In which we return to discussing developments from times forgotten. Like, uh, 6 weeks ago? That’s not too bad (for me)! Also there was a development in this case just two and half weeks ago, so that’s kind of timely? Shut up, it is. Also, I should point out before we go further that there is no “privacy court” (yet!) as suggested by my headline. Lemme explain…
Let’s go back to uh, 2019, maybe? That sounds good. On this very website in April of that year, I wrote Regulators are sick and tired of Facebook’s crap. Fuck I had a foul mouth back then. In that post, I explained the Cambridge Analytica scandal (now with its own Wikipedia page) and how the Office of the Privacy Commissioner (“OPC”) had put out a 200-paragraph report about how Facebook had violated PIPEDA with all the shenanigans related to that scandal. Good job OPC!
But of course having a report that says Facebook (yeah yeah yeah, now Meta) violated PIPEDA means as much as a promise to buy people fine scotch if a person does not blog every month. What you really need is a court order that says “Facebook violated PIPEDA”. Especially when you recommend to Facebook that they should do some things to fix their privacy practices and Facebook basically says “um, no.” So in February 2020, the OPC went to our “privacy court” (actually Federal Court, though Privacy court aka the Data Protection Tribunal is coming!) to get a determination that Facebook sucks (I am paraphrasing).
On April 13 of this year, aka the six weeks ago I mentioned, the Federal Court released its decision in Canada (Privacy Commissioner) v. Facebook, Inc. You saw the headline so you know the result, but let’s read it anyway.
The Federal Court’s Judgment
Let’s just copy the whole introduction, so you know what’s going on. Though it is much a repeat of my own more pithy recap above:
 This is an application brought by the Privacy Commissioner of Canada [the “Commissioner” or the “OPC”] under paragraph 15(a) of the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 [PIPEDA]. The Commissioner alleges that Facebook breached PIPEDA through its practices of sharing Facebook users’ personal information with third-party applications [“apps”] hosted on the Facebook Platform.
 The Commissioner’s allegations follow an investigation of a PIPEDA complaint, brought in light of news reports that a third-party application, “thisisyourdigitallife” [the “TYDL App”] had obtained data through the Facebook Platform and subsequently disclosed it to a British research firm called “Cambridge Analytica”.
Right, I told you all that; well most of it anyway. But now you get it in technical legal language, which is what you come to my blog for. I do love reading these types of judgments where judges have to give actual factual background (like they always do and a good judgment requires), for example explaining what Facebook does:
People join and use Facebook to stay connected with friends, family and others, to discover what is going on in the world and share and express their opinions on topics that matter to them.
That’s one way of putting it. Here’s the important background:
In 2007, Facebook launched the Facebook “Platform” – a set of technologies that enable third parties to build apps that can run and integrate on Facebook and be installed by Facebook users
So one of those apps was the TYDL app mentioned above. The TYDL app allowed access to the profile information of users who installed it, as well as the installing users’ Facebook friends, and it is believed that it collected data of over 600,000 Canadians. Yikes! The Court then discusses the details of the Facebook Terms of Service in place at the time and what they say about sharing data with third parties. The Court then goes into details about how “Facebook offered certain permissions, settings and controls that users could manipulate to choose what information is shared with third-party apps.” I am not going into details about those for reasons that will become clear later in this post. But here are some more important facts in relation to this case:
Media reports in December 2015 revealed that Dr. Kogan (and his firm, Global Science Research Ltd) had sold Facebook user information to Cambridge Analytica and a related entity, SCL Elections Ltd. The reporting claimed that Facebook user data had been used to help SCL’s clients target political messaging to potential voters in the then upcoming US presidential election primaries.
When these reports became public, Facebook removed the TYDL App from the Platform and asked Cambridge Analytica to delete the data it had obtained.
Upon a bunch of complaints from Canadians, the OPC launched an investigation and released the report I discussed above. But as mentioned, the OPC decided to go to Court too (“make an application” is the correct terminology). The Court lists the issues it has to deal with:
A. Is the Commissioner’s application improper because the Commissioner failed to obtain consent from each complainant?
B. Did Facebook fail to obtain meaningful consent from users and Facebook friends of users when sharing their personal information with third-party applications?
C. Did Facebook fail to adequately safeguard user information?
D. If Facebook erred, is it protected by the doctrine of estoppel by representation or officially induced error?
E. What is the appropriate remedy?
Allow me to summarize the Court’s answers to these issues:
A – this is a stupid procedural point you don’t care about, the Court says it’s all fine and proper, don’t worry about it.
B – Basically the Court says “this is all sort of murky, but the OPC has not proven to us that they (Facebook) failed to get meaningful consent, so PIPEDA is not violated” This is the heart of the matter and would be very very important, if not for reasons that will become clear later in this post.
C – Let me quote the Court – “I agree with Facebook; its safeguarding obligations end once information is disclosed to third-party applications.” Basically “once the data is in third party hands, wtf are we supposed to do?”
D – Well the OPC did not prove PIPEDA was violated (see B above) so this question is moot
E – Also moot.
And we’re done?
Superterrific Happy Hour Analysis and Why This Post is So Short
On May 12 (i.e. the “development in this case just two and half weeks ago” above) the OPC announced that it was appealing the Court’s decision. The OPC says in its announcement, “given that this matter is before the Courts, no further information is available at this time.” Well that does not really help your humble blogger.
Your humble blogger will have to wait until the Federal Court of Appeal decision is released in, what, 2-3 years? Then he’ll write a post of substance with all those details about meaningful consent, because what this Court says is totally irrelevant as soon as the Court of Appeal weighs in.