The Federal Court of Canada last week dismissed the Privacy Commissioner of Canada’s complaint against Facebook stemming from alleged privacy violations involving Cambridge Analytica. The Privacy Commissioner ruled against Facebook in 2019, but Facebook disagreed with the findings and took the matter to court. Last week, a court sided with the social media giant, concluding that the Privacy Commissioner did not provide sufficient evidence that Facebook failed to obtain meaningful consent when sharing information with third-party applications and rejecting a claim that Facebook did not adequately safeguard user information. The Cambridge Analytica case sparked investigations and complaints worldwide, leading to a $5 billion penalty in the U.S., significant settlements of private lawsuits, fines in the UK, and extensive new rules in the European Union. Yet in Canada, the case against the company has been dismissed, raising troubling questions about how it was handled and the adequacy of Canadian privacy law.
Federal and provincial privacy commissioners jointly investigated the Cambridge Analytica case starting in 2018. That joint approach raised some concerns, but the final report identified serious privacy violations and included several recommendations for reform, including new measures to ensure “valid and meaningful consent”, greater transparency for users, and oversight by a third-party monitor for five years. Facebook disagreed with the findings and challenged the case in court. In fact, with no order making power under current Canadian privacy law and a federal court approach that examines each privacy case “de novo” – ie. over again – there is no deference given to the Privacy Commissioner’s prior findings as the case must be made from scratch (as an aside, this is one reason why I am less troubled than others by the creation of a Privacy Tribunal in Bill C-27, which likely would be treated with some deference by the courts).
While there were several legal issues before the court, the case came down to two issues: did Facebook fail to obtain meaningful consent when sharing user information with third-party applications and/or did it fail to adequately safeguard the user information that was transferred to third-parties?
On the consent issue, the Privacy Commissioner unsurprisingly argued that Facebook did not meet the necessary consent standard, while Facebook said that it did. The court concluded that without expert evidence on the issue, it was left with an “evidentiary vacuum”:
In assessing these competing characterizations, aside from evidence consisting of photographs of the relevant webpages from Facebook’s affiant, the Court finds itself in an evidentiary vacuum. There is no expert evidence as to what Facebook could feasibly do differently, nor is there any subjective evidence from Facebook users about their expectations of privacy or evidence that any user did not appreciate the privacy issues at stake when using Facebook. While such evidence may not strictly be necessary, it would have certainly enabled the Court to better assess the reasonableness of meaningful consent in an area where the standard for reasonableness and user expectations may be especially context dependent and are ever-evolving.
In fact, the court says that not only was there no evidence on consent, but it notes that the Privacy Commissioner failed to compel Facebook to disclose evidence on the matter. The Commissioner’s counsel maintained that Facebook “would not have complied or would have had nothing to offer”, but the Court was left unimpressed, emphasizing that the burden falls on the Commissioner “to establish a breach of PIPEDA on the basis of evidence, not speculation or inferences derived from a paucity of material facts.” Ouch.
While the court says that shortcomings of the Commissioner’s evidentiary case took the consent claim off the table, it was Canada’s weak privacy laws that largely undid the claim regarding adequate safeguards of user information disclosed to third-parties. The court concluded that under the current privacy law “safeguarding obligations end once information is disclosed to third-party applications” and provided a clear shout-out for Parliament to pursue a modernized privacy law:
The Commissioner’s submissions speak to the need for rigorous third-party enforcement practices in the ever-evolving digital world given the vast amount of personal information that tech-giants like Facebook handle and the ease with which it flows from one party to another. Facebook’s submissions, on the other hand, speak to the role of social media companies play in modern society in facilitating freedom of expression; that Facebook has, in many ways, replaced the public square, the newsstand, the garage sale and the first date. These submissions are thoughtful pleas for well-thought-out and balanced legislation from Parliament that tackles the challenges raised by social media companies and the digital sharing of personal information, not an unprincipled interpretation from this Court of existing legislation that applies equally to a social media giant as it may apply to the local bank or car dealership.
In other words, fixing the inadequacy of Canada’s private sector privacy legislation falls to the government, not the courts. For years, the privacy community has urged the government to prioritize privacy reform. Rather than seeking to address privacy concerns, the current government has seemingly been far more interested in profiting from weak privacy rules, satisfied that the way to deal with the tech giants is to compel them to fund the cultural and news sectors or to threaten them with fishing expedition hearings into their internal communications and strategies. The consequences of that approach have now become readily apparent with Canada embarrassingly unable to deal with the most high profile global privacy case of the past decade.