Privacy & Data Management Blog

Facebook admitted in Federal Court that Cambridge Analytica accessed personal information of over 600,000 Canadian Facebook users through a third party application without permission and in breach of Facebook policies.  Nevertheless, the Federal Court decided Facebook did not breach the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

Facebook came under fire when news outlets reported that Cambridge Analytica had accessed Facebook users’ personal information without their knowledge or consent.  Facebook has faced fines in the U.S. and Europe in relation to the incident, but not in Canada.

Federal Court Decision

The data in question was acquired through a third party Facebook application developed by a researcher.  About 200 Canadians used the app, which then accessed their and their “friends” data.  The personal information was later disclosed to Cambridge Analytica.  Facebook admitted Cambridge Analytica accessed the personal information of over 600,000 Canadians this way and that it was in breach of Facebook policies.

The Office of the Privacy Commissioner of Canada (“OPC”) and the Privacy Commissioner for British Columbia launched a joint investigation into Facebook’s privacy practices. Their Final Report heavily criticized Facebook for breaching its obligations under PIPEDA.

The Federal Court, however, dismissed the OPC’s application against Facebook. Facebook’s Data Policy explained to users how information was shared on Facebook, particularly how their information could be shared with third party applications through themselves or their friends. Facebook’s Terms of Service set out users’ rights and responsibilities, including how they could control their information in the context of third party applications on Facebook. All users had to agree to these policies during the sign up process and had access to them thereafter. Additionally, Facebook required app developers to agree to their Terms of Service and Platform Policy. The Platform Policy imposed contractual duties on app developers regarding the collection and usage of data collected from Facebook users and their friends. Because of these policies, there was no evidence that individuals had failed to consent to their data being collected.

This decision looks surprising given the OPC’s findings, the results in other countries and considering that only approximately 200 individuals actually used the app in question. The other 600,000 Canadians who were affected would not have known that that particular app was collecting their information via their Facebook friends. Nevertheless, the decision stands, subject to appeal.

The result of the case was driven by evidentiary issues and the existing onus on the OPC to prove a breach of PIPEDA, which made it difficult for the OPC to hold Facebook accountable.  This reveals a divide between how regulators, such as the OPC, may approach a privacy investigation, evidence and the burden of proof under PIPEDA, compared to Court proceedings.  It is important to note that other cases may not produce the same results, depending on the circumstances and the evidence. However, the Federal Court’s decision indicates that the types of general consent provisions and rules for users and app developers used by Facebook may stand up, even where a third party clearly breaches PIPEDA by collecting, using and disclosing personal information without consent.  As a result, there are more voices calling for a change to Canadian privacy laws that will make organizations more accountable.

Notwithstanding the result in this case, it does reinforce compliance measures.  Organizations should:

• Consider whether your organization’s privacy policies adequately explain how third parties might collect, use, and disclose user data.
• Ensure that these policies are well-documented and available to users.
• Ensure your organization is imposing appropriate contractual obligations on third parties, including limitations on use and disclosure, as well as reporting requirements in the event of unauthorized use or disclosure.

If your organization has any questions about privacy policies, other obligations under PIPEDA or data privacy generally, we would be pleased to help you. Please contact a member of our Privacy & Data Management Group.