The already long and winding dispute between Facebook’s owner Meta and the Privacy Commissioner of Canada concerning the improper use of personal information by Cambridge Analytica and others is heading for a new chapter as the Commissioner has now commenced an appeal to the Federal Court of Appeal from a decision by a Federal Court judge in April 2023 dismissing the Commissioner’s complaint against Facebook. The Federal Court also issued a concurrent decision dismissing a judicial review application by Facebook arising from the investigation and Report of Findings discussed below - this will be the subject of Part 2.
In 2015, public reports revealed that the Cambridge professor and his company had sold Facebook user information that they had collected through the TYDL App to Cambridge Analytica and a related entity, and that this information had been used to target political messaging to potential voters in the then upcoming 2016 US presidential election primaries. Facebook then removed the TYDL App from its platform and asked Cambridge Analytica to delete the data it had obtained. Facebook did not notify affected users of the incident, nor did it ban Cambridge Analytica or the Cambridge professor and his company from Facebook.
In March 2018, the Commissioner received a complaint from three elected members of the House of Commons asking that the Commissioner commence an investigation into Cambridge Analytica accessing the personal information of Canadians without their knowledge or consent. In April 2019, after a joint investigation by the Commissioner and the provincial privacy commissioner in British Columbia, the Commissioner issued its Report of Findings, concluding that Facebook had breached PIPEDA, the Canadian federal private sector privacy statute, in several ways:
· Facebook failed to be accountable for the user information under its control, but instead relied upon the operators of third party apps and failed to make reasonable efforts to ensure that the TYDL App was obtaining meaningful consent from users.
· Facebook failed to obtain meaningful consent from friends of installing users for the collection, use and disclosure of the personal information of those friends, and instead unreasonably relied on installing users to obtain such consent.
· Facebook relied on contractual terms with apps to protect against unauthorized access to users’ information, but then put in place superficial, largely reactive, and thus ineffective, monitoring to ensure compliance with those terms.
· Facebook abdicated its responsibility to protect the personal information under its control, effectively shifting that responsibility almost exclusively to users and the operators of apps. Facebook relied on overbroad consent language, and consent mechanisms that were not supported by meaningful implementation.
Facebook disputed the findings of the Commissioner and refused to implement its recommendations to address the alleged deficiencies. Under PIPEDA, the Commissioner has no ability to enforce its findings and must instead apply to the Federal Court for a mandatory order. This proceeding is heard de novo: the original findings of the Commissioner are not in any way binding on the Federal Court and are not owed any deference. Importantly, the Commissioner also bears the burden of proving that a breach of PIPEDA was committed.
The Federal Court examined two preliminary issues and two alleged breaches of PIPEDA by Facebook.
First, Facebook claimed that the Commissioner’s application to the Federal Court was improper since section 15(a) of PIPEDA requires the Commissioner to obtain consent from the initial complainants to commence the application, and in this case the Commissioner had only obtained consent from one of them. The Court quickly found that the Commissioner was entitled to treat the initial complaint as three separate complaints and to proceed with the consent of only one of the initial complainants.
Second, Facebook argued that because it had been separately investigated by the Commissioner in 2008 and 2009, and the Commissioner had signed off on Facebook’s privacy policies and procedures at that time, Facebook could rely on either estoppel by representation or the doctrine of officially induced error. This issue was not determined because the Court ultimately decided that the Commissioner had not established that Facebook had breached PIPEDA.
The first substantive issue considered by the Court was whether Facebook made reasonable efforts to ensure users and users’ Facebook friends were advised of the purposes for which their information would be used by third party applications such as the TYDL App. The Commissioner argued that Facebook’s reliance on app developers to obtain meaningful third party consent was not sufficient: while Facebook verified that third party applications had privacy policies, and Facebook’s own policies required those applications to disclose the purposes for which information would be used, Facebook did not verify the content of those third party policies. In response, Facebook pointed to its elaborate and detailed privacy compliance rules and procedures and to the Commissioner’s approval of Facebook’s privacy measures in 2009, and argued that in any event it was the developer of the TYDL App and Cambridge Analytica who were responsible for any PIPEDA violations, not Facebook.
On this issue, the Court found that Facebook only needed to show that it had made a “reasonable effort” to disclose the uses which would be made of personal information collected from users in order for there to be valid consent, and that the detailed privacy policies and disclosures by Facebook satisfied this requirement. However, this appears to be a misreading of the rather odd structure of PIPEDA and of the interaction between Principle 3 in Schedule 1 to PIPEDA and the mandatory requirements of section 6.1. Schedule 1 of PIPEDA is the text of a voluntary set of privacy principles promoted by business interests prior to the implementation of PIPEDA in 1999, and includes several “mushy” obligations using language which is strengthened considerably in the actual operative provisions of the statute. In this case, while Principle 3 does excuse entities which make a “reasonable effort” to disclose the uses to which personal information may be put, section 6.1 does not use this qualification: it requires that valid consent is only obtained if it is reasonable in the circumstances for individuals to understand the nature, purpose and consequences of the collection, use and disclosure of their personal information. The Federal Court therefore seems to have employed the wrong test in resolving this issue.
The Court also found that there was little or no evidence concerning what privacy policies were provided to users of the TYDL App and what steps Facebook could have taken to prevent the privacy breaches by the operator of the TYDL App, and that it was therefore impossible to determine whether Facebook had breached PIPEDA. The Court criticized the Commissioner for relying on “inferences” which it wanted the Court to draw about Facebook’s activities rather than on actual evidence. In the result, the Court was not satisfied that the Commissioner had met its burden of demonstrating that appropriate consent had not been obtained. While this conclusion appears to be a lightly veiled criticism of the litigation tactics of the Commissioner (in particular the Commissioner’s failure to compel Facebook to provide evidence pursuant to section 12.1 of PIPEDA), it raises serious questions about what actual standard of reasonableness should be applied to an entity’s efforts to convey adequate disclosures to users about how their personal information is to be used and disclosed. No clear answer is apparent from the Court’s decision.
The second substantive issue was whether Facebook had failed to safeguard the personal information of users of the TYDL App and the “friends” of those users. Facebook argued, and the Court ultimately accepted, that once a user authorizes Facebook to disclose information to an app, Facebook’s safeguarding duties under PIPEDA are at an end, and that in any event Facebook’s detailed combination of data safeguards is sufficient under PIPEDA. The Court examined several provisions of PIPEDA and concluded that they all spoke to “internal” safeguards by entities in possession of personal information, and did not impose any obligation on Facebook to “follow” the data as it passes to third parties and safeguard it in the hands of those third parties. In responding to the Commissioner’s argument that there was a “need for rigorous third-party enforcement practices in the ever-evolving digital world given the vast amount of personal information that tech-giants like Facebook handle and the ease with which it flows from one party to another,” the Court noted that it was not the Court’s responsibility to impose an “unprincipled interpretation” of a statute like PIPEDA “that applies equally to a social media giant as it may apply to the local bank or car dealership.”
The Federal Court’s decision is not a resounding endorsement of Facebook’s actions in relation to third party apps, but it does for the moment relieve Facebook of any obligation to make any substantive changes to its policies and procedures in response to the Cambridge Analytica controversy. Because the next step in the process is an appeal and not another de novo hearing, the burden on the Commissioner to overturn the Federal Court’s decision will be even higher. One can only hope that if the appeal proceeds the Federal Court of Appeal will resolve some of the questions that this proceeding has thus far not clearly answered.