Mark Zuckerberg F8 2019 Keynote by Anthony Quintano (CC BY 2.0)

Mark Zuckerberg F8 2019 Keynote by Anthony Quintano (CC BY 2.0)


Canada’s Privacy Failure: Federal Court Dismisses Privacy Commissioner’s Complaint Against Facebook Over Cambridge Analytica

The Federal Court of Canada last week dismissed the Privacy Commissioner of Canada’s complaint against Facebook stemming from alleged privacy violations involving Cambridge Analytica. The Privacy Commissioner ruled against Facebook in 2019, but Facebook disagreed with the findings and took the matter to court. Last week, a court sided with the social media giant, concluding that the Privacy Commissioner did not provide sufficient evidence that Facebook failed to obtain meaningful consent when sharing information with third-party applications and rejecting a claim that Facebook did not adequately safeguard user information. The Cambridge Analytica case sparked investigations and complaints worldwide, leading to a $5 billion penalty in the U.S., significant settlements of private lawsuits, fines in the UK, and extensive new rules in the European Union. Yet in Canada, the case against the company has been dismissed, raising troubling questions about how it was handled and the adequacy of Canadian privacy law.

Federal and provincial privacy commissioners jointly investigated the Cambridge Analytica case starting in 2018. That joint approach raised some concerns, but the final report identified serious privacy violations and included several recommendations for reform, including new measures to ensure “valid and meaningful consent”, greater transparency for users, and oversight by a third-party monitor for five years. Facebook disagreed with the findings and challenged the case in court. In fact, with no order making power under current Canadian privacy law and a federal court approach that examines each privacy case “de novo” – ie. over again – there is no deference given to the Privacy Commissioner’s prior findings as the case must be made from scratch (as an aside, this is one reason why I am less troubled than others by the creation of a Privacy Tribunal in Bill C-27, which likely would be treated with some deference by the courts).

While there were several legal issues before the court, the case came down to two issues: did Facebook fail to obtain meaningful consent when sharing user information with third-party applications and/or did it fail to adequately safeguard the user information that was transferred to third-parties?

On the consent issue, the Privacy Commissioner unsurprisingly argued that Facebook did not meet the necessary consent standard, while Facebook said that it did. The court concluded that without expert evidence on the issue, it was left with an “evidentiary vacuum”:

In assessing these competing characterizations, aside from evidence consisting of photographs of the relevant webpages from Facebook’s affiant, the Court finds itself in an evidentiary vacuum. There is no expert evidence as to what Facebook could feasibly do differently, nor is there any subjective evidence from Facebook users about their expectations of privacy or evidence that any user did not appreciate the privacy issues at stake when using Facebook. While such evidence may not strictly be necessary, it would have certainly enabled the Court to better assess the reasonableness of meaningful consent in an area where the standard for reasonableness and user expectations may be especially context dependent and are ever-evolving. 

In fact, the court says that not only was there no evidence on consent, but it notes that the Privacy Commissioner failed to compel Facebook to disclose evidence on the matter. The Commissioner’s counsel maintained that Facebook “would not have complied or would have had nothing to offer”, but the Court was left unimpressed, emphasizing that the burden falls on the Commissioner “to establish a breach of PIPEDA on the basis of evidence, not speculation or inferences derived from a paucity of material facts.” Ouch.  

While the court says that shortcomings of the Commissioner’s evidentiary case took the consent claim off the table, it was Canada’s weak privacy laws that largely undid the claim regarding adequate safeguards of user information disclosed to third-parties. The court concluded that under the current privacy law “safeguarding obligations end once information is disclosed to third-party applications” and provided a clear shout-out for Parliament to pursue a modernized privacy law:

The Commissioner’s submissions speak to the need for rigorous third-party enforcement practices in the ever-evolving digital world given the vast amount of personal information that tech-giants like Facebook handle and the ease with which it flows from one party to another. Facebook’s submissions, on the other hand, speak to the role of social media companies play in modern society in facilitating freedom of expression; that Facebook has, in many ways, replaced the public square, the newsstand, the garage sale and the first date. These submissions are thoughtful pleas for well-thought-out and balanced legislation from Parliament that tackles the challenges raised by social media companies and the digital sharing of personal information, not an unprincipled interpretation from this Court of existing legislation that applies equally to a social media giant as it may apply to the local bank or car dealership.

In other words, fixing the inadequacy of Canada’s private sector privacy legislation falls to the government, not the courts. For years, the privacy community has urged the government to prioritize privacy reform. Rather than seeking to address privacy concerns, the current government has seemingly been far more interested in profiting from weak privacy rules, satisfied that the way to deal with the tech giants is to compel them to fund the cultural and news sectors or to threaten them with fishing expedition hearings into their internal communications and strategies. The consequences of that approach have now become readily apparent with Canada embarrassingly unable to deal with the most high profile global privacy case of the past decade.


  1. Pingback: Federal domstol stöder Facebook i kamp med Kanadas integritetskommissionär - rabzub

  2. Pingback: Federal court docket backs Fb in struggle with Canada’s privateness commissioner -

  3. Pingback: Federaal gerechtshof steunt Facebook in gevecht met Canadese privacycommissaris - ALGAFAH

  4. Pingback: 聯邦法院支持 Facebook 與加拿大隱私專員的鬥爭 | IT世界加拿大新聞 - 24 Digital Hub

  5. I would like to express my gratitude to you for sharing this excellent post. I have to say that I am very impressed with your post because the information provided is both comprehensive and simple to grasp. Your subsequent post will receive a lot of attention from me.

  6. Pingback: Links 17/04/2023: GNU poke 3.1 and Deepin 20.9 Released | Techrights

  7. Thank you for mentioning the problem.

  8. Claudia Shoebridge says:

    Law bites and all other subject matter are discussed for the individuals. The range of it support austin for the supportive means. The skills are firm for the targeted items for the host of the turns for the game for the people.

  9. Adam Murphy says:

    Car games, or driving games, have always been popular with kids and adults. Now players can enjoy a fast paced game user acquisition without the need for a steering wheel. This game has five modes to choose from as the race winds through gorgeous scenes and even different worlds. The thrill seekers will love the big jumps and the chance to do tricks in the air.