OPC appeals Federal Court’s Facebook decision not requiring it to change its privacy practices
OPC appeals Federal Court’s Facebook decision not requiring it to change its privacy practices
The Office of the Privacy Commissioner has appealed the Federal Court’s decision, released last month, denying the OPC’s application to order Meta (formerly Facebook) to change its privacy policies and procedures that had led to the Cambridge Analytica data breach.[1]
The court proceedings arose out of the joint investigation by the Commissioner and the BC Information and Privacy Commissioner into the Facebook/Cambridge Analytica scandal. That investigation focused on the unauthorized collection and sharing of the personal information of more than 50 million users worldwide, including over 600,000 in Canada, for the purposes of targeting political messages. It followed a complaint that Facebook had allowed Cambridge Analytica and other organizations to use a social media app – “This Is Your Digital Life” (TYDL) – to access users’ personal information and the information of their Facebook friends, and then share that information with third parties for purposes of U.S. and other political campaigns, without obtaining proper consent.
The Court’s decision contains some problematic determinations regarding interpretation of the current federal privacy law, PIPEDA,[2] as well as the nature of evidence required on a court application to enforce the Commissioner’s findings in any investigation under the law.
The investigation was highly critical of Facebook’s policies and procedures regarding collection of personal information by social media apps and the sharing of that information. In particular, it found that Facebook failed to obtain meaningful consent from app users and their friends for the purposes for which the information was used.
Specifically, the investigation found that Facebook:
- did not obtain meaningful consent from users who installed the app for the disclosure of their personal information to the app, and did not make a reasonable effort to ensure that such users were given the necessary information to ensure meaningful consent with respect to Facebook’s disclosures to apps more generally;
- did not obtain meaningful consent from users for disclosures of their personal information to the app and other apps as a result of their Facebook Friends installing them;
- did not provide for adequate safeguards to effectively protect users’ personal information; and
- was not accountable for users’ personal information that was under its control.
Facebook disagreed with the conclusions of the investigation and refused to change its privacy practices to address the deficiencies identified.
The two key issues before the Court were (i) whether Facebook breached PIPEDA by not obtaining meaningful consent and (ii) whether it also breached the statute by not ensuring adequate safeguards for the users’ data that was disclosed to the app (meaning due diligence to ensure that the data was not used improperly).
Is a reasonable effort to obtain consent sufficient?
With respect to the consent issue, the Court referred to PIPEDA’s Principle 3 (in Schedule 1) as well as section 6.1 of the statute – which together require, for consent to be valid, that it is reasonable for individuals to understand the nature, purpose and consequences of the collection, use and disclosure of their personal information. The Principle also includes a provision obliging an organization to make a “reasonable effort” to make sure an individual is advised of the purposes for which they are being asked to consent. This provision was interpreted by the Court – incorrectly it is submitted – as an over-arching qualification to the requirement to obtain meaningful consent; in other words, an organization needs only make a “reasonable effort” to confirm that meaningful consent has been obtained. I would argue that this is a misinterpretation of the relevant provision which reads in full as follows:
The principle requires “knowledge and consent”. Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
The section 6.1 provision contains no such added stipulation.
Facebook’s position was that PIPEDA only requires that it make such reasonable efforts to protect the personal data of its users, and that it had done so through its “combination of network-wide policies, user controls and educational resources”.
The Court looked at Facebook’s generally worded privacy policies and procedures, data permissions and educational resources, which included references to disclosure to app developers, and in effect concluded that they met its posited test of making reasonable efforts to inform individuals of the potential uses of their personal information, including for psychographic profiling and political targeting purposes – notwithstanding that no mention of such uses was made in those policies and procedures.
In coming to this conclusion, the Court, it is suggested, not only failed to apply the clear language of the statute – in section 6.1 – but gave an unwarranted interpretation of the requirement to make reasonable efforts, to the effect that making such reasonable efforts will fully satisfy PIPEDA’s consent requirements. In other words, notwithstanding the statute’s explicit provisions regarding the nature of the understanding of what individuals purportedly are consenting to, those provisions are limited by an over-arching rule that an organization only need make reasonable efforts to ensure this understanding. This interpretation is an over-reading of the obligation to make reasonable efforts. The guiding rule should be as stated in the Consent Principle, that the individual can “… reasonably understand how the information will be used or disclosed” or as stated in section 6.1 that “it is reasonable to expect that an individual to whom the organization’s activities are directed would understand…”.
Instead of focusing on whether the evidence provided to the Court (primarily the relevant policies and procedures of both Facebook and the app) was sufficient to meet this test, the Court interpreted the governing requirement to be whether Facebook had made a reasonable effort to obtain consent:
The question for the Court is whether Facebook made reasonable efforts to ensure users and users’ Facebook friends were advised of the purposes for which their information would be used by third-party applications.[3]
It is submitted that this requirement should be read as an additional obligation of organizations supplemental to the key, base requirements, not a limitation, or precondition, to whether those requirements have been met.
Evidence insufficient to determine consent not obtained
The Court determined that, notwithstanding the evidence of the policies and procedures which was before the Court – and for which there was no disagreement among the parties, such evidence was not sufficient for it to rule that the reasonable standard had not been met, indicating that it had no evidence before it to spell out what Facebook failed to do to demonstrate that it made a reasonable effort:
There is no expert evidence as to what Facebook could feasibly do differently, nor is there any subjective evidence from Facebook users about their expectations of privacy or evidence that any user did not appreciate the privacy issues at stake when using Facebook.[4]
In the Court’s view, the burden was on the OPC to establish that the standard had not been met, by appropriate evidence. A plain reading of the Facebook and the app’s policies and procedures (reproduced in the Court’s reasons) apparently was not sufficient for the Court to conclude that they failed to represent a reasonable effort to inform users of the potential uses of their data.
A “reasonable person” standard?
The Court went on to suggest that such evidence could have addressed the characteristics of meaningful consent – in effect a standard of reasonableness based on user expectations. Significantly, this suggestion could be interpreted as the Court’s attempt to articulate a “reasonable person” standard for evaluating the adequacy of consent:
While such evidence may not be strictly necessary, it would have certainly enabled the Court to better assess the reasonableness of meaningful consent in an area where the standard for reasonableness and user expectations may be especially context dependent and are ever-evolving.[5]
To date, neither the regulators (i.e. federal and provincial privacy commissioners) nor the courts have gone so far as to posit that a standard of “reasonable person” should be adopted in assessing whether meaningful consent has been obtained. However, the PIPEDA provisions include language (“…stated in a manner that an individual can reasonably understand…”; “… if it is reasonable to expect that an individual would understand…”) that could be interpreted to posit such a standard – which the Court might be suggesting in its Facebook decision.
Accepting that this is in effect the benchmark by which the Court would have been prepared to rule on as to whether Facebook had complied with PIPEDA, it is mystifying for it to conclude that it could not determine what that standard requires, without expert evidence or evidence of Facebook users’ actual experience. This is a determination that has been made by the courts over many years in applying the misleading advertising rules under the Competition Act, without expert evidence, or evidence of actual consumer experience. In those cases, the courts have agreed that the test (typically referred to as the “standard of deception”) is not whether anyone actually was misled but whether a consumer of the category to whom an advertisement is directed was likely to be misled. The standard has been articulated as an objective criterion that could be applied to a range of fact situations, including different levels of sophistication and knowledge, or credulity. When originally articulating the standard, the courts did not seek expert evidence but rather looked to existing legal guideposts and in particular American court decisions.
While, to date, there may not be any such guideposts in the case law applying Canadian private sector privacy laws, one could look to court decisions under the Charter of Rights and Freedoms[6] applying a reasonable expectation of privacy – sometimes referred to as the “right to be left alone” – for guidance as to what such a standard might entail.
However, as Teresa Scassa noted in her Blog commenting on the Facebook case, the passages from the decision cited above characterizing what such a standard could entail should be troubling to those concerned about privacy:
The concept of the “reasonable expectation of privacy” has significant normative dimensions, as the Supreme Court of Canada reminds us in R. v. Tessling and in the case law that follows it. In Tessling, Justice Binnie noted that subjective expectations of privacy should not be used to undermine the privacy protections in s. 8 of the Charter, stating that “[e]xpectation of privacy is a normative rather than a descriptive standard.”
Professor Scassa posits that the Court’s reference to a reasonable expectation of privacy in terms of what users might expect in an ever-evolving technological context appears to abandon the normative dimensions of the concept:
[The Court’s] comments lead towards a conclusion that the reasonable expectation of privacy is an ever-diminishing benchmark as it becomes increasingly naïve to expect any sort of privacy in a data-hungry surveillance society.
Yet this is not the case, Professor Scassa argues. She points out that although Justice Binnie’s comment is made in relation to the Charter, a subjective “reasonable expectation of privacy” that is based on the constant and deliberate erosion of privacy would be equally meaningless in data protection law.
In other words, an objective, normative standard fashioned and adopted by the courts that can be applied to all circumstances, going forward, is the appropriate approach. By contrast, if the Court’s interpretation of PIPEDA’s consent rules is upheld on appeal, it will amount to a recognition that reasonableness of consent is an ever-evolving standard the requirements for which may diminish over time.
© David Young Law 2023
Read the PDF: OPC appeals Federal Court’s Facebook decision not requiring it to change its privacy practices
For more information please contact: David Young 416-968-6286 david@davidyounglaw.ca
Note: The foregoing does not constitute legal advice. © David Young Law
[1] Privacy Commissioner of Canada v. Facebook, Inc., 2023 FC 533.
[2] Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5
[3] Para. 63.
[4] Para. 71.
[5] Para. 71.
[6] Canadian Charter of Rights and Freedoms, Constitution Act, 1982, Part 1.