Canada appeal court finds Facebook infringed privacy law

The Canadian Federal Court of Appeal found that social media platform Facebook violated statutory obligations for data protection and meaningful consent created by Canada’s primary legislation on the use of personal information by corporations, the Personal Information Protection and Electronic Documents Act (PIPEDA).

Following an investigation into Facebook’s personal data-sharing practices, the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia found that:

  1. Facebook failed to ensure apps used on the site acquired meaningful consent from users;
  2. Facebook failed to obtain meaningful consent from the friends of users;
  3. Facebook did not have enough safeguards in place to protect users’ personal information; and
  4. Facebook failed to take accountability for data breaches and instead blamed users or relied on vague and broad terms of service agreements.

After the Privacy Commissioner sought a court order obligating Facebook to change its practices, the lower court ruled in favor of Facebook, finding that Facebook’s data protection obligations ended where external apps using the platform requested information and that there was insufficient evidence to determine whether the safeguards Facebook had in place were appropriate.

On appeal, the Privacy Commissioner successfully argued that the lower court had set the bar “too low” for Facebook in interpreting the “meaningful consent” requirements created by PIPEDA, failed to distinguish between the consent given by users and that given by their friends, and failed to consider the “reasonability” of the data safeguard procedures Facebook used.

The meaningful consent requirement of PIPEDA obliges companies handling user information to obtain consent from users in circumstances where they can reasonably understand what they are consenting to. In the present case, the appeal court found that the extreme length and the vague, broad nature of Facebook’s user terms meant the consent was not meaningful. Further, the data safeguarding principles in the Act require companies handling user data to create, and regularly review the effectiveness of, their data protection policies. The court found that Facebook did not regularly review the privacy policies of third-party apps beyond verifying that they had a working hyperlink in their data agreement, and that it therefore did not meet its data protection obligations.

The Privacy Commissioner first initiated the complaint following the Cambridge Analytica scandal, in which the company Cambridge Analytica harvested Facebook users’ and their friends’ data for targeted political ads. In the scandal, Cambridge professor Aleksandr Kogan developed a Facebook app called “thisisyourdigitallife,” in which users took a personality quiz. However, in using the app, users inadvertently agreed to share their profile information and information about all their Facebook friends with the political consulting firm Cambridge Analytica. The firm would then use the information harvested through the app to target political ads to Facebook users depending on their personality, geographic location, race, gender and any other relevant details the firm could find. Notably, Donald Trump’s 2016 campaign contracted Cambridge Analytica, which used the details harvested from this survey to create targeted Facebook ads in swing states.