On April 13, 2023, the Federal Court handed down its decision in a case brought by the Office of the Privacy Commissioner of Canada (the “OPC”) against Facebook Inc. (“Facebook”).[1] The case centers around Facebook’s obligations with respect to third-party applications’ data protections. It also provides helpful insight on the interpretation of “consent” under Canadian private-sector privacy law, commenting specifically on what constitutes meaningful consent in the social media context where third-party applications collect information. The Court decided against the OPC, ruling in favour of Facebook, which could have a significant impact on the interpretation of “meaningful consent” in the digital age.
The Joint Investigation into Facebook
The proceedings before the Federal Court arose from a complaint received by the OPC in March of 2018 which raised concerns about Facebook disclosing information to a third-party application, “thisisyourdigitallife” (“TYDL”), without obtaining meaningful consent. TYDL was an application launched by a Cambridge professor on the Facebook platform that allowed users to fill in a “personality quiz” about themselves and their friends. TYDL was given access to Facebook profile information of everyone who installed the app as well as information about their Facebook friends.
The OPC and the Information and Privacy Commissioner for British Columbia (“OIPC”) conducted a joint investigation to determine whether Facebook’s actions constituted a breach of the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and BC’s private-sector privacy law, the Personal Information Protection Act (“PIPA”).
On April 25, 2019, the OPC and the OIPC issued its Report of Findings which concluded that Facebook failed to obtain valid and meaningful consent from app users and their Facebook friends when sharing information with TYDL. It also found that Facebook did not adequately safeguard user information.[2] The information collected by the TYDL was then sold to third-parties, most notably to Cambridge Analytica, the consulting firm known for its involvement in targeted messaging during U.S. political campaigns.[3] Facebook estimated that the 272 installations of the TYDL led to a potential disclosure of personal information of more than 600,000 Canadians.[4]
The Federal Court proceeding
However, under current privacy legislation, the OPC does not have order-making power and is unable to issue penalties. Under sections 14 and 15 of PIPEDA, the OPC may, in certain circumstances, apply for a hearing before the Federal Court of Canada in respect of any matter referred to in the Commissioner’s report of findings from an investigation.[5] Pursuant to these provisions, the OPC commenced an application at the Federal Court of Canada to have the court make the same determination and issue orders against Facebook. This is a de novo hearing meaning that while the Report of Findings can be entered as evidence, it is not owed deference.[6]
The Federal Court considered whether: (1) Facebook breached PIPEDA by failing to obtain meaningful consent; (2) Facebook failed to adequately safeguard user information; and (3) if Facebook breached PIPEDA, whether it is protected by estoppel or officially induced error on the basis that in the OPC’s 2008-2009 Investigation of Facebook, the OPC approved Facebook’s processes.
The OPC did not meet its burden with respect to obtaining meaningful consent
The Federal Court found that the OPC had not proved that Facebook failed to receive meaningful consent for the collection of personal information.[7] In particular, the Federal Court negatively commented on the fact that the OPC did not use the broad powers under section 12.1 of PIPEDA to compel evidence from Facebook. The OPC stated that they did not exercise these powers because Facebook would not have complied; however, the Federal Court found the burden to establish a breach of PIPEDA rests with the OPC and speculation and inferences would not meet this burden in the absence of material evidence.[8] The Federal Court notably stated that they were in an “evidentiary vacuum.”[9]
Moreover, in discussing whether meaningful consent was obtained, Justice Manson asked “whether Facebook made reasonable efforts to ensure users and users’ Facebook friends were advised of the purposes for which their information would be used by third-party applications.”[10] He went on to state that the lack of evidence made it difficult to assess the reasonableness of meaningful consent in “an area where the standard for reasonableness and user expectations may be especially context dependent and are ever-evolving.”[11] This comment has impacts for meaningful consent under PIPEDA. In particular, it suggests that as technology evolves, the rights of individuals surrounding the protection of their data may change.
Facebook adequately safeguarded personal information
Additionally, Justice Manson did not agree with the OPC’s argument that Facebook failed to protect user data.[12] Although Justice Manson agreed with the OPC that Facebook is required to protect their users’ data, Justice Manson did not agree that Facebook was obligated to continue its protection once the users agreed to download and use the TYDL app.[13] The Federal Court decided in favour of Facebook that it was no longer required to protect the data of individuals when that data was in the hands of the app and not Facebook.
The 2008-2009 OPC approval
Facebook’s Granular Data Permissions (“GDP”) process required app developers to display an installation screen listing categories of information that the app would receive and provide a link to a privacy policy. Facebook argued that the OPC had approved their GDP process in the 2008-2009 investigation, citing the approval as a defence to any breaches of PIPEDA that allegedly occurred.
The Federal Court did not address this issue as Facebook was not found liable for breaches of PIPEDA; however, it will be interesting to see whether OPC approval of processes can be waged as a defence to breaches of PIPEDA in the future given changing conceptions of privacy protections and privacy reform.
What’s Next? Bill C-27 and the Canadian Privacy Landscape
PIPEDA is currently undergoing significant reform. Bill C-27 will introduce three new pieces of legislation. Two of the three acts, the Consumer Privacy Protection Act (“CPPA”) and the Personal Information and Data Protection Tribunal Act (“PIDPT”), were previously proposed in Bill C-11 and aim to establish a new enforcement regime, which will impose stricter privacy regulations on corporations and empower not only the Commissioner with new powers but also establish a new tribunal geared to resolving privacy complaints.[14] As well, Bill C-27 introduces the Artificial Intelligence and Data Act (“AIDA”), the federal government’s first attempt to regulate AI.
Borrowing from the enforcement regime in the EU’s General Data Protection Regulation, if passed, Bill C-27 will place Canada’s privacy laws as some of the most punitive amongst the G7 countries[15] as the Bill introduces new enforcement powers for the OPC, empowers a specialized tribunal to handle privacy complaints and institutes a broad private right of action for privacy breaches.
Importantly, the CPPA will grant order-making powers to the Commissioner who can also make recommendations to the Data Protection Tribunal to impose fines of up to 5% of the revenue of the non-compliant company or up to $25 million, whichever is greater[16] and administrative monetary penalties of up to 3% of revenue or $10 million, whichever is greater.[17] If enacted, the OPC would not have to commence an application before the Federal Court to issue orders against Facebook.
The PIDPT will set up a new data protection tribunal, the first of its kind in Canada, to hear appeals of findings and orders made by the OPC, and determine whether the penalties recommended by the Commissioner are appropriate.[18] The tribunal will be held to a stricter standard of review compared to the current standard in federal court appeals under PIPEDA.[19]
In light of the Federal Court’s finding in this case, it will be interesting to see what evidentiary standards the OPC and the Data Protection Tribunal implement in enforcing breaches of PIPEDA.
The CPPA also introduces added exceptions to knowledge and consent. In particular, Bill C-27 enables the collection and use of personal information without knowledge or explicit consent if the collection or use is made for the purpose of an activity in which the organization has a “legitimate interest.” It will be intriguing to see how this exception will work in the context of third-party applications on social media platforms.[20]
If Bill C-27 had already been enacted, the consequences for Facebook would likely have been very different. If the legitimate interest exception was found not to apply, the strengthened enforcement regime would have allowed the OPC to issue orders and recommend fines against Facebook, without assistance from the Federal Court. In light of privacy law reform, organizations need to ensure compliance with existing privacy laws and be aware of reform initiatives coming down the pipeline.
To better understand your obligations and avoid liability, feel free to contact our Miller Thomson Cybersecurity group.
[1] Canada (Privacy Commissioner) v. Facebook, Inc., 2023 FC 533.
[2] Joint investigation of Facebook, Inc. by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia, PIPEDA Findings #2019-002.
[3] Canada (Privacy Commissioner) v. Facebook, Inc., 2023 FC 533 at para 38.
[4] Ibid at para 37.
[5] Personal Information Protection and Electronic Documents Act, SC 2000 c 5, s 14 and s 15.
[6] Ibid at para 49, citing Englander v Telus Communications Inc, 2004 FCA 387 at paras 47-48.
[7] Ibid at para 79.
[8] Ibid at para 72.
[9] Ibid at para 71.
[10] Ibid at para 63.
[11] Ibid at para 71.
[12] Ibid at para 86.
[13] Ibid at para 91.
[14] Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts, 1st Sess, 44th Parl, 2021. (“Bill C-27”)
[15] Government of Canada, “Consumer Privacy Protection Act” (March 3, 2023)
[16] Bill C-27, s 128.
[17] Ibid, s 94, 95(4).
[18] Ibid, Personal Information and Data Protection Tribunal Act, s 16.
[19] Ibid, s 103(2).
[20] Ibid, Consumer Privacy Protection Act, s 18(3).