For many Canadian business owners, gathering information about customers forms the bedrock of sustained growth, because such data can inform decisions in a wide variety of areas, like marketing and advertising. Some businesses have subsidiaries, or are themselves subsidiaries of larger corporations, and they may want to share the customer information that they’ve gathered with these related entities. In other cases, this customer information has a great deal of value to third parties, who may be interested in purchasing the information for their own purposes.
In Canada, we have a piece of “quasi-constitutional” legislation, called the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which sets out the obligations of private entities that collect, use, or disclose personal information. PIPEDA aims to balance individuals’ right to privacy with organizations’ need to collect, use or disclose personal information.
A recent Federal Court of Appeal (the “Court”) case, Canada (Privacy Commissioner) v Facebook, Inc., dealt with Facebook’s (now Meta Platforms Inc.) data policies and whether it breached PIPEDA by failing to gather “meaningful consent” from Facebook users for the collection, use or disclosure of their personal information, and for failing to have adequate safeguarding measures in place to prevent data breaches. The privacy litigation in this case arose from the infamous Cambridge Analytica scandal, in which a Facebook app, called “thisisyourdigitallife” (“TYDL”) scraped data about Facebook users (and their friends) and sold it to Cambridge Analytica, who, in turn, used it to create ‘psychographic models’ to make targeted advertising in the lead-up to the 2016 U.S. presidential election.
The Court dealt with two main issues: (i) whether the people whose data was sold to Cambridge Analytica provided “meaningful consent” to this use and disclosure of their data, and (ii) whether Facebook met its “safeguarding” obligations under PIPEDA.
Meaningful Consent
It is important to understand what the Court means by “meaningful consent”. Meaningful consent must be valid consent. Consent is only valid if it is reasonable to expect that the person whose information is at issue would understand the nature, purpose and consequences of the collection, use, or disclosure of the information to which they are consenting.
For consent to be meaningful, then, the purposes of the collection, use or disclosure must be stated in such a way that the individual can reasonably understand how the information will be used or disclosed. For consent to be valid, the individual must understand what they are consenting to. Further, the organization that is seeking to collect, use or disclose the information must make a reasonable effort to advise the individual of the purposes for the use or disclosure of the information. Therefore, both the organization’s efforts and the form in which the consent is sought must be reasonable.
Friends of Facebook Users
It is clear that the friends of users could not have provided meaningful consent to the use or disclosure of their information, because only those who actually installed TYDL, not their friends, could directly consent to the use of their data. Facebook provided TYDL with the ability to get information from the friends of users of TYDL without getting consent from those friends of users. Therefore, Facebook did not give friends of users who downloaded TYDL the opportunity to meaningfully consent to the disclosure of their data. The Court said that friends of users could not possibly inform themselves about the purposes for which third-party apps would use their data at the time of disclosure.
Even though Facebook’s Data Policy mentioned the fact that users’ apps could request permission to access their friends’ data, the Court said that this language was too broad to be effective, and that it suggested Facebook had imposed limits on apps’ potential use of their friends’ data. The Court said that “even if consent can be distilled from the circumstances, there was use beyond that which could have reasonably been contemplated”. [1]
There was no meaningful consent to the disclosure by friends of users.
Installers of TYDL
The Court reached the same conclusion for those users who installed TYDL: there was no meaningful consent. The Court said that the question is “whether the reasonable person would have understood that in downloading [TYDL], they were consenting to the risk that the app would scrape their data and the data of their friends, to be used in a manner contrary to Facebook’s own internal rules (i.e. sold to a corporation to develop metrics to target advertising in advance of the 2016 U.S. election)”. [2] The Court said that the answer to this question is no.
Further, the Court said that reasonable Facebook users would expect Facebook to have robust data security safeguards that would prevent violations of its policies (which included a restriction on selling user data). On the contrary, Facebook did not even review the content of the privacy policies that third-party apps presented to users; rather, Facebook verified only that the hyperlink to the policies was active and led to a functioning website. [3]
The Court concluded that Facebook failed to properly inform users of the risks to their data when they signed up for Facebook; there was no meaningful consent.
Safeguarding Obligation
The Court held that Facebook failed to meet its safeguarding obligations under PIPEDA. Under PIPEDA, an organization must protect personal information by security safeguards that are appropriate to the sensitivity of the information. These safeguards are supposed to protect personal information against loss, theft, unauthorized access, disclosure, copying, use, or modification. An excerpt from the Court’s decision is instructive on the depth of Facebook’s failure to safeguard users’ personal information:
Since Facebook never reviewed these privacy policies, and since friends of downloading users could not have reviewed these privacy policies either, the policing of an app’s data use and disclosure was left in the hands of a small number of downloading users who may never have read the policies themselves. [4]
Facebook argued that it would have been practically impossible to read every third-party app’s privacy policy to ensure they complied with Facebook’s policies; rather, Facebook argued, it should have been able to rely on the third parties to perform their contractual duties in good faith. The Court said that this was a problem of Facebook’s own making: Facebook created the opportunity for the data breach, and it cannot contract itself out of its obligations under PIPEDA.
Conclusion
The Court emphasized the fact that contractual consent is not what PIPEDA requires; “the question is not whether there is a provision buried in the terms of service whereby a user can be said to have consented”. [5] Instead, the question at the heart of PIPEDA, and its balancing between the rights of individuals and the needs of organizations, is whether the organization has made reasonable efforts to ensure that the individual understands the purpose of the collection, use, or disclosure of the individual’s personal information, and that the individual provides valid, meaningful consent to such collection, use, or disclosure. In this case, Facebook did not meet its obligations under PIPEDA, and the Court ruled against it.
Takeaways
For businesses that collect, use, or disclose personal information that they gather in the course of their business, it is important to avoid sharing such information with any affiliated companies or selling it to third parties without clear, valid, and meaningful consent from your customers.
Consent should be separate from the normal “sign up” that the customer goes through, and the consent agreement should be brief, succinct, and easy for people to read and understand.
If a business decides to share or sell this information, it is crucial to have policies in place and agreements with the other party (i.e., the party that will be receiving the information) to ensure that the information is not being misused. If the information is being misused, it is prudent to report this fact to the Office of the Privacy Commissioner and to customers, and to ensure that the party that misused the information and its affiliated entities are banned from your platform or barred from purchasing or receiving such information in the future.
Should you have any questions relating to privacy law, privacy litigation, or any other commercial litigation, please do not hesitate to reach out to one of Walker Law’s experienced litigation lawyers.
[1] Canada (Privacy Commissioner) v Facebook, Inc., 2024 FCA 140 at para. 82.
[2] Ibid at para. 87.
[3] Ibid at para. 93.
[4] Ibid at para. 110.
[5] Ibid at para. 123.