Written By Ruth Promislow and Michael Iankilevitch
The Federal Court of Canada released a decision on April 14, 2023 in OPC v Facebook Inc.,2023 FC 533 [Facebook], dismissing the Privacy Commissioner's application against Facebook (now Meta Platforms, Inc.) stemming from alleged breaches to the Personal Information Protection and Electronic Documents Act (PIPEDA). Though the Commissioner claimed that Facebook's practice of sharing Facebook users’ personal information with a third party application contravened Canadian privacy laws, the Court was unpersuaded, citing a lack of evidentiary basis to support these claims.
The Commissioner applied to the Federal Court following an investigation of a privacy complaint that a third party application known as "thisisyourdigitallife" (TYDL App) hosted on the Facebook Platform had sold Facebook user data to a British research firm called Cambridge Analytica and a related firm, SCL Elections. It was widely reported that SCL allegedly used that data to help their clients target political messages to potential voters in the 2016 U.S. presidential election primaries.
The fallout of the Cambridge Analytica case resulted in fines being levied against Facebook from countries all around the world, including the U.S.,1 the U.K.,2 Italy3 and Brazil.4 The TYDL App allowed access to the profile information of users who installed it, as well as the installing users' Facebook friends, and reportedly involved collected data of over 600,000 Canadians. In February 2020, Canada's Privacy Commissioner attempted to enforce his office's finding that Facebook violated PIPEDA by filing an application with the Federal Court for an order declaring that Facebook contravened PIPEDA.5
The Federal Court Rules In Favour of Facebook
While there were a number legal issues before the Court, there were two key considerations that were most relevant to the outcome of the case:
- whether Facebook obtained meaningful consent from its users and Facebook friends of users prior to sharing their personal information with a third party application; and
- whether Facebook adequately safeguarded user information.
The Commissioner Failed to Prove Lack of Meaningful Consent
The Commissioner asserted that Facebook failed to obtain meaningful consent from users prior to disclosing their information to the TYDL App. He argued that Facebook’s reliance on App developers to obtain meaningful third party consent did not constitute valid consent under PIPEDA. Facebook asserted that the responsibility for the sale of information by the TYDL App lies with the third party and not Facebook.
The Court held that an organization such as Facebook may indeed rely on third-party consent, however, clarifying that it must take reasonable steps to ensure that the third-party obtains meaningful consent. In the end, the Court held that an evidentiary vacuum existed and that the Commissioner had failed to discharge his burden on this issue.
The Requirement to Adequately Safeguard User Information Does Not Extend to Third Parties
With regard to the Commissioner's claim that there was a failure to adequately safeguard user information in contravention of PIPEDA, Facebook argued that its safeguarding obligations end once a user authorizes Facebook to disclose information to a third party App. The Court agreed citing the specific language in the legislation and case law. In making this finding, the Court specifically cited the difference between transferring information to a third party provider (in which case, the organization does remain accountable for the third party's failure to safeguard) vs disclosing the information to a third party.
Referencing the safeguarding provisions of PIPEDA, the Court found that none of these safeguarding measures related to protecting information outside an organization’s control.
Bill C-27 Will Provide Greater Weight to Privacy Commissioner's Decisions
In reaching its decision, the Court made clear that the Commissioner's findings were not owed deference. However if passed, Bill C-27, the Digital Charter Implementation Act, would materially change the weight given to a Commissioner's findings.
Bill C-27 would repeal parts of PIPEDA and replace them with three new statutes—the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act (PIDPTA) and the Artificial Intelligence and Data Act (AIDA). These proposed legislative changes provide that a decision rendered by the Commissioner is to be given deference.
Under the CPPA, if the Commissioner were to find that an organization has contravened certain provisions in the Act, he is empowered to recommend a penalty to the Personal Information and Data Protection Tribunal—an administrative tribunal designed to impose penalties for contraventions of CPPA, and, separately, to hear appeals from decisions of the Commissioner. In determining whether it is appropriate to impose a penalty on an organization, the CPPA would require the Tribunal to rely on the findings set out in the Commissioner's decision. Only on appeal from a decision of the Commissioner is the Tribunal allowed to substitute its own findings for those of the Commissioner.
Further, in contrast to PIPEDA under which the Commissioner has no order-making power, under CPPA the Commissioner and Tribunal would each have order-making powers. Any decision made by the Tribunal regarding non-compliance or penalties to be imposed (up to higher of three percent of gross global revenue or $10 million) could be made an order of the Federal Court or any Superior Court for the purposes of enforcement.
Bill C-27 therefore represents an entirely new enforcement regime for the same privacy principles underlying both PIPEDA and the CPPA, and an entirely new level of exposure to penalties for non-compliance.
The Facebook case is a helpful reminder of an organization's obligations when it transfers information to third party service providers. In such circumstances, the organization remains accountable for the safeguarding of the information transferred to the third party. This is distinct from a scenario where an organization discloses information to a third party pursuant to consent obtained from the data subject, which does result in the same accountability for a failure to safeguard.
The Bennett Jones Privacy & Data Protection group is available to discuss any questions you may have about your organization's privacy obligations.