The Federal Court of Canada has issued its ruling regarding the Privacy Commissioner’s request to hold Facebook accountable for the Cambridge Analytica scandal under Canadian privacy law. The Commissioner had investigated Facebook’s privacy practices and found that the company had breached the Personal Information Protection and Electronic Documents Act (PIPEDA) by having insufficient data privacy measures for third-party apps accessing Facebook users’ data. The Commissioner sought to enforce this 2019 finding.
However, the Court rejected the Privacy Commissioner’s request and found that the Privacy Commissioner had not provided enough evidence to show that Facebook did not have adequate consent for data sharing.
The Privacy Commissioner argued that while Facebook verified the existence of privacy policies, and its Platform Policy and Terms of Service required third-party applications to disclose the purposes for which information would be used, it did not manually verify the content of these third-party policies. Facebook, on the other hand, argued that its network-wide policies, user controls, and educational resources amounted to reasonable efforts under PIPEDA. Facebook also criticized the Commissioner’s suggestion that it manually review each app’s privacy policy as impractical, as it would require legal staff to examine millions of documents.
The Court was left to “speculate and draw unsupported inferences from pictures of Facebook’s various policies and resources as to what a user would or would not read; what they may find discouraging; and what they would or would not understand.” The Court agreed with Facebook’s argument that once a user authorizes it to disclose information to an app, the social media company’s safeguarding duties under PIPEDA come to an end. At that point, the app creator’s own data protection obligations under an agreement with Facebook come into effect.
The Court’s decision also drew a distinction between data transferred for processing and data only disclosed to a third party. While PIPEDA states that “an organization is responsible for information in its possession or custody, including information that is transferred to a third party for processing,” the judge noted that PIPEDA “does not impose a responsibility over information disclosed in all instances.” According to the Court’s decision, the Privacy Commissioner had the onus to prove that data sent to the third-party app was sent for processing, not merely disclosed.
Although the Privacy Commissioner may appeal the decision, it is worth noting that Facebook no longer allows third-party apps to run on its platform.
The company has taken steps to improve its data privacy practices and protect users’ information, including implementing new policies and tools to give users more control over their data. Nonetheless, the case serves as a reminder of the importance of data privacy and the need for effective privacy regulation.
Canada (Privacy Commissioner) v. Facebook, Inc., 2023 FC 533