In a landmark decision, the Federal Court of Appeal overturned a lower court decision involving Facebook’s (now known as Meta) breach of the Personal Information Protection and Electronic Documents Act (PIPEDA).

This dispute began in 2018 when three Members of Parliament raised concerns about Facebook’s compliance with PIPEDA after news reports showed that Facebook allowed Cambridge Analytica, a political consulting firm, to access users’ personal information without their knowledge or consent. The Privacy Commissioner of Canada responded by investigating Facebook’s practices, and ultimately producing a report finding that Facebook had “inadequate safeguards” to protect user information and had failed to get valid and meaningful consent from app users and friends of app users. The Commissioner found that Facebook was unable to show that the third-party personality quiz app in question, thisisyourdigitalafterlife (“TYDL”), had obtained consent for its purposes, including political purposes.

Facebook brought an application for judicial review of the Privacy Commissioner’s findings. Facebook disagreed with the results of the investigation and argued that it had taken proactive measures beyond the standards of other companies operating in the same market. In 2023, the Federal Court granted Facebook’s application, ruling that the Commissioner was wrong to take issue with the form of consent Facebook obtained.

The Privacy Commissioner successfully appealed to the Federal Court of Appeal. In its decision, the Court of Appeal found that the lower court erred in making too much of the Privacy Commissioner's failure to lead expert and subjective evidence from Facebook users showing their expectations and understanding of privacy. The Court of Appeal identified “extensive” evidence of Facebook’s problematic consent practices, including Facebook’s means of obtaining consent, Mark Zuckerberg’s testimony that users do not read the Terms of Service or Data Policy, and Facebook’s acknowledgement in 2018 that there is still “work to be done” to help users understand the choices they have over their data.

The Court of Appeal also found that the lower court did not consider consent from app-installing users’ friends separately and independently from app-installing users. The Court of Appeal observed that had the Federal Court distinguished between the two types of consent, it would have concluded, without the need for subjective or expert evidence, that meaningful consent was not provided from either group. The Court of Appeal found that, by failing to consider the two separate issues of consent, the lower court neglected to consider Facebook’s compliance with PIPEDA. The lower court had failed to consider the threshold question of whether each user who had their data disclosed consented to that disclosure.

The Federal Court of Appeal’s decision contributes to the growing discourse and critique of the lengthy contracts and policies companies use to attempt to bind consumers. The Court of Appeal rejected Facebook’s argument that users read privacy policies when signing up for social networks. Justice Rennie called this claim a “dubious assumption” given that privacy policies are lengthy and inaccessible documents for the average reader. In a time when consumer protection reform is in motion in multiple provinces (Ontario, New Brunswick and Newfoundland and Labrador), the comments from Justice Rennie recognizing the inaccessible nature of privacy policies are significant. This warning should set alarm bells ringing for legal teams across the country to make privacy policies more accessible for Canadians.

The Facebook decision also raises risks around data portability requirements when organizations ask users to send personal information to third parties. Data portability is the ability to transfer data, and data interoperability refers to the ability to integrate multiple datasets without affecting possible data use. While there are currently no interoperability requirements in Canada, forthcoming legislation – Bill C-27 – aims to fill this gap by clarifying how organizations can securely send data to other organizations, what types of data can be transferred to other organizations, and which organizations are permitted to do this. Until further clarification, the Facebook decision shows the liability risk that can arise from data dissemination.

Privacy Commissioner of Canada, Philippe Dufresne, issued a statement on the decision describing the Court of Appeal’s ruling as “an acknowledgement that international data giants, whose business models rely on users’ data, must respect Canadian privacy law and protect individuals’ fundamental right to privacy.” The Federal Court of Appeal has asked Facebook and the Commissioner’s office to respond on whether an agreement for terms of a remedial order has been reached within 90 days. It is expected that this will prompt Facebook to produce proposals for how the company will comply with the court’s decision.