On September 9, 2024, the Federal Court of Appeal (“FCA”) released its decision in Canada (Privacy Commissioner) v Facebook, Inc., 2024 FCA 140 (the “FCA Decision”), which addressed the Cambridge Analytica incident surrounding the 2016 U.S. presidential election. In this decision, the FCA overturned the Federal Court’s decision and found that there had been a breach of the Personal Information Protection and Electronic Documents Act (“PIPEDA”). The decision provides further guidance on what constitutes “adequate safeguarding” of personal information in the digital context, and, most importantly, clarifies the definition of “meaningful consent” and the perspective from which consent is evaluated.
Background
The Office of the Privacy Commissioner of Canada (the “OPC”) issued its report of findings on the investigation of the Cambridge Analytica incident on April 25, 2019. A third-party application that operated on the Facebook platform, “thisisyourdigitallife” (“TYDL”), had collected personal information from the application’s users and their “friends” and used it for targeted political messaging. The OPC found that Facebook had failed to obtain meaningful consent and to put in place adequate safeguards to protect personal information and applied to the Federal Court under paragraph 15(a) of PIPEDA for a hearing on the matter.
The Federal Court dismissed the application, determining that the OPC had failed to provide sufficient evidence of the failure to obtain meaningful consent for the collection, use, and disclosure of personal information or to provide adequate safeguarding of personal information (2023 FC 533). The OPC successfully appealed this decision.
Summary of the FCA Decision and Takeaways
The FCA Decision clarified that the perspective for determining sufficiency of consent or safeguarding of personal information under PIPEDA is that of a “reasonable person” (paras 60-63). The FCA rejected the Federal Court’s approach, which considered consent from a subjective perspective and required expert evidence. Consequently, the FCA took the broader context into account, without resorting to expert or subjective evidence, to determine whether there was meaningful consent or adequate safeguarding of personal information, including:
- The demographics of the users, and the nature of the personal information.
- The manner in which the user interacts with the organization, including software interfaces.
- Whether there is a contract of adhesion.
- The clarity and length of the contract, its terms, and of the organization’s privacy statement.
- The nature of the default privacy settings.
Importantly, the FCA emphasized that disclosures set out in lengthy privacy statements are of limited value in obtaining meaningful consent from individuals. Given the FCA’s decision, organizations should review their specific notices and disclosures to individuals, whether electronic or otherwise, to ensure that they adequately support meaningful consent independent of the content of their privacy statement.
Approach to Interpreting PIPEDA
The FCA noted that PIPEDA balances individuals’ rights with respect to personal information against organizations’ needs to collect, use, and disclose personal information, and noted in particular that organizations do not themselves have a right to collect, use, and disclose personal information. With this framing, the FCA appears to imply that where there is conflict, the rights of individuals prevail over the needs of organizations.
Individual-Centric Approach to Consent
The FCA held that PIPEDA sets a “double reasonableness test” through clause 4.3.2, which requires (i) organizations to “make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used,” and (ii) “the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed” for the consent to be meaningful (para 71). Further, the FCA noted that meaningful consent is assessed against the objective standard of the reasonable person, that it is the “responsibility of the Court to define an objective, reasonable expectation of meaningful consent,” and that judges are charged “with the responsibility of determining the views of the reasonable person, who is both fictitious and yet informed by everyday experience” (para 70). Importantly, the court explained that “[w]hether consent is meaningful takes into account all relevant contextual factors; the demographics of the users, the nature of the information, the manner in which the user and the holder of the information interact, whether the contract at issue is one of adhesion, the clarity and length of the contract and its terms and the nature of the default privacy settings” (para 124). In this context, the FCA concluded that Facebook failed to meet this threshold.
In its decision, the FCA determined that a “reasonable person” would not have understood that their personal information would be disclosed to a third party for use in connection with political advertising, and that disclosures set out in lengthy terms of service and privacy statements are not conducive to establishing meaningful consent. Further, the FCA pointed to the public comments of a Facebook executive (para 89) and to Facebook’s knowledge of the “red flags” for policy violations by third-party apps (para 95) to stress that Facebook failed to “make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used” as required by clause 4.3.2 of PIPEDA.
Safeguarding Obligation
The FCA also concluded that PIPEDA’s obligation to adequately safeguard personal information can include an obligation on digital platforms to regulate the conduct of third parties that collect, use, and disclose personal information from the platform.
In this case, the FCA concluded that inaction with respect to third party applications meant that there was not “sufficient care” of personal information prior to disclosure, and that “failing to adequately monitor and enforce the privacy practices of third-party apps operating on the Platform” meant that personal information was not adequately safeguarded (para 118).
Conclusion
The key takeaway from the FCA Decision is that organizations will not be able to rely on their privacy statements alone to establish meaningful consent and that contractual provisions alone are not sufficient to ensure safeguarding of personal information. Together with possible federal privacy reform and the submissions of the OPC to Parliament and its past guidance on consent, the FCA Decision points to a movement in Canada’s privacy landscape that suggests a more rigorous application of PIPEDA’s consent requirements, as well as more layered and explicit disclosure when it comes to establishing meaningful consent.