24 September 2024

What's The Meaning Of Meaningful Consent?

Cassels

Contributor

Cassels Brock & Blackwell LLP is a leading Canadian law firm focused on serving the advocacy, transaction and advisory needs of the country’s most dynamic business sectors. Learn more at casselsbrock.com.

In the latest round of privacy litigation between Facebook and the Office of the Privacy Commissioner of Canada (OPC), on September 9, 2024, the Federal Court of Appeal (FCA) ruled that Facebook breached the requirement under the Personal Information Protection and Electronic Documents Act (PIPEDA)[1] to obtain meaningful consent from users prior to its disclosure of their personal information to third-party app developers and that it failed in its obligation to safeguard user data.[2] The decision overturns a 2023 Federal Court ruling.

Since as early as 2019, the OPC has been investigating the shortcomings in Facebook's data privacy procedures[3] in response to a complaint regarding Facebook's disclosure of the personal information of certain of its users to the developer of the "thisisyourdigitallife" application (the TYDL App). The TYDL App encouraged users to complete a personality quiz but collected much more information about the users as well as data about their Facebook friends. The information collected by the TYDL App was later used by third parties for targeted political messaging.

In an effort to obtain a declaration that Facebook's practices violated PIPEDA, the OPC brought an application to the Federal Court. In its 2023 decision, the Federal Court found that the OPC failed to meet the burden of establishing that Facebook breached the law concerning meaningful consent. The Federal Court also agreed with Facebook's argument that once a user authorizes it to disclose information to an app, the social media company's safeguarding duties under PIPEDA come to an end.[4]

Meaningful Consent

In overturning the 2023 Federal Court decision, the FCA found that between 2013 and 2015 Facebook did not obtain meaningful consent as required by PIPEDA.[5]

The FCA held that the meaningful consent clauses of PIPEDA, along with PIPEDA's purpose, are based on the perspective of the reasonable person.[6] For an individual to provide meaningful consent under PIPEDA, they must be able to reasonably understand how the information will be used or disclosed. In addition, obtaining meaningful consent means that organizations have an obligation under PIPEDA to "make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used".[7]

The FCA found that Facebook did not afford friends of users the opportunity to meaningfully consent as they were simply unable to review the third-party apps' data policies prior to disclosure. As a result, it was impossible to obtain meaningful consent from this group, since friends of users could not inform themselves about the purposes for which each third-party app would be using their data at the time of disclosure.[8] Similarly, the judgement held that Facebook did not obtain meaningful consent from the users of the TYDL App, because the reasonable person would not have understood that downloading a personality quiz (or any app) would lead to the collection and use of the user's data and that of the user's friends in a manner contrary to Facebook's own internal rules.[9]

Although the FCA acknowledged the existence of Facebook's Terms of Service and Data Privacy Policy, the court questioned whether terms that are, on their face, superficially clear, translate into meaningful consent. The FCA stated that "Apparent clarity can be lost or obscured in the length and miasma of the document and the complexity of its terms."[10] The court ultimately held that a reasonable person would not have understood the risks and meaningful consent was not obtained.

Safeguarding Obligation

Under PIPEDA, organizations are required to safeguard personal information. In its decision, the FCA considered the unauthorized disclosure by the TYDL App developer to be a breach of security safeguards.

While Facebook argued that it would have been practically impossible to read all third-party apps' privacy policies to ensure compliance with Facebook's policies, the FCA commented that that was "a problem of Facebook's own making"[11] and that the scope of Facebook's responsibilities under PIPEDA cannot be limited by a claim of impossibility. As a result of its failure to review the content of third-party apps' privacy policies, the FCA held that Facebook breached its safeguarding obligations.[12]

Estoppel

Facebook also argued that it did not breach PIPEDA on the basis of the doctrines of estoppel and officially induced error, which it claimed arose after the OPC wrote to Facebook stating that Facebook had satisfied its commitments to the OPC following a 2008-2009 investigation by the OPC.[13] The FCA rejected these arguments for three reasons: (i) the OPC's statements were equivocal; (ii) applications under PIPEDA are de novo hearings (meaning they begin fresh), so the hearing was focused on whether Facebook was in compliance with PIPEDA through the relevant period; and (iii) estoppel has a very narrow application in a public law context.[14]

Conclusion

The FCA issued a declaration that Facebook's practices between 2013 and 2015 breached Principle 3, Principle 7, and section 6.1 of PIPEDA.[15] While the OPC sought various remedies, given that the events leading to the OPC's application occurred ten years prior and that Facebook asserted that its privacy practices changed over that time period, the FCA remained seized of the matter and instead required the OPC and Facebook to develop a consent remedial order within 90 days of the date of judgement.[16]

This decision comes as a necessary reminder that, in order to comply with their obligations under PIPEDA, organizations must make a reasonable effort to ensure that the individual is advised of the purposes for which their personal information will be used, and that for consent to be meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. In some cases, an individual clicking a button to accept the Terms of Service and Data Policy may not equate to meaningful consent.

Footnotes

1. Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 [PIPEDA].

2. Canada (Privacy Commissioner) v. Facebook, Inc., 2024 FCA 140 [Facebook].

3. Joint investigation of Facebook, Inc. by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia, PIPEDA Findings #2019-002.

4. Canada (Privacy Commissioner) v. Facebook, Inc., 2023 FC 533.

5. Facebook, supra note 2 at para 135.

6. Ibid at para 72.

7. PIPEDA, supra note 1 s.4.3.2.

8. Facebook, supra note 2 at para 83.

9. Ibid at para 87.

10. Ibid at para 86.

11. Ibid at para 114.

12. Ibid at para 118.

13. Ibid at para 128.

14. Ibid at paras 132-134.

15. Ibid at para 135.

16. Ibid at para 147.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
