Court finds insufficient evidence to prove Facebook breached PIPEDA

This blog was written with the assistance of summer law student Jake Tesarowski.

There was insufficient evidence to prove that Facebook violated the Personal Information Protection and Electronic Documents Act (PIPEDA) after a third-party app sold the personal information of hundreds of thousands of Facebook users, according to the Federal Court of Canada (the “Court”).

On April 14, 2023, the Court dismissed an application by the Privacy Commissioner of Canada (the “Privacy Commissioner”) seeking to enforce an investigation that found Facebook (now Meta Platforms Inc.; “Facebook”) violated PIPEDA. The Court concluded there was not enough evidence to demonstrate that Facebook failed to acquire meaningful consent before sharing user information with third-party apps and rejected the claim that Facebook did not adequately safeguard user information.

On May 12, 2023 the Privacy Commissioner announced it was appealing this finding.

The investigation

The Privacy Commissioner conducted an investigation on Facebook’s practices following reports that a third-party service provider obtained data through its app’s access to Facebook and proceeded to sell the data to a British research firm, in violation of Facebook’s policies. The app in question was installed 272 times, giving the service provider access to the data of more than 600,000 Canadians.

An inability to prove a lack of meaningful consent

The Court rejected the Privacy Commissioner’s arguments that Facebook failed to obtain meaningful consent from users before disclosing their information to third parties by relying on third-party applications to obtain user consent and failing to manually verify the content of third-party privacy policies.

The Court did not endorse Facebook’s efforts, but instead found there was insufficient evidence to show a breach of PIPEDA. Without further evidence, including expert evidence on what measures Facebook should have had in place, the Court was left in an “evidentiary vacuum.”

Safeguarding user information

The Court agreed with Facebook’s claims that “safeguarding obligations end once information is disclosed to third-party applications.”  The Court made specific reference to the difference between Facebook transferring personal information for business transactions and protecting information outside of its control.

Takeaways for your organization

While the Court found in favour of Facebook, this decision nonetheless highlights the need to ensure compliance with applicable privacy laws such as PIPEDA when transferring personal information to third parties. For example, under PIPEDA, an organization is accountable for the information in its custody, including information transferred to third parties. In particular, this decision highlights the importance of having consent and contractual protections any time your organization transfers data to third parties.

That said, whether an organization’s safeguarding obligations end once data is disclosed to a third party will be considered on appeal. The appeal will provide further insight on what is expected of organizations to meet PIPEDA obligations when transferring data to third parties.

Your organization should also be aware of Bill C-27, the Digital Charter Implementation Act, which stands to make significant changes to PIPEDA. Bill C-27 has gone through two readings in the House of Commons and is awaiting review by the Standing Committee on Industry and Technology.

If passed, Bill C-27 would empower the Privacy Commissioner and a newly formed Personal Information and Data Protection Tribunal (“PIDPTA”) to recommend stricter penalties and make binding orders for privacy law violations, subject to judicial review under the Federal Courts Act. Notably, PIDPTA includes a specific requirement that organizations transferring data to service providers provide a level of protection in line with the organization’s PIDPTA obligations.

The lawyers in the MLT Aikins Privacy, Data Protection & Cybersecurity group have extensive experience advising organizations on their obligations under applicable privacy law, including developing and implementing privacy policies and advising on the collection, use and sharing of personal information. Contact us to learn more.

Learn more about privacy law at our upcoming IP, Data & Technology Conference: Legal Risks & Safeguarding Your Business. Register today to attend the conference virtually or in person in Winnipeg. We hope to see you on June 1!

Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.