent from users before disclosing their information to the TYDL App, the Federal Court asserted that “it finds itself in an evidentiary vacuum”.[1] The Court highlighted that there was no expert evidence regarding what Facebook could have done differently, no subjective evidence as to the level of privacy users expect, and no evidence that the users did not understand the privacy issues at stake, and that the Commissioner did not use its powers to compel evidence from Facebook. Ultimately, the Court held that the OPC failed to discharge its burden of proving that Facebook failed to obtain meaningful consent.

Did Facebook fail to adequately safeguard user information?

The Commissioner argued that Facebook retains control of the personal information disclosed to third-party apps, and that it failed to adequately safeguard that information. Facebook, however, contended that its safeguarding duties end once a user authorizes it to disclose information to a third party, and that even if its duties remained, its contractual agreements with app developers and its enforcement practices were sufficient.

Once again, the Federal Court sided with Facebook. After reviewing the state of the common law and the context provided by other provisions in PIPEDA, the Court held that the safeguarding principle concerns the “internal handling” of information and that once a user authorizes Facebook to disclose information to an app, Facebook’s safeguarding duties under PIPEDA end.[2] The Federal Court went a step further and asserted that even if safeguarding obligations applied to Facebook after the transfer of information, the OPC had failed to provide evidence of the inadequacy of Facebook’s contractual agreements and enforcement practices.

While this case does not clarify “meaningful consent” in the context of PIPEDA, it provides a good reminder for organizations to have proper agreements in place when transferring information to third parties. The case also brings to light the evidentiary burden on the OPC when bringing an application to the Federal Court. It will be interesting to see whether this burden is lowered under the pending Consumer Privacy Protection Act and the proposed Data Protection Tribunal.

 


[1] Privacy Commissioner of Canada v Facebook, Inc., 2023 FC 533, at para 71 [OPC v Facebook].

[2] OPC v Facebook, at paras 86-89.
