You know a couple of years ago I publicly swore I would post every month. And I was good. For a while. But in my head the real rule was always “you can never go a year without posting”. [/checks date of last post]. Whew, that was close.
It’s a good thing this big Facebook case came out in the last couple of weeks so I could keep my blog-every-year rule! The case is Canada (Privacy Commissioner) v. Facebook, Inc., and it comes from the Federal Court of Appeal. Conveniently, last year when I was writing every month, in a post entitled Facebook wins in privacy court (for now), I wrote about the case when it came out of the lower court. I concluded there by saying:
On May 12 the OPC announced that it was appealing the Court’s decision.(…)
Your humble blogger will have to wait until the Federal Court of Appeal decision is released in, what, 2-3 years? Then he’ll write a post of substance with all those details about meaningful consent, because what this Court says is totally irrelevant as soon as the Court of Appeal weighs in.
Well, just under a year and a half or so, not 2-3. I am bad at predictions (Habs will make the Conference Finals this season!). But I was dead on when I wrote “because what this Court says is totally irrelevant as soon as the Court of Appeal weighs in” and “Facebook wins (for now)”, because drum roll…
Facebook is a big loser now. The Court of Appeal has overturned the lower court and ruled that Facebook violated privacy up the wazoo. This is my shocked face. OK let’s take a step back and dive in.
What’s all this about then?
Cambridge Analytica! You remember that scandal from back in the before times don’t you? Here’s its Wikipedia entry in case you forgot or blacked it out purposefully. Quick recap – personal data belonging to millions and millions and millions of Facebook users (some Canadian) was collected without their consent via a third-party Facebook app, transferred to Cambridge Analytica and generally used for political advertising. In light of that, many Canadians were upset! They complained to the Office of the Privacy Commissioner (OPC). The OPC investigated, and I wrote about their findings back in 2019. To save you clicking on that link, Facebook was found to have violated PIPEDA by not getting “meaningful consent for the collection, use and disclosure of personal information”, to use the OPC and PIPEDA language. They found specifically:
- Facebook failed to obtain valid and meaningful consent of installing users
- Facebook also failed to obtain meaningful consent from friends of installing users
- Facebook had inadequate safeguards to protect user information
- Facebook failed to be accountable for the user information under its control
Of course, having a crappy privacy law federally, which my two regular readers know about by now, means that finding that PIPEDA was violated was just about all the OPC could do. They “recommended” Facebook fix some stuff, and Facebook was all like “BWAHAHAHA nothing you can do about it suckers!” The OPC was miffed with that reply, while admitting the “nothing you can do about it” was fact check true. But they could go to court to get the court to also say Facebook violated PIPEDA, which would also be kind of useless except for some PR. Actually that is not really true, under sections 15 and 16 of PIPEDA the Court can actually order Facebook to get its act together and obey the law. Too bad the lower court laughed at the OPC too!
The Lower Court
Just go back and read the last post again. Or not. As the lower court has been overturned, it’s pretty irrelevant now. Let’s find out why! Finally.
The Court of Appeal
Let’s start with the summary:
[1] The Privacy Commissioner of Canada commenced proceedings in the Federal Court alleging that Facebook, Inc. (now Meta Platforms Inc.) breached the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (PIPEDA) through its practice of sharing Facebook users’ personal information with third-party applications (apps) hosted on the Facebook platform. The proceeding arose from the Commissioner’s investigation into the scraping of Facebook user data by the app “thisisyourdigitallife” (TYDL) and its subsequent selling of the data to Cambridge Analytica Ltd. (Cambridge Analytica) for psychographic modeling purposes between November 2013 and December 2015.
[2] The Federal Court, per Manson J. (Canada (Privacy Commissioner) v. Facebook, Inc., 2023 FC 533, 2023 A.C.W.S. 1512), dismissed the Commissioner’s application, finding that the Commissioner had not shown that Facebook failed to obtain meaningful consent from users for disclosure of their data, nor that Facebook failed to adequately safeguard user data.
[3] I would allow the appeal. The Federal Court erred in its analysis of meaningful consent and safeguarding under PIPEDA. I conclude that Facebook breached PIPEDA’s requirement that it obtain meaningful consent from users prior to data disclosure and failed in its obligation to safeguard user data.
I told you all that already, but that’s a quality well-written legal summary. You don’t get to be on the Federal Court of Appeal if you write like me.
The Court starts off by diving into Facebook and its privacy practices, online legal terms, and their policies. They do not take a kind view of many of these things! I love how they note that Facebook’s Terms of Service were 4500 words and their Data Policy (which was a sub-set of the Terms) was 9100 words. Like, who would read that? [/raises hand] Also importantly, the Court notes that while users of the third-party apps are able to properly consent using Facebook’s “Granular Data Permissions” (GDP), the friends of the users, whose personal information also ended up with Cambridge Analytica, did not have access to the GDP process. Remember that!
The Court then notes that the people who make those third-party apps like TYDL have to accept some Platform Terms of Service. These require such developers to “Only request user data necessary”, to have their own privacy policies, get explicit consent and not sell personal info. This all seems like it might be important later.
The Court dives in to the history of the TYDL app and how it sold data to Cambridge Analytica. The data included data from 600,000 Canadians.
The Law – PIPEDA
The Court reminds us that PIPEDA says that organizations must adhere to the 10 Principles found in Schedule 1. The 10 Principles outline uh, ten principles that an organization must follow in order to protect personal information. As I always tell my students, the most important principle imho is not number 1 but number 3 for some reason. Number 3 is “consent”. Given that the entirety of Canadian privacy law is based on consent you would think it would be #1! As if to prove me right, the Court correctly points out that Consent is so important they added section 6.1 to the main body of PIPEDA:
Valid consent
6.1 For the purposes of clause 4.3 of Schedule 1 [ed. – that is actually Principle 3, these numbers are stupid I know], the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
The Court also mentions Principle 7, “Safeguards” which basically says organizations like Facebook should, uh, safeguard people’s personal information.
The Court of Appeal summarizes the lower court
This Court notes in particular that the lower court:
dealt with the two central issues: whether Facebook failed to obtain meaningful consent from users and Facebook friends of users when sharing their personal information with third-party apps; and whether Facebook failed to adequately safeguard user information. The Court held that the Commissioner had failed to discharge its burden on both allegations.
At this point in the decision the Court does not really rip into the lower court. I guess that’s coming soon. It does hint at some problems, which we’ll get to.
Issues on appeal and the positions of the parties
Basically: the OPC says the lower court really fucked up by: (1) “setting the bar too low” in its interpretation of meaningful consent under PIPEDA; (2) failing to distinguish between meaningful consent for installing users and meaningful consent for friends of installing users; and (3) wanting to get subjective evidence of user experience and expert evidence, which the OPC did not provide, even though the court had plenty of objective evidence i.e. what is “reasonable”. On the other hand, Facebook says the lower court did great, thanks!
Analysis!
We are finally at the meat of the matter. The decision, like most court decisions, gives the conclusion at the beginning so you know what’s coming. It is not a best-selling novel. So the Court concludes and then explains why. It concludes the lower court made mistakes bigly:
The Federal Court erred when it premised its conclusion exclusively or in large part on the absence of expert and subjective evidence given the objective inquiry. Second, the Court failed to inquire into the existence or adequacy of the consent given by friends of users who downloaded third-party apps, separate from the installing users of those apps. Consequently, the Court did not ask itself the question required by PIPEDA: whether each user who had their data disclosed consented to that disclosure. These are over-arching errors which permeate the analysis with the result that the appeal should be allowed.
Let’s take each of these (and more!) in turn the way this Court does, using their own section headers.
1. The Federal Court’s call for subjective or expert evidence
The Court here says “hey lower court, section 6.1 has the word “reasonable” in it dammit! And so does the text of Principle 3!” The reasonable person standard has a long history in law, which it discusses at length. While subjective and expert evidence sometimes helps to define the reasonable standard, it is not necessary. As the Court states:
It was the responsibility of the Court to define an objective, reasonable expectation of meaningful consent. To decline to do so in the absence of subjective and expert evidence was an error.
That’s basically it.
2. Meaningful consent: the friends of users
The Court harps on that Facebook Granular Data Permissions (GDP) stuff I mentioned above, and how the friends of users had no access to it:
This distinction between users and friends of users is fundamental to the analysis under PIPEDA. The friends of users could not access the GDP process on an app-by-app basis and could not know or understand the purposes for which their data would be used, as required by PIPEDA.
Also, too, the app developers were required to have privacy policies as I mentioned. The users of the app certainly had the opportunity to evaluate those policies, but the friends did not. The Court also goes through the text of Facebook’s giant data policy which describes how those friends’ personal info might be used by third-party apps. But the Court says that the text of that policy is really fucking general, broad and vague and thus is completely bullshit. Well, the Court says “ineffective”. So broad that there is no way the friends could give meaningful consent based on it. As the court artfully concludes on this point:
Upon signing up to Facebook, friends of direct app users were effectively agreeing to an unknown disclosure, to an unknown app, at an unknown time in the future of information that might be used for an unknown purpose. This is not meaningful consent.
3. Meaningful consent: the installers of TYDL
While concluding that the friends did not give meaningful consent was easy, the Court goes into excruciating detail trying to show how the actual users / downloaders of the app also did not give meaningful consent. It’s like thirty paragraphs and if I want to finish this post before my year deadline expires I am going to have to really summarize here. Lots of it is based on my life’s work, the drafting of online Terms and policies. Remember when I mentioned above how the Court was very specific about how long the Terms and Data Policy were? Well:
… clarity can be lost or obscured in the length and miasma of the document and the complexity of its terms. At the length of an Alice Munro short story, the Terms of Service and Data Policy—which Mark Zuckerberg, speaking to a U.S. Senate committee, speculated that few people likely ever read—do not amount to meaningful consent to the disclosures at issue in this case.
Oof that hurts. I am trying to make my living here! Although I am going to read that as comparing my writing to Nobel Prize winner Alice Munro. Nice! We’ll just ignore that other Munro stuff (now). The Court talks about the reasonable Facebook user:
the reasonable Facebook user would expect Facebook to have in place robust preventative measures to stop bad actors from misrepresenting their own privacy practices and accessing user data under false pretences
And the court asks how could that be true when like half the app developers don’t even read the Facebook policies that govern them. Finally the Court notes how Facebook’s own procedures deemed TYDL’s actions collecting unnecessary personal data as red flags for privacy violations but Facebook did nothing about it for at least a year. Oopsie! All of this shit taken together “lead only to the conclusion that Facebook did not adequately inform users of the risks to their data upon signing up to Facebook” and thus there was no meaningful consent.
The Court takes a kind of interesting detour here talking about how Facebook policies for users are “contracts of adhesion” which is a fancy legal term for “take it as is or leave it” contracts. The Court discusses the famous (well, to internet law specialists) Supreme Court case Douez v. Facebook, which I wrote about back in 2017. That case had a different issue and different outcome (which the Court recognizes – “Douez admittedly dealt with a different beast”) so tbh I am not sure why they bring it up. Something about the fact that because it is a contract of adhesion it requires higher scrutiny by the courts. OK then. Anyway, after all this the Court concludes “had the Federal Court considered all of the factors above, it would have concluded that no user provided meaningful consent.”
4. The safeguarding obligation
Even in sub-sections, the Court likes to announce its conclusions right away and then explain, like so:
An organization can be perfectly compliant with PIPEDA and still suffer a data breach. However, the unauthorized disclosures here were a direct result of Facebook’s policy and user design choices. Facebook invited millions of apps onto its platform and failed to adequately supervise them. The Federal Court failed to engage with the relevant evidence on this point, and this was an error of law.
The Court then basically repeats the same salient facts from the previous section (to be fair, they warned they would do this in the previous section) – that Facebook did not review the app developers’ privacy policies, and that Facebook did not act on the red flags of TYDL requesting unnecessary personal info. Facebook also received plenty of complaints about the TYDL app but failed to notify users or ban the TYDL app developer from the platform. All of this is also evidence of failing to safeguard data as required by Principle 7.
5. Purposive balancing under PIPEDA
Forget what “purposive balancing” means. You see, what happened at the lower court was that they said “if we find that Facebook violated PIPEDA, we are putting undue obligations on the little company operating out of mom’s basement or a car dealership because the law has to be applied equally to everyone.” This Court OTOH says “ok; apply the law equally, but think about context.” The whole point of Facebook is to be a data whore (my wording, but the Court does say that), unlike the car dealership, so you are fucking stupid lower court. The lower court also erred bigly by misreading when it said PIPEDA has a right for organizations to collect and use personal information; in fact it says individuals have privacy rights, but the law recognizes the need for organizations to collect, use and disclose personal information. Dumb stupid lower court again!
6. Estoppel and officially induced error do not apply
And finally, we have some real legal crap. Do I have to explain estoppel and officially induced error to you? Of course not, you know what they are, right? Ugh, fine. Estoppel means if you make a statement or promise of some sort to someone, there are no backsies later, and you are “estopped”, i.e. prevented, from going after them. Officially induced error means that if an official tells you that you are cool with something like a law, the official can’t then say later that you violated that law.
You see, the OPC was investigating Facebook’s privacy practices all the way back in 2008. After that investigation, the OPC recommended Facebook fix some stuff, and Facebook actually kinda did, and the OPC followed up with a letter that said “you are pretty cool with PIPEDA now.” So Facebook thinks this is a get out of jail free card on PIPEDA for the rest of eternity. For a couple of legal reasons this Court says yeah no, that’s BS. It basically comes down to “duh that was more than a decade ago, things change Zuck”.
And we’re done!
The Court concludes “Facebook’s practices between 2013-2015 breached Principle 3, Principle 7, and section 6.1 of PIPEDA”. The OPC asked for a whole bunch of stuff that Facebook should do to improve its privacy practices from the Cambridge Analytica days. Facebook says “those events were a decade ago, we have changed since then.” The Court notes the irony of Facebook making that argument now when they were arguing the opposite when it came to that estoppel thing. Ha! Zing! Ya burnt! But in the end the Court actually does agree with Facebook here and says the stuff the OPC is asking for is kind of useless now. The Court says the parties should work together to come to some consent (ha!) about a “remedial order” which would just be a token statement, within 90 days. If not, come back to court and we’ll sort that out.
Superterriffic Happy Hour Analysis Time
Well, the Court did everything it could here. It fixed the egregious errors from the lower court and made the declaration that Facebook violated PIPEDA. Obviously this was a mess of privacy on Facebook’s part; even non-lawyers could see that.
But a court doing everything it can here is totally useless. The Court commented on the giant financial penalties imposed by American and British authorities for the same set of facts. But those are not available under PIPEDA as my two regular readers know. We have fixed that here in Quebec, but the Federal privacy law revamp is stuck in neutral. There is no way that Bill C-27 is going to get passed before this government falls. Sigh. Enjoy your time violating privacy law in Canada with impunity Zuck.