Key Lessons from Meta’s Victory Against the Privacy Commissioner of Canada in the Federal Court
In Canada (Privacy Commissioner) v. Facebook, Inc., 2023 FC 533, the Federal Court of Canada dismissed a high-stakes application brought by the Privacy Commissioner of Canada against Meta Platforms Inc. (formerly Facebook Inc.), marking the first time any court in the world has ruled on the merits of a case arising out of the Cambridge Analytica incident.
The Commissioner alleged that Meta breached federal privacy law in connection with the Cambridge Analytica incident and Meta’s sharing of Facebook users’ personal information with third-party applications. The Federal Court’s decision dismissing this application is a monumental victory for Meta and provides important lessons for businesses about Canadian privacy law:
- PIPEDA strikes a balance. The federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) strikes a balance between individual and organizational interests, and should therefore be interpreted in a flexible, pragmatic, and common-sense way. This means that courts must consider not only the individual’s privacy interests, but also the organization’s legitimate interests in collecting, using, and disclosing personal information for commercial purposes.
- Speculation cannot substitute for evidence. Even if the Commissioner finds that an organization breached PIPEDA at the investigatory stage, he bears the burden of proving his case afresh on a PIPEDA application. While he may have relied on speculation and inference at the investigatory stage, this will not suffice on a PIPEDA application. Absent concrete evidence of a PIPEDA breach, the application will fail.
- The safeguarding duty ensures seamless protection. An organization has a duty to safeguard information in its possession. When the organization discloses the information to a third party with consent, the safeguarding duty passes from the organization to the third party immediately upon disclosure, ensuring seamless protection.
In March 2018, the Commissioner, who oversees compliance with PIPEDA, received a complaint asking him to investigate Meta’s compliance with PIPEDA regarding third-party apps around the time of the Cambridge Analytica incident. After a 13-month investigation, the Commissioner issued a non-binding report of findings. The report found that Meta failed to obtain meaningful consent from Facebook users whose personal information was shared with third-party apps, and failed to adequately safeguard Facebook users’ personal information from unauthorized collection, use, and disclosure by third-party apps.
Based on this report, the Commissioner filed a Federal Court application in April 2020 seeking sweeping remedies that would require Meta to change Facebook’s worldwide operations and functions and to submit to ongoing supervision by the Commissioner and the court. The Commissioner asked the court to draw inspiration from a 2019 U.S. Federal Trade Commission settlement order requiring Facebook to pay a US$5 billion fine and submit to 20 years of mandatory injunctive relief and third-party monitoring.
In the three years that followed, Meta achieved a number of pre-hearing successes, including orders striking improper evidence led by the Commissioner, thus materially limiting the evidence the Commissioner could use in court.
Following a multi-day hearing, the Federal Court dismissed the Commissioner’s application in its entirety, with costs. On both consent and safeguards, the court found no breach of PIPEDA. It also gave valuable direction on the act’s interpretation and application.
PIPEDA governs the collection, use, and disclosure of personal information in Canada’s private sector. Among other things, PIPEDA generally requires private sector organizations operating in Canada to do two things:
- obtain meaningful consent to collect, use, or disclose Canadians’ personal information (the consent duty); and
- take adequate steps to safeguard personal information in their possession against unauthorized collection, use, or disclosure (the safeguarding duty).
The court provided guidance on how to interpret and apply PIPEDA. The court noted that PIPEDA expressly aims “to establish a balance between protecting user information and an organization’s right to reasonably collect, use or disclose personal information”. The court stated that “given the purpose of PIPEDA is to strike a balance between two competing interests, the Court must interpret it in a flexible, common sense and pragmatic manner”. The court also confirmed that although PIPEDA is “considered to be quasi-constitutional legislation”, this status “does not displace the ordinary exercise of statutory interpretation”.
The court also provided guidance on the nature of a PIPEDA application. The court confirmed that a PIPEDA application is a de novo application, meaning it involves a fresh hearing on the merits, not a review of the Commissioner’s report of findings. The court added that the burden of proving a PIPEDA breach through concrete evidence rests with the applicant—here, the Commissioner.
The court held that the Commissioner failed to meet his evidentiary burden to prove that Meta failed to obtain meaningful consent from Facebook users. The court stated that even though the Commissioner enjoyed broad investigatory powers to compel information, the Commissioner’s application proceeded in an “evidentiary vacuum”. For example, the Commissioner failed to lead any expert evidence about what Meta could feasibly do differently to obtain users’ consent, or any evidence from any Facebook users about their expectations. In the face of this evidentiary vacuum, the court declined to “speculate and draw unsupported inferences” and concluded that “ultimately it is the Commissioner’s burden to establish a breach of PIPEDA on the basis of evidence, not speculation and inferences derived from a paucity of material facts”.
The court held that the Commissioner also failed to meet his evidentiary burden to prove that Meta failed to adequately safeguard Facebook users’ personal information. The court accepted that Meta’s duty to safeguard personal information in its possession ends once Meta discloses the information to a third party such as a third-party app developer. The court added that even if Meta’s safeguarding duty continued after this disclosure, the Commissioner failed to show that Meta could not rely on third-party app developers’ contractual commitments to comply with Facebook’s terms.
McCarthy Tétrault represented Meta in the PIPEDA application.