{"id":18056,"date":"2024-09-19T09:46:51","date_gmt":"2024-09-19T13:46:51","guid":{"rendered":"https:\/\/www.millerthomson.com\/?post_type=insights&p=224463"},"modified":"2026-04-01T16:45:28","modified_gmt":"2026-04-01T20:45:28","slug":"federal-court-of-appeal-pipeda-compliance-lessons-facebook-consent-failures","status":"publish","type":"post","link":"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/federal-court-of-appeal-pipeda-compliance-lessons-facebook-consent-failures\/","title":{"rendered":"Facebook failed to obtain consent and safeguard personal data: Federal Court Appeal clarifies PIPEDA compliance"},"content":{"rendered":"\n

Introduction<\/h2>\n\n\n\n

On September 9, 2024, the Federal Court of Appeal (the \u201cFCA<\/strong>\u201d) issued its decision in Privacy Commissioner of Canada v Facebook Inc., <\/em>2024 FCA 140<\/a>,[i]<\/a> overturning the Federal Court\u2019s decision[ii]<\/a> and declaring that Facebook, Inc. (now Meta Platforms Inc.) had violated the Personal Information Protection and Electronic Documents Act<\/em><\/a> (\u201cPIPEDA<\/strong>\u201d) by improperly sharing users’ personal information with third-party applications (“apps<\/strong>“) on its platform.[iii]<\/a> Specifically, Facebook breached the requirements for obtaining meaningful consent[iv]<\/a> and did not adequately safeguard user data.[v]<\/a><\/p>\n\n\n\n

The FCA\u2019s decision serves as a helpful reminder that PIPEDA is designed to strike a balance between the privacy rights<\/em> of individuals and the legitimate needs<\/em> of organizations to collect and use personal information. The FCA\u2019s analysis of meaningful consent emphasizes the need for organizations to be specific and transparent regarding the uses and disclosures of personal data, especially in the context of third-party apps and other digital ecosystems. An organization cannot contract out of its statutory duty to safeguard personal information, and the impracticalities of monitoring compliance do not justify limiting the scope of safeguarding obligations \u2013 especially when those challenges are created by the organization itself.<\/p>\n\n\n\n

Background<\/h2>\n\n\n\n

This case stemmed from the Office of the Privacy Commissioner of Canada\u2019s (\u201cOPC<\/strong>\u201d) investigation into the scraping and selling of Facebook user data by the app \u201cthisisyourdigitallife\u201d (\u201cTYDL<\/strong>\u201d) which was sold and used to generate user profiles to facilitate targeted political advertising. The alleged PIPEDA violations occurred from TYDL\u2019s launch in November 2013 until its removal from Facebook in December 2015. During this period, Facebook had three layers of consent policies and practices in place:<\/p>\n\n\n\n

    \n
  1. Platform-wide policies<\/em>: When signing up for Facebook, users had to agree to the Terms of Service (4,500 words), which set out users\u2019 rights and responsibilities, including how users could control their information. Facebook\u2019s Data Policy (9,100 words) was incorporated by reference into the Terms of Service, such that users accepting the Terms of Service were deemed to have consented to the Data Policy. The Terms of Service broadly explained how user data could be shared, including with third-party apps, and stated that the agreement between the user and the app would govern how the app uses, stores, or transfers information. The Data Policy broadly described the user information shared with third-party apps \u2013 including through the use of such third-party apps by users\u2019 friends.<\/li>\n\n\n\n
  2. User controls<\/em>: Users could adjust their data sharing preferences through permissions, the App Settings page, and the Privacy Settings page (e.g., selecting the default audience for their posts and restricting apps\u2019 access to their information).<\/li>\n\n\n\n
  3. Educational resources<\/em>: Facebook provided resources for users to learn about Facebook\u2019s privacy policies and practices, including explanations of what information is shared when friends use third-party apps and how to control that information.<\/li>\n<\/ol>\n\n\n\n

    Facebook required third-party apps to agree to its Platform Policy and Terms of Service (\u201cPlatform Policy<\/strong>\u201d), which included specific  terms regarding the collection, use, and disclosure of user information. This included the requirement for apps to have a privacy policy and a prohibition against selling or purchasing data obtained from Facebook.<\/p>\n\n\n\n

    Despite the requirements of the Platform Policy, Facebook did not review or verify third-party compliance with this policy. When TYDL requested expanded access to user data, Facebook identified this as a “red flag” but took no action beyond denying the request.<\/p>\n\n\n\n

    After identifying that TYDL had breached the Platform Policy, Facebook removed TYDL in 2015 and asked it to delete the data it had obtained. However, Facebook did not notify affected users, nor did it remove Dr. Kogan or Cambridge Analytica from its platform until 2018, after media reports surfaced that they had not deleted the data as requested.<\/p>\n\n\n\n

    The OPC investigated Facebook[vi]<\/a> and concluded that it failed to obtain valid and meaningful consent for its disclosures to third-party apps[vii]<\/a> and failed to safeguard user data.[viii]<\/a> These conclusions formed the basis of the OPC\u2019s application pursuant to s. 15(a) of PIPEDA.<\/p>\n\n\n\n

    The Federal Court considered two central issues: 1) whether Facebook failed to obtain meaningful consent from users and their friends when sharing personal information with third-party apps, and 2) whether Facebook failed to adequately safeguard user data. The Federal Court dismissed the OPC\u2019s application, finding that the OPC\u2019s burden of proof for either allegation was unmet, particularly due to the absence of expert and subjective evidence.[ix]<\/a><\/p>\n\n\n\n

    Federal Court of Appeal’s Key Findings<\/h2>\n\n\n\n

    A unanimous panel of three judges at the FCA partially granted the OPC’s appeal, finding that the Federal Court made two main errors:<\/p>\n\n\n\n