Privacy Commissioner v Facebook: Protecting Your Data From Tech Giants
Canadian privacy law hit Facebook hard in the Federal Court of Appeal’s recent decision in Privacy Commissioner of Canada v Facebook, Inc., 2024 FCA 140 [Facebook]. The unanimous decision held that Facebook failed to obtain meaningful consent from users before disclosing their data to third-party applications. The decision is part of a larger trend in Canadian jurisprudence in which courts have applied heightened scrutiny to unfavourable contracts of adhesion imposed by large corporations on consumers.
Background
The Personal Information Protection and Electronic Documents Act, SC 2000, c 5 [PIPEDA] protects Canadians’ personal information that is collected, used, or disclosed by private-sector organizations in the course of commercial activity. PIPEDA protects user data by giving individuals control over how their personal information is handled. It sets out ten fair information principles, including meaningful consent and the protection of personal information through safeguards.
Facebook launched “Platform” in 2007, a technology that enabled third parties to create applications which could be installed by Facebook users. When a user installed a third-party application, that user could be asked for permission to access information about the user and the user’s Facebook friends.
The Commissioner investigated a third-party application named “thisisyourdigitallife” (“TYDL”), a personality quiz which sold user data collected through Facebook to Cambridge Analytica Ltd. (“Cambridge Analytica”) for psychographic modeling purposes. The Commissioner’s 2019 report concluded that Facebook breached PIPEDA when it failed to obtain meaningful consent for the disclosure of user data to third-party applications and by not adequately safeguarding the personal information it collected.
In 2020, the Commissioner filed a Notice of Application to commence proceedings before the Federal Court.
Judicial History
Manson J of the Federal Court dismissed the Commissioner’s application. Manson J found that the Commissioner had failed to provide sufficient evidence to demonstrate either that Facebook did not obtain meaningful consent from users for data disclosures or that Facebook had failed to adequately safeguard user data (Facebook, para 2).
Issues
In considering whether Facebook breached PIPEDA, the Federal Court of Appeal addressed the following questions (Facebook, para 33):
- Whether Facebook failed to obtain meaningful consent from users and their Facebook friends when sharing their personal information with third-party apps; and
- Whether Facebook failed to adequately safeguard user information.
Decision
The Federal Court of Appeal allowed the Commissioner’s appeal, having found two errors in the Federal Court’s reasons. The first error was that the Federal Court premised its findings on the absence of expert and subjective evidence, even though the application called for an objective inquiry. The second error was that the Federal Court failed to consider whether consent had been given by the friends of the users who installed the third-party apps. As a result, the Federal Court never determined whether each user whose data was disclosed had actually consented to that disclosure (Facebook, para 56).
Meaningful Consent
Rennie J, writing for the Federal Court of Appeal, found that the Federal Court had predicated its conclusions on the lack of subjective and expert evidence in support of the Commissioner’s application. Rennie J explained that the applicable consent provisions of PIPEDA focus on the perspective of the reasonable person, an objective standard under which subjective evidence is superfluous. The Federal Court was tasked with defining an objective, reasonable expectation of meaningful consent, which it was fully capable of doing even without subjective or expert evidence (Facebook, paras 59-63 & 70).
Rennie J distinguished the privacy expectations of the 272 users who installed TYDL from those of the roughly 600,000 friends of those users. Both groups had their data disclosed to TYDL, which in turn sold it to Cambridge Analytica, but only the 272 installing users were given any opportunity to consent directly to the use of their data. The friends of those users were given neither notice nor the opportunity to learn the purpose of TYDL’s data collection before disclosure, which breached PIPEDA’s meaningful consent obligations (Facebook, paras 75-78).
Facebook’s policies required third-party apps to have a privacy policy informing users what data the app would access and use, and required those apps to operate consistently with Facebook’s own data policy. However, Facebook’s data policy told users only at a high level that when their friends used third-party apps, those apps could access the data of both the user and the user’s friends. This nebulous language failed to inform users of the myriad ways in which their data could be collected and used (Facebook, paras 80-83).
Rennie J continued that, despite having the opportunity to consent directly, the users who installed TYDL were still not able to provide meaningful consent as contemplated and required by PIPEDA. A literal reading of Facebook’s data policy and terms of service might be understood to highlight the applicable risks and to secure the user’s consent in a contractual sense. However, whether there was meaningful consent turns on more than the presence of superficially clear terms (Facebook, para 84).
Mark Zuckerberg testified before a United States Senate committee that few people were likely ever to have read the lengthy terms of service or data policy. Rennie J noted that the complexity and sheer length of the documents obscured whatever clarity they contained. There was no positive consent to the data policy at all, a problem exacerbated by the data policy being incorporated by reference into the terms of service, so that a user who accepted the terms of service was deemed to have consented to the data policy as well (Facebook, paras 86-89).
Rennie J highlighted that contracts of adhesion place consumers at a disadvantage by foreclosing any contractual negotiation. Consent given under such contracts should therefore be examined with heightened scrutiny, as was the case in Douez v Facebook, Inc., 2017 SCC 33 [Douez]. Rennie J concluded that, had the Federal Court properly conducted the required objective analysis, it would have found that users had not provided meaningful consent to all data disclosures in the relevant period (Facebook, paras 100-103 & 108).
Obligation to Safeguard
Rennie J found that Facebook had also breached PIPEDA by failing to adequately safeguard user data. Facebook had merely checked whether a third-party app’s privacy policy link led to a functioning webpage; it never substantively reviewed the content of those policies. Additionally, in 2014 Facebook received a request from TYDL for user information that was unnecessary for the app’s stated purpose, a red flag that prompted no further action. Facebook effectively turned a blind eye to its obligation under PIPEDA to safeguard user data. Worse still, even once Facebook knew that TYDL had scraped and sold data in contravention of Facebook’s own policies, it did not notify affected users and took no action until the matter attracted media attention two and a half years later (Facebook, paras 110-112 & 118).
Analysis
The Federal Court of Appeal’s unanimous decision sets a high bar for private enterprises seeking to comply with PIPEDA when collecting consumer data in the course of commercial activity. In conducting its objective analysis of whether consent was meaningful, the Court considered many contextual factors, including (Facebook, para 124):
- The demographics of the users (installing user vs friend of installing user);
- The nature of the information disclosed;
- Whether the contract is one of adhesion;
- The clarity and length of the contract; and
- Inequality of bargaining power.
The decision sends a clear signal to private enterprises that mere contractual consent, obtained through agreement to terms of service or a privacy policy, does not meet the higher threshold of “meaningful consent” required by PIPEDA.
The decision reinforces that Canadians have a right to privacy in their data and affirms that PIPEDA demands strict compliance from commercial actors. Where a commercial actor wishes to collect, use, or disclose personal information protected by PIPEDA, there must be “meaningful consent” in the eyes of a reasonable person. The Federal Court of Appeal in Facebook took issue with the long and complex contractual structure Facebook used to obtain user consent, which prevented users from properly understanding the protections and potential risks arising from the agreement.
The Court appeared especially concerned with Facebook’s apparent indifference both in obtaining consent and in safeguarding data. Facebook relied on an automated check to assess whether third-party developers had a privacy policy, a process that merely confirmed the policy link led to a functioning webpage. Facebook purportedly required third parties to conform to its data policy, but it never protected users by actually enforcing that requirement. The existence of an enforcement policy, combined with the failure to enforce it, created a false sense of security for users, one that was perpetuated by Facebook’s failure to notify users when misconduct was discovered. Moreover, Facebook took no action until the TYDL incident attracted media attention.
This decision is part of a larger trend of scrutiny towards contracts of adhesion, which large technology companies have used to limit consumers’ legal recourse against new and experimental technologies. Both Uber Technologies Inc. v Heller, 2020 SCC 16 and Douez reflect Canadian courts’ heightened scrutiny of terms within contracts of adhesion and the potential unconscionability arising from them. Businesses that primarily contract with consumers through contracts of adhesion should ensure that their terms are clear, concise, and accessible. Failing to do so not only creates uncertainty about the extent to which those terms are enforceable, but may also amount to a breach of PIPEDA where meaningful consent is absent when consumer information is collected or used in the course of commercial activity.