Facebook did not adequately protect user data in Cambridge Analytica scandal, FCA rules

The court found that Facebook breached PIPEDA, overturning a lower court ruling


Facebook breached Canadian privacy law by failing to protect user data and allowing it to be disclosed to British consulting firm Cambridge Analytica before obtaining meaningful consent from users, the Federal Court of Appeal ruled Monday.  
 
The unanimous decision overturned a federal court ruling from last year, which said it did not have enough evidence to conclude that Facebook violated the Personal Information Protection and Electronic Documents Act.  
 
“The federal court erred when it premised its conclusion exclusively or in large part on the absence of expert and subjective evidence given the objective inquiry,” the FCA said, adding that the lower court also “failed to inquire into the existence or adequacy of the consent given by friends of users who downloaded third-party apps, separate from the installing users of those apps.
 
“These are over-arching errors which permeate the analysis with the result that the appeal should be allowed,” the court said.  
 
In a statement, Privacy Commissioner of Canada Philippe Dufresne called the FCA’s decision a landmark ruling that recognizes “that international data giants, whose business models rely on users’ data, must respect Canadian privacy law and protect individuals’ fundamental right to privacy.  
 
“Facebook operates the world’s largest social media network and collects a vast amount of personal information and data about its users,” Dufresne said. “The issues at the heart of this matter are critically important to Canadians and their ability to participate with trust in our digital society.” 
 
A Meta spokesperson told Canadian Lawyer on Tuesday, “We’re disappointed with the court’s ruling. As was confirmed by the federal court’s ruling last year, there is no evidence that Canadians' data was shared with Cambridge Analytica.”  
 
Justice Donald Rennie authored the decision. Justices Mary Gleason and Nathalie Goyette concurred.  
 
Between November 2013 and December 2015, University of Cambridge professor Aleksandr Kogan ran “thisisyourdigitallife,” a personality quiz app on Facebook’s platform. Through the platform, Kogan was able to access the Facebook profile information of every user who installed TYDL, along with their Facebook friends’ profile information. The number of Canadians whose data was exposed to disclosure through TYDL totalled more than 600,000.  
 
In 2015, media reports found that Facebook user data collected through the app had been sold to Cambridge Analytica and a related entity. That data was subsequently used to create “psychographic” models to tailor political messages to Facebook users ahead of the 2016 US presidential election.  
 
Facebook removed TYDL from its platform that year and asked Cambridge Analytica to delete the data it got from the social media company. In 2018, media reports found that Cambridge Analytica had not deleted the data as requested, and Facebook suspended the company and Kogan from its platform.  
 
The Privacy Commissioner of Canada filed its federal lawsuit against Facebook in 2020, after concluding in an investigation that Facebook had failed to safeguard user information or obtain valid consent for disclosing the data to third-party apps.  
 
In its decision, the lower court said it could not conclude that Facebook had committed either breach, noting that the privacy commissioner had not used its powers to obtain evidence from Facebook and failed to provide any expert evidence on how Facebook could have acted differently. The court also said there was a lack of subjective evidence about Facebook users’ expectations and understandings of privacy. This led to the court finding “itself in an evidentiary vacuum.”  
 
But the FCA disagreed. “There was, respectfully, considerable probative evidence that bore on the questions before the [lower] court,” Rennie wrote. This included Facebook’s terms of service and data policy, as well as a transcript of testimony by Meta’s chief executive officer stating that he imagined most people did not read or understand either.
 
Rennie also pointed to evidence showing that nearly half of the app developers who launched their apps on Facebook’s platform had not read the platform policy or terms of service and that Facebook allowed them to continue accessing user data even after the company became aware that the app was not complying with Facebook’s policies.  
 
Rennie wrote the lower court also erred when it found that subjective evidence was necessary for determining whether Facebook users provided meaningful consent to the company to disclose their information. However, the meaningful consent clauses in PIPEDA “pivot on the perspective of the reasonable person,” Rennie wrote, and “subjective evidence does not play a role in an analysis focused on the perspective of the reasonable person.”  
 
“It was the responsibility of the [lower] court to define an objective, reasonable expectation of meaningful consent. To decline to do so in the absence of subjective and expert evidence was an error,” the FCA said.
 
The Facebook friends of users who downloaded the TYDL app were never given the opportunity to consent to their information being disclosed to third parties, Rennie noted, so the only conclusion the lower court could have reasonably made was that Facebook failed to get consent from these friends, violating PIPEDA in the process. “To the extent this evidence was acknowledged by the federal court, it made a palpable and overriding error in its conclusion that there was no breach of PIPEDA,” Rennie said.  
 
However, even the Facebook users who installed the TYDL app did not give the company meaningful consent to disclose their data, the FCA said. Likening the size of Facebook’s terms of service and data policy to “the length of an Alice Munro short story,” Rennie said “apparently clarity can be lost or obscured in the length and miasma of the document and the complexity of its terms.”
 
The policy, therefore, does not “amount to meaningful consent to the disclosures at issue in this case,” Rennie wrote.  
 
Noting that “an organization can be perfectly compliant with PIPEDA and still suffer a data breach,” Rennie further concluded Facebook nonetheless failed to safeguard user data. “The unauthorized disclosures here were a direct result of Facebook’s policy and user design choices,” he wrote.  
 
“Facebook invited millions of apps onto its platform and failed to adequately supervise them. The federal court failed to engage with the relevant evidence on this point, and this was an error of law.”
