Privacy Update

By Esther Shainblum and Martin U. Wissmath

Sept 2024 Charity & NFP Law Update
Published on September 2, 2024


Facebook Violated Privacy Laws, Failed to Obtain Valid Consent: Federal Court of Appeal

Canada (Privacy Commissioner) v Facebook, Inc. is a Federal Court of Appeal decision, released on September 9, 2024, with implications for all organizations handling personal data in Canada, including charities and not-for-profits. The Federal Court of Appeal allowed an appeal by the Office of the Privacy Commissioner of Canada (the “Commissioner”) after the lower court dismissed the Commissioner’s application alleging that Facebook, Inc. (now Meta Platforms Inc.) breached the Personal Information Protection and Electronic Documents Act (PIPEDA). The Commissioner challenged how Facebook managed the personal data of its users, particularly in sharing information with third-party applications, after an investigation into the scraping and selling of Facebook user data by an app “for psychographic modeling purposes between November 2013 and December 2015.”

The Commissioner had investigated a complaint and concluded that Facebook failed to obtain valid and meaningful user consent before sharing personal information with external applications connected through Facebook’s “Platform” technology that enabled third parties to build apps for users to install and run on Facebook. By 2013, there were 41 million of these apps, the court noted. Specifically, it was found that Facebook did not adequately inform users of the extent of data sharing or the potential risks involved, leading to privacy breaches.

In its defence, Facebook argued that it had implemented sufficient privacy controls, provided users with clear consent mechanisms and that “people could only use Facebook after agreeing to its Data Policy and Terms of Service”. However, the Commissioner contended that Facebook’s consent process was insufficiently transparent, leaving users unaware of how their data could be used beyond the immediate platform. The Federal Court of Appeal agreed with the Privacy Commissioner, and declared that Facebook “breached PIPEDA’s requirement that it obtain meaningful consent from users prior to data disclosure and failed its obligation to safeguard user data.” The court declined further compliance orders beyond the declaration of a breach of PIPEDA, given the amount of time that has transpired since the breaches occurred and Facebook’s claims “that there have been many changes in its privacy practices since then”. However, the court invited the parties to find agreement “on the terms of a consent remedial order” or to make further submissions “on the question of remedy.”

The Federal Court of Appeal’s decision in this case underscores the importance of adhering to PIPEDA’s requirements for clear and informed consent, especially in digital platforms that involve third-party data sharing. While the court did not impose fines, it reinforced the necessity for businesses to implement robust consent practices and privacy controls that align with Canadian privacy legislation.

For charities and not-for-profits, this case highlights the critical need for compliance with privacy laws, particularly in the context of data sharing with third-party service providers or platforms. Many charities and not-for-profits increasingly rely on digital tools and social media to reach their stakeholders, and this case serves as a reminder of the risks associated with inadequate data protection measures.

The decision in Canada (Privacy Commissioner) v. Facebook, Inc. signals a broader movement towards enhanced privacy protections. Charities and not-for-profits, especially those engaged in online platforms and services where personal information is shared or processed, should comply with the principles in Schedule 1 of PIPEDA as a national best-practice standard for the protection of personal information, even though the statute may not apply directly to them.

Amendments to Comprehensive Quebec Privacy Act Come into Effect

Several amendments to the Act Respecting the Protection of Personal Information in the Private Sector (Quebec Privacy Act or “Law 25”) came into effect this month. As discussed in the June 2024 Charity and NFP Law Update, on May 15, 2024, Québec introduced the first Canadian regulation on data anonymization, establishing specific criteria and guidelines for how personal information should be anonymized. This regulation requires organizations to follow “generally accepted best practices” to ensure that anonymized data can no longer identify individuals, either directly or indirectly. The regulation is part of the broader provisions in Law 25, which largely came into effect on September 22, 2023, and applies to both the private sector and public bodies in Québec.

As of September 22, 2024, the final amendments to Law 25 are in force. These have the stated purpose of enhancing individual access rights. Barring “serious practical difficulties” (which include complex practical procedures and high costs), individuals can request their computerized personal information from organizations in a “structured, commonly used technological format”. They can also ask organizations to transfer this information “to any person or body authorized by law to collect such information.” Collectively, these new rights are known as “data portability”.

Organizations are required to provide personal information in a portable format not only to the individual but also, upon request, to any legally authorized entity. The term “authorized by law” means that the recipient must comply with legal obligations related to the collection of personal information under the applicable privacy laws.

Since the right to data portability extends from the right of access, organizations must follow the rules of the Quebec Privacy Act when handling such requests. This includes verifying the identity or legal authority of the requester, responding within 30 days, and providing assistance if a request is denied. While non-compliance with data portability requirements isn’t directly subject to fines, the Commission d’accès à l’information du Québec can issue orders for corrective action, and failure to comply with these orders may result in enforcement actions and penalties.

To comply with the new data portability right, charities and not-for-profits should take several key steps. They must identify the information that falls under the right to data portability and ensure it can be provided in a structured, commonly used format. Organizational policies should be reviewed to ensure they can handle data portability requests effectively and should be revised to inform individuals of their right to access said data. Finally, if a request is denied due to “serious practical difficulties,” the organization should document the specific reasons for the refusal.
