A panel of judges says Facebook broke federal privacy law by failing to adequately inform users of the risks to their data upon signing up to the popular social-media platform.
In a new ruling, the Federal Court of Appeal says Facebook, now known as Meta META-Q, did not obtain the meaningful consent required by the Personal Information Protection and Electronic Documents Act between 2013 and 2015.
It also said Facebook breached its safeguarding obligations under PIPEDA, which governs the private-sector’s use of personal information, during the relevant period by failing to adequately monitor and enforce the privacy practices of third-party apps.
In the decision, which overturns a 2023 Federal Court ruling, the Court of Appeal said Facebook “invited millions of apps onto its platform and did not adequately supervise them.”
It found that the Federal Court’s failure to engage with the relevant evidence on this point was an error of law.
In a statement, Privacy Commissioner Philippe Dufresne called the latest decision an acknowledgment that international firms whose business models rely on users’ data must respect Canadian privacy law.
“Facebook operates the world’s largest social media network and collects a vast amount of personal information and data about its users,” Mr. Dufresne said. “The issues at the heart of this matter are critically important to Canadians and their ability to participate with trust in our digital society.”
He noted the Court of Appeal has asked his office and Facebook to report back within 90 days on whether an agreement on the terms of a remedial order has been reached. “I expect Facebook to now bring forward proposals on how it will ensure that it complies with the court’s decision.”
In a brief statement, Meta expressed disappointment with the ruling. The company did not indicate whether it plans to appeal to the Supreme Court of Canada.
A 2019 investigation report from Daniel Therrien, federal privacy commissioner at the time, and his British Columbia counterpart cited major shortcomings in Facebook’s procedures and called for stronger laws to protect Canadians.
The probe followed reports that Facebook let an outside organization use a digital app to access users’ personal information, with that data then passed to others.
The app, at one point known as This is Your Digital Life, encouraged users to complete a personality quiz but collected much more information about the people who installed the app as well as data about their Facebook friends.
Recipients of the information included British consulting firm Cambridge Analytica, which was involved in U.S. political campaigns and targeted messaging.
About 300,000 Facebook users worldwide added the app, leading to the potential disclosure of the personal information of approximately 87 million others, including more than 600,000 Canadians, the commissioners’ report said.
The commissioners concluded that Facebook violated PIPEDA by failing to obtain valid and meaningful consent of installing users and their friends, and that it had “inadequate safeguards” to protect user information.
Facebook disputed the findings of the investigation. The company has said it tried to work with the privacy commissioner’s office and take measures that would go above and beyond what other companies do.
In early 2020, Mr. Therrien asked the Federal Court to declare Facebook had violated the law.
A judge ruled last year the commissioner failed to meet the burden of establishing that Facebook breached the law concerning meaningful consent. He also agreed with Facebook’s argument that once a user authorizes it to disclose information to an app, the social-media company’s safeguarding duties under PIPEDA come to an end.
In its decision, the Court of Appeal noted Facebook’s contention that users read privacy policies presented to them on signing up to social-networking websites, something the judges called “a dubious assumption” given such documents can run thousands of words.
“Terms that are on their face superficially clear do not necessarily translate into meaningful consent,” Justice Donald Rennie wrote for the three-member panel. “Apparent clarity can be lost or obscured in the length and miasma of the document and the complexity of its terms.”
In this case, Justice Rennie said, a central question was whether a reasonable person “would have understood that in downloading a personality quiz (or any app), they were consenting to the risk that the app would scrape their data and the data of their friends, to be used in a manner contrary to Facebook’s own internal rules (i.e. sold to a corporation to develop metrics to target advertising in advance of the 2016 U.S. election).”