Canada (Privacy Commissioner) v. Facebook, Inc.

Canada (Privacy Commissioner) v. Facebook, Inc.
Court (s) Database
Federal Court of Appeal Decisions
Date
2024-09-09
Neutral citation
2024 FCA 140
File numbers
A-129-23
Decision Content
Date: 20240909
Docket: A-129-23
Citation: 2024 FCA 140
CORAM:
RENNIE J.A.
GLEASON J.A.
GOYETTE J.A.
BETWEEN:
PRIVACY COMMISSIONER OF CANADA
Appellant
and
FACEBOOK, INC.
Respondent
Heard at Ottawa, on February 21, 2024.
Judgment delivered at Ottawa, Ontario, on September 9, 2024.
REASONS FOR JUDGMENT BY:
RENNIE J.A.
CONCURRED IN BY:
GLEASON J.A. GOYETTE J.A.
Date: 20240909
Docket: A-129-23
Citation: 2024 FCA 140
CORAM:
RENNIE J.A.
GLEASON J.A.
GOYETTE J.A.
BETWEEN:
PRIVACY COMMISSIONER OF CANADA
Appellant
and
FACEBOOK, INC.
Respondent
REASONS FOR JUDGMENT
RENNIE J.A.
Overview [1] The Privacy Commissioner of Canada commenced proceedings in the Federal Court alleging that Facebook, Inc. (now Meta Platforms Inc.) breached the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (PIPEDA) through its practice of sharing Facebook users’ personal information with third-party applications (apps) hosted on the Facebook platform. The proceeding arose from the Commissioner’s investigation into the scraping of Facebook user data by the app “thisisyourdigitallife” (TYDL) and its subsequent selling of the data to Cambridge Analytica Ltd. (Cambridge Analytica) for psychographic modeling purposes between November 2013 and December 2015.
[2] The Federal Court, per Manson J. (Canada (Privacy Commissioner) v. Facebook, Inc., 2023 FC 533, 2023 A.C.W.S. 1512), dismissed the Commissioner’s application, finding that the Commissioner had not shown that Facebook failed to obtain meaningful consent from users for disclosure of their data, nor that Facebook failed to adequately safeguard user data.
[3] I would allow the appeal. The Federal Court erred in its analysis of meaningful consent and safeguarding under PIPEDA. I conclude that Facebook breached PIPEDA’s requirement that it obtain meaningful consent from users prior to data disclosure and failed in its obligation to safeguard user data.
Facebook’s privacy measures [4] Facebook is an online social media platform that allows users to share information. Facebook’s business model centres around attracting and maintaining users on its platform for the purpose of selling advertising. The greater the number of users and the more specific the information about users known to advertisers, the greater the revenue to Facebook. As will be discussed later, this is an important contextual fact which frames the legislative obligations at issue in this appeal.
[5] In 2007, Facebook launched “Platform”, a technology that enabled third parties to build apps that can run on Facebook and be installed by users. These apps offer users personalized social and entertainment experiences, such as playing games, sharing photos, or listening to music. By 2013, 41 million apps were available on Facebook.
[6] Facebook also deployed an app programming interface called “Graph API” which allows third-party apps to receive user information. Between 2013 and 2018, Graph API underwent two revisions. Under Version 1 (v1), apps could ask installing users for permission to access information about installing users and about installing users’ friends. Under Version 2 (v2), issued in April 2014, apps could no longer request permission to access information about installing users’ friends, subject to limited exceptions, all of which were removed by March 2018. Facebook also introduced “App Review” alongside v2, a process that was meant to require apps seeking access to user information beyond a user’s basic profile to show how the additional information would improve the user’s experience on the app.
[7] Although Graph API v2 took effect in April 2014, existing apps were given a one-year grace period to continue functioning under Graph API v1. The alleged breaches of PIPEDA that provided the impetus for these proceedings occurred under Graph APIv1, and took place between November 2013, when TYDL was launched, and December 2015, when TYDL was removed from Facebook’s Platform.
[8] During this period, there were three layers to Facebook’s consent policies and practices: platform-wide policies, user controls, and educational resources. As these practices provide context to the inquiries into meaningful consent and safeguarding, they require some elaboration.
Facebook’s platform-wide policies [9] Facebook had two user-facing policies in place at the relevant time: the Data Policy and the Terms of Service. While Facebook employed different versions of these policies over the relevant period, the policies “remained mostly consistent” (Federal Court decision at para. 15). When users signed up to Facebook, they had to agree with the Terms of Service and were told that in so doing, they were deemed to have read the Data Policy. Both policies were hyperlinked directly above Facebook’s “sign up” button.
[10] The Terms of Service explained users’ rights and responsibilities, including how users could control their information. The Terms of Service explained that “[apps] may ask for your permission to access your content and information as well as content and information that others have shared with you”; that “your agreement with that [app] will control how the [app] can use, store and transfer that content and information”; and that “[y]ou may also delete your account or disable your [app] at any time”.
[11] The Terms of Service were approximately 4,500 words in length.
[12] The Data Policy explained how information is shared on Facebook and included descriptions of the following:
a)The meaning of “public information” (namely, information that a user “choose[s] to make public, as well as information that is always publicly available”), and the consequences of making information public (including the information being “accessible to anyone who uses… [Facebook’s] Graph API”);
b)Facebook’s user controls and permissions for sharing user data; and
c)Information about users that is shared with third-party apps—including when their Facebook friends used third-party apps—and how users could control the information they wished to share.
[13] The Data Policy, which the user was deemed to have read by agreeing to the Terms of Service, was approximately 9,100 words in length.
Facebook’s user controls [14] Facebook users could manipulate certain settings and permissions to choose the extent to which information was shared with third-party apps.
[15] In 2010, Facebook added the Granular Data Permissions (GDP) process to Platform. The GDP provided users installing an app with a notice about which categories of information that app sought to access, a hyperlink to the app’s privacy policy, and the choice to grant or deny the requested permissions. Facebook’s 2014 version of the GDP process gave users the ability to grant or deny apps permission to access specific categories of data.
[16] Facebook users also had access to an “App Settings” page that allowed them to view all apps in use, delete unwanted apps, or turn off Platform to prevent any apps from accessing any non-public information. After the launch of the GDP process, Facebook updated the App Settings page to display each app’s current permissions and to allow users to remove certain permissions.
[17] The App Settings page also had an “Information Accessible Through Your Friends” setting that enabled users to restrict information accessible to apps installed by their friends. The setting stated that “[p]eople on Facebook who can see your information can bring it with them when they use apps”.
[18] Finally, Facebook users had access to a “Privacy Settings” page, which allowed them to select a default audience for posts, but which also reminded users that “the people you share with can always share your information with others, including apps”. Facebook users could also opt out of Platform, preventing apps from accessing any of their information, or delete their account and ask relevant apps to delete their information.
Facebook’s educational resources [19] Resources offered to Facebook users between 2013 and 2015 included a Help Center, which provided educational materials on privacy topics such as what information is shared when friends use third-party apps and how to control that information. Other tools available included “Privacy Tour”, “Privacy Checkup”, and “Privacy Basics”, through which users could inform themselves about Facebook’s privacy policies and review certain privacy settings; and “Privacy Shortcuts”, found next to Facebook’s “home” button, which provided information to users under the headings of “Who can see my stuff?”, “Who can contact me?”, and “How do I stop someone from bothering me?”.
Facebook’s contracts with third-party apps [20] Facebook required third-party apps to agree to Facebook’s Platform Policy and Terms of Service before being granted access to Platform. The Platform Policy imposed contractual duties on apps, including that the app:
a)Only request user data necessary to operate their app, and only use user’s friends’ data in the context of the user’s experience on the app;
b)Have a privacy policy telling users what data the app would use and how it will use or share that data;
c)Obtain explicit consent from a user before using any non-basic information for any other purpose aside from displaying it back to the user; and
d)Refrain from selling or purchasing data obtained from Facebook.
[21] Facebook admits that it did not assess or verify the actual content of apps’ privacy policies; it only verified that the hyperlink to an app’s privacy policy linked to a functioning web page.
[22] The Platform Policy also specified Facebook’s right to take enforcement action. While Facebook took approximately 6 million enforcement actions against apps between August 2012 and July 2018, the reasons for each enforcement action are unknown.
TYDL and Cambridge Analytica [23] In November 2013, Dr. Aleksandr Kogan, then a professor at the University of Cambridge, launched the TYDL app on Platform (and thus agreed to Facebook’s Platform Policy and Terms of Service). TYDL was presented to users as a personality quiz. Through Platform, Dr. Kogan was able to access the Facebook profile information of every user who installed TYDL as well as the information of every installing user’s Facebook friends. Approximately 272 Canadian users installed TYDL, enabling the disclosure of the data of over 600,000 Canadians. Media reports in December 2015 revealed that user data obtained by TYDL was sold to a corporation named Cambridge Analytica and a related entity, and that the data was used to develop “psychographic” models for the purpose of targeting political messages towards Facebook users leading up to the 2016 United States (U.S.) presidential election.
[24] TYDL was launched under Graph API v1 and stayed on Platform during the transition to v2. Although it did not comply with the Graph API v2 requirements, it continued to operate during the grace period between v1 and v2. Following the announcement of Graph API v2, Dr. Kogan applied for expanded access to additional personal information. Facebook denied the request since the information would not be used to “enhance the user’s in-app experience” (Federal Court decision at para. 43). It is of significance that even though it knew of this request, Facebook took no steps to scrutinize TYDL’s use of data while the app continued to operate under Graph API v1.
[25] In 2015, Facebook removed TYDL from Platform and asked Cambridge Analytica to delete the data it obtained. Facebook neither notified affected users, nor did it bar Dr. Kogan or Cambridge Analytica from Platform. It was not until 2018 that Facebook suspended Dr. Kogan and Cambridge Analytica from Platform, again following media reports that they had not deleted the data as requested in 2015.
[26] The parties agree that Dr. Kogan breached Facebook’s Platform Policy by requesting access to user data beyond what it needed to function, by using users’ friends’ data for purposes beyond augmenting the app experience of installing users, and by transferring and selling user data to a third party. TYDL’s purported privacy policy also contained terms inconsistent with Facebook’s Platform Policy.
[27] The Commissioner subsequently received a complaint about Facebook’s compliance with PIPEDA. The Commissioner investigated and concluded that Facebook failed to obtain valid and meaningful consent for its disclosures to apps, and failed to safeguard its users’ information. In February 2020, the Commissioner filed the Notice of Application commencing the application at issue in the Federal Court (Federal Court decision at paras. 34 and 44). I note, parenthetically, that the application was filed just as the COVID-19 pandemic was unfolding, which accounts for the delay between the application and its disposition by the Federal Court.
Statutory Provisions [28] This appeal concerns the scope of the obligations of meaningful consent and safeguarding as set out in Schedule 1 of PIPEDA. Organizations must comply with Schedule 1 of PIPEDA pursuant to subsection 5(1) of PIPEDA.
[29] Meaningful consent and safeguarding are legislatively prescribed terms, set out as “Principles” in the Act. Meaningful consent is described in clause 4.3 of Schedule 1 of PIPEDA as “Principle 3”. Section 6.1 of PIPEDA was added in 2015. It incorporates as a separate section in (in somewhat clearer terms) the obligations that were already contained in Principle 3 of the Schedule:
Valid Consent
Validité du consentement
6.1: For the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
6.1: Pour l’application de l’article 4.3 de l’annexe 1, le consentement de l’intéressé n’est valable que s’il est raisonnable de s’attendre à ce qu’un individu visé par les activités de l’organisation comprenne la nature, les fins et les conséquences de la collecte, de l’utilisation ou de la communication des renseignements personnels auxquelles il a consenti.
…
[…]
4.3 Principle 3 - Consent
4.3 Troisième principe — Consentement
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
Toute personne doit être informée de toute collecte, utilisation ou communication de renseignements personnels qui la concernent et y consentir, à moins qu’il ne soit pas approprié de le faire.
4.3.1: Consent is required for the collection of personal information and the subsequent use or disclosure of this information. Typically, an organization will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when an organization wants to use information for a purpose not previously identified).
4.3.1: Il faut obtenir le consentement de la personne concernée avant de recueillir des renseignements personnels à son sujet et d’utiliser ou de communiquer les renseignements recueillis. Généralement, une organisation obtient le consentement des personnes concernées relativement à l’utilisation et à la communication des renseignements personnels au moment de la collecte. Dans certains cas, une organisation peut obtenir le consentement concernant l’utilisation ou la communication des renseignements après avoir recueilli ces renseignements, mais avant de s’en servir, par exemple, quand elle veut les utiliser à des fins non précisées antérieurement.
4.3.2: The principle requires “knowledge and consent”. Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
4.3.2: Suivant ce principe, il faut informer la personne au sujet de laquelle on recueille des renseignements et obtenir son consentement. Les organisations doivent faire un effort raisonnable pour s’assurer que la personne est informée des fins auxquelles les renseignements seront utilisés. Pour que le consentement soit valable, les fins doivent être énoncées de façon que la personne puisse raisonnablement comprendre de quelle manière les renseignements seront utilisés ou communiqués.
4.3.3: An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.
4.3.3: Une organisation ne peut pas, pour le motif qu’elle fournit un bien ou un service, exiger d’une personne qu’elle consente à la collecte, à l’utilisation ou à la communication de renseignements autres que ceux qui sont nécessaires pour réaliser les fins légitimes et explicitement indiquées.
4.3.4: The form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.
4.3.4: La forme du consentement que l’organisation cherche à obtenir peut varier selon les circonstances et la nature des renseignements. Pour déterminer la forme que prendra le consentement, les organisations doivent tenir compte de la sensibilité des renseignements. Si certains renseignements sont presque toujours considérés comme sensibles, par exemple les dossiers médicaux et le revenu, tous les renseignements peuvent devenir sensibles suivant le contexte. Par exemple, les nom et adresse des abonnés d’une revue d’information ne seront généralement pas considérés comme des renseignements sensibles. Toutefois, les nom et adresse des abonnés de certains périodiques spécialisés pourront l’être.
4.3.5: In obtaining consent, the reasonable expectations of the individual are also relevant. For example, an individual buying a subscription to a magazine should reasonably expect that the organization, in addition to using the individual’s name and address for mailing and billing purposes, would also contact the person to solicit the renewal of the subscription. In this case, the organization can assume that the individual’s request constitutes consent for specific purposes. On the other hand, an individual would not reasonably expect that personal information given to a health-care professional would be given to a company selling health-care products, unless consent were obtained. Consent shall not be obtained through deception.
4.3.5: Dans l’obtention du consentement, les attentes raisonnables de la personne sont aussi pertinentes. Par exemple, une personne qui s’abonne à un périodique devrait raisonnablement s’attendre à ce que l’entreprise, en plus de se servir de son nom et de son adresse à des fins de postage et de facturation, communique avec elle pour lui demander si elle désire que son abonnement soit renouvelé. Dans ce cas, l’organisation peut présumer que la demande de la personne constitue un consentement à ces fins précises. D’un autre côté, il n’est pas raisonnable qu’une personne s’attende à ce que les renseignements personnels qu’elle fournit à un professionnel de la santé soient donnés sans son consentement à une entreprise qui vend des produits de soins de santé. Le consentement ne doit pas être obtenu par un subterfuge.
4.3.6: The way in which an organization seeks consent may vary, depending on the circumstances and the type of information collected. An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney).
4.3.6: La façon dont une organisation obtient le consentement peut varier selon les circonstances et la nature des renseignements recueillis. En général, l’organisation devrait chercher à obtenir un consentement explicite si les renseignements sont susceptibles d’être considérés comme sensibles. Lorsque les renseignements sont moins sensibles, un consentement implicite serait normalement jugé suffisant. Le consentement peut également être donné par un représentant autorisé (détenteur d’une procuration, tuteur).
4.3.7: Individuals can give consent in many ways. For example:
4.3.7: Le consentement peut revêtir différentes formes, par exemple :
(a) an application form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;
a) on peut se servir d’un formulaire de demande de renseignements pour obtenir le consentement, recueillir des renseignements et informer la personne de l’utilisation qui sera faite des renseignements. En remplissant le formulaire et en le signant, la personne donne son consentement à la collecte de renseignements et aux usages précisés;
(b) a checkoff box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties;
b) on peut prévoir une case où la personne pourra indiquer en cochant qu’elle refuse que ses nom et adresse soient communiqués à d’autres organisations. Si la personne ne coche pas la case, il sera présumé qu’elle consent à ce que les renseignements soient communiqués à des tiers;
(c) consent may be given orally when information is collected over the telephone; or
c) le consentement peut être donné de vive voix lorsque les renseignements sont recueillis par téléphone; ou
(d) consent may be given at the time that individuals use a product or service.
d) le consentement peut être donné au moment où le produit ou le service est utilisé.
[30] Principles of safeguarding are set out in clause 4.7 of Schedule 1 of PIPEDA as “Principle 7”. The relevant portions are set out below:
4.7 Principle 7 - Safeguards
4.7 Septième principe - Mesures de sécurité
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
Les renseignements personnels doivent être protégés au moyen de mesures de sécurité correspondant à leur degré de sensibilité.
4.7.1: The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.
4.7.1: Les mesures de sécurité doivent protéger les renseignements personnels contre la perte ou le vol ainsi que contre la consultation, la communication, la copie, l’utilisation ou la modification non autorisées. Les organisations doivent protéger les renseignements personnels quelle que soit la forme sous laquelle ils sont conservés.
4.7.2: The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection. The concept of sensitivity is discussed in Clause 4.3.4.
4.7.2: La nature des mesures de sécurité variera en fonction du degré de sensibilité des renseignements personnels recueillis, de la quantité, de la répartition et du format des renseignements personnels ainsi que des méthodes de conservation. Les renseignements plus sensibles devraient être mieux protégés. La notion de sensibilité est présentée à l’article 4.3.4.
4.7.3: The methods of protection should include
4.7.3: Les méthodes de protection devraient comprendre:
(a) physical measures, for example, locked filing cabinets and restricted access to offices;
a) des moyens matériels, par exemple le verrouillage des classeurs et la restriction de l’accès aux bureaux;
(b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and
b) des mesures administratives, par exemple des autorisations sécuritaires et un accès sélectif; et
(c) technological measures, for example, the use of passwords and encryption.
c) des mesures techniques, par exemple l’usage de mots de passe et du chiffrement.
4.7.4: Organizations shall make their employees aware of the importance of maintaining the confidentiality of personal information.
4.7.4: Les organisations doivent sensibiliser leur personnel à l’importance de protéger le caractère confidentiel des renseignements personnels.
[31] Finally, section 3 of PIPEDA sets out PIPEDA’s purpose:
Purpose
Objet
3: The purpose of this Part is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
3: La présente partie a pour objet de fixer, dans une ère où la technologie facilite de plus en plus la circulation et l’échange de renseignements, des règles régissant la collecte, l’utilisation et la communication de renseignements personnels d’une manière qui tient compte du droit des individus à la vie privée à l’égard des renseignements personnels qui les concernent et du besoin des organisations de recueillir, d’utiliser ou de communiquer des renseignements personnels à des fins qu’une personne raisonnable estimerait acceptables dans les circonstances.
The Federal Court Decision [32] The Federal Court began its analysis by noting that applications under paragraph 15(a) of PIPEDA are de novo proceedings, with the basic question being whether Facebook breached PIPEDA, and if so, what remedy should flow. The Court observed that the purpose of Part 1 of PIPEDA (which governs the use of personal information in the private sector) is to balance a user’s right to protect their information and “an organizations’ [sic] right to reasonably collect, use or disclose personal information” (Federal Court decision at para. 50). The Court acknowledged that while PIPEDA is quasi-constitutional legislation, the ordinary exercise of statutory interpretation still applies, and the Court must interpret PIPEDA in a flexible and common-sense manner.
[33] The Court then dealt with the two central issues: whether Facebook failed to obtain meaningful consent from users and Facebook friends of users when sharing their personal information with third-party apps; and whether Facebook failed to adequately safeguard user information. The Court held that the Commissioner had failed to discharge its burden on both allegations.
[34] In reaching this conclusion, the Court said that it “[found] itself in an evidentiary vacuum” (Federal Court decision at para. 71). The Court noted that the Commissioner neither used its powers to compel evidence from Facebook, nor did the Commissioner provide any expert evidence as to what Facebook could do differently. The Court also noted the absence of subjective evidence from Facebook users as to their expectations and understandings of privacy.
[35] The Court said that this subjective and expert evidence was not “strictly necessary”, but that it would have assisted the Court in its analysis “in an area where the standard for reasonableness and user expectations may be especially context dependent and are ever-evolving”. In the absence of evidence of this nature, the Federal Court found that the Commissioner’s burden could not be met by “speculation and inferences [as to the user’s perspective] derived from a paucity of material facts” (Federal Court decision at paras. 71-72 and 78).
[36] The Court also dismissed the importance of statistical evidence submitted by the Commissioner. This evidence, originating from Facebook, established that in 2013, 46% of Facebook app developers had not reviewed the Platform Policy or the Terms of Service since launching their app. The Federal Court found that this statistic was “insignificant” (Federal Court decision at paras. 73-76).
[37] The Court then held that the Commissioner also failed to discharge their burden to show that Facebook had not adequately safeguarded user information. In reaching this conclusion, the Court relied on three propositions.
[38] First, the Court noted that the occurrence of a data breach does not necessarily mean that an organization has adequate or inadequate safeguards (Federal Court decision at para. 82).
[39] Second, the Court held that Facebook’s safeguarding obligations end once information is disclosed to third-party apps (Federal Court decision at paras. 86-88, citing Englander v. TELUS Communications Inc., 2004 FCA 387, [2005] 2 F.C.R. 572 [Englander], as well as other clauses (4.1.2 and 4.7.3) and sections (7.2) of PIPEDA which speak to the need to establish safeguards over information currently within the control of the organization). The Court noted that its interpretation must remain principled, as the legislation “applies equally to a social media giant as it may apply to the local bank or car dealership” (Federal Court decision at para. 90).
[40] Finally, the Court found that even if the safeguarding obligations applied to Facebook following its disclosure of information to third-party applications, there was, again, insufficient expert and subjective evidence to determine whether Facebook’s contractual agreements and enforcement policies constituted adequate safeguards. The Court cited Bhasin v. Hrynew, 2014 SCC 71, [2014] 3 S.C.R. 494 for the proposition that commercial parties reasonably expect honesty and good faith in their contractual dealings, suggesting that Facebook could rely on apps to comply with the contractual agreements.
[41] Given these findings, the Court did not deal with two defences raised by Facebook, the doctrine of estoppel by representation or officially induced error, that Facebook claimed should result in the complaint being dismissed.
Issues on appeal and the positions of the parties [42] The Commissioner submits that the Federal Court made errors in interpreting and applying PIPEDA as well as errors in assessing the evidence.
[43] First, the Commissioner submits that the Court “set the bar too low” in its interpretation of meaningful consent under PIPEDA. The Court did not consider how Facebook’s notice and consent model constituted meaningful consent given Facebook’s admission that it did not review the privacy policies of third-party apps before disclosing information. Nor did the Court analyze evidence that Facebook’s Terms of Service and Data Policy were lengthy and not read or understood by most people, and evidence that TYDL’s privacy policy did not indicate the political advertisement targeting purposes for user information.
[44] The Commissioner also submits that the Court also erred by failing to distinguish between meaningful consent for installing users and meaningful consent for friends of installing users, despite the different consent processes and protections for these groups. According to the Commissioner, had the Court so distinguished, it would have found that meaningful consent was not provided from either group, without the need for expert or subjective lay evidence.
[45] Third, the Commissioner submits that the Court erred in determining meaningful consent by calling for subjective evidence of user experience, expert evidence, or evidence of what Facebook could have done differently, instead of applying an objective, user-focused reasonableness standard. The Commissioner points to the use of the term “reasonable” in clause 4.3 and section 6.1 of PIPEDA, as well as case law on the reasonable expectation of privacy, which applies an objectively determined, normative standard.
[46] With respect to the safeguarding duty, the Commissioner submits that the failure to safeguard information follows the failure to obtain consent. The Federal Court’s conclusion in respect of Facebook’s safeguarding duty rested on the fact that Facebook did not have post-disclosure obligations, but the Court erred in failing to consider Facebook’s conduct before the personal information was disclosed (such as Facebook’s failure to review privacy policies of third-party apps, even in the presence of privacy-related “red flags”). The Commissioner alleges that the Court should have treated this as prima facie evidence of Facebook’s failure to take appropriate steps to safeguard information and drawn further inferences from the evidence available, especially given the difficulties associated with demonstrating that an organization has failed to internally safeguard one’s personal information, citing Montalbo v. Royal Bank of Canada, 2018 FC 1155, 299 A.C.W.S. (3d) 199.
[47] Finally, the Commissioner submits that the Court erred in finding that there was an “evidentiary vacuum” with respect to both the meaningful consent and safeguarding issues, as the record contained “extensive and fulsome evidence” of a breach of these obligations by Facebook, including:
a)The means by which Facebook purported to obtain meaningful consent: the length and breadth of the Terms of Service and Data Policy, the requirement for users to take proactive steps to review these policies following sign-up, and U.S. Senate testimony from Facebook’s Chief Executive Officer, Mark Zuckerberg, that people did not read or understand the Terms of Service or Data Policy;
b)That friends of installing users were not notified of Facebook’s disclosure of their personal information to third-party apps and evidence that Facebook knew that users were “often surprised” to find out that their friend had shared their personal information with an app;
c)Facebook’s acknowledgement in March 2018 that there was much more work to be done “to enforce our policies and help people understand…the choices they have over their data” and “that privacy settings and other important tools are too hard to find”; and
d)That Facebook failed to act on “red flags” from third-party apps, knew that there were some “bad actors” among the third-party apps on Platform, and knew that a segment of app developers were not reviewing the Platform Policy.
[48] In response, Facebook submits that the Federal Court made no error in its assessment of the evidence, arguing that the Court considered all relevant evidence and found that the Commissioner had not satisfied its burden, and that this Court should not intervene just because it disagrees with the Court below.
[49] Facebook says that the Federal Court correctly interpreted PIPEDA. The Court acknowledged its quasi-constitutional status, but Facebook submits that the Court ultimately—and correctly—held that this does not displace ordinary principles of statutory interpretation, that PIPEDA should be given a flexible and common-sense interpretation, and that PIPEDA aims to balance privacy and commercial interests.
[50] Facebook says that there are four responses to the Commissioner’s argument that the Court failed to balance interests by not requiring Facebook to adduce any evidence as to why it was commercially unable to review the privacy policies of the apps it hosted: the Commissioner’s burden of proof; Facebook’s unchallenged evidence that such monitoring would be practically impossible; the irrelevance of third-party apps’ policies to Facebook’s consent and safeguarding duties; and Facebook’s entitlement to rely on the honest execution of its contracts.
[51] Facebook submits that the Court made no errors in its meaningful consent analysis. It says that the Court understood the Commissioner’s argument that neither users nor their Facebook friends gave meaningful consent, but ultimately found that there was insufficient evidence on which to find a breach of PIPEDA. In any event, Facebook met the applicable standards for meaningful consent: people could only use Facebook after agreeing to its Data Policy and Terms of Service, and through these policies, as well as various settings, tools, and permissions, Facebook explained to all of its users how their information would be shared, and how they could control their information (citing Toronto Real Estate Board v. Canada (Commissioner of Competition), 2017 FCA 236, [2018] 3 F.C.R. 563; and St-Arnaud c. Facebook inc., 2011 QCCS 1506, 200 A.C.W.S. (3d) 97).
[52] Facebook also attacks the evidentiary foundation of the application, arguing that it did not support finding that there had been no meaningful consent. The Commissioner led no evidence from Facebook users, very little evidence about Facebook users, no expert evidence, and no evidence about what Facebook could have done differently. The evidence that Facebook did not review third-party apps’ privacy policies, or the argument that Facebook users did not understand the nature, purposes, and consequences of the disclosure to third-party apps, are irrelevant to whether Facebook had consent to disclose information to those apps. Finally, Facebook submits that, in any event, its practices were in line with the Commissioner’s prevailing guidance and representations during the relevant period.
[53] Turning to the safeguarding analysis, Facebook first contends that there is no requirement under clause 4.7 of PIPEDA for intermediaries like itself to police third-party compliance with PIPEDA. Second, the Commissioner’s own guidance in 2014 was for platforms to provide links to external privacy policies. Facebook did this, used automated tools to monitor each link’s validity, and urged users via its Data Policy to “make sure to read [apps’] terms of service and privacy policies”.
Analysis [54] The parties agree that the standards of review from Housen v. Nikolaisen, 2002 SCC 33, [2002] 2 S.C.R. 235 apply: correctness for questions of law and palpable and overriding error for questions of fact or mixed fact and law.
[55] I conclude that there are errors in the reasons of the Federal Court. I would allow the appeal and grant the Commissioner’s application, in part.
[56] The Federal Court erred when it premised its conclusion exclusively or in large part on the absence of expert and subjective evidence given the objective inquiry. Second, the Court failed to inquire into the existence or adequacy of the consent given by friends of users who downloaded third-party apps, separate from the installing users of those apps. Consequently, the Court did not ask itself the question required by PIPEDA: whether each user who had their data disclosed consented to that disclosure. These are over-arching errors which permeate the analysis with the result that the appeal should be allowed.
[57] I would add that the Federal Court did not engage with the evidence which framed and inform the content of meaningful co