The federal privacy commissioner’s attempt to have Facebook take responsibility for the Cambridge Analytica scandal under Canadian privacy law has been rejected by a judge.
In a decision released last week, Justice Michael Manson of the Federal Court dismissed the commissioner’s attempt to enforce its 2019 finding that Facebook violated the Personal Information Protection and Electronic Documents Act (PIPEDA) by having inadequate data privacy safeguards over how third-party apps played with the data of Facebook users.
The case involved the sharing of Facebook users’ personal information with a third-party application called This Is Your Digital Life, hosted on its platform.
Its creator, U.K. university professor Aleksandr Kogan, presented the app as a personality quiz. Through it, the app could access the Facebook profile information of every user and their Facebook friends who installed the app and agreed to Facebook’s privacy policy.
What the app was really about was vacuuming up personal data for another purpose. Kogan sold Facebook user data — including those of an estimated 600,000 Canadians — to Cambridge Analytica and a related firm, SCL Elections. SCL used that data in targeted political messages in the U.S. and the U.K.
In his two-part ruling, Manson said the commissioner didn’t offer sufficient evidence that Facebook hadn’t gotten adequate consent for the sharing of user data with third-party apps.
And while the judge agreed Facebook had an obligation to safeguard users’ data, he said that shifted to app creators when users agreed to participate in the app. An app creator, in turn, had its own data protection obligations under an agreement with Facebook.
The privacy commissioner argued Facebook maintained control over the information disclosed to third-party applications because it holds a contractual right to request information from apps.
The judge disagreed.
“The Commissioner has failed to discharge their burden to show that it was inadequate for Facebook to rely on good faith and honest execution of its contractual agreements with third-party app developers,” the judge concluded.
PIPEDA says “an organization is responsible for information in its possession or custody, including information that is transferred to a third party for processing.” But, the judge said, PIPEDA “does not impose a responsibility over information disclosed in all instances.” (Italics added by IT World Canada).
In an interview, Halifax privacy lawyer David Fraser said the distinction the judge made between data transferred for processing and merely disclosed (with approval) to a third party is crucial. The privacy commissioner had to prove data sent to This Is Your Digital Life was sent for processing, not just transferred, the judge essentially said.
The privacy commissioner could take the decision to the Federal Court of Appeal.
This particular issue is somewhat moot: Facebook no longer allows third-party apps to run on its platform.
But in a blog on Sunday, Fraser, of the McInnes Cooper law firm, said the federal privacy commissioner “lost, big time.”
The federal [and B.C.] privacy commissioners “announced their findings with big fanfare, denounced Facebook broadly for not getting adequate consent for users who use third-party apps on their platform,” Fraser said. “They called for all sorts of privacy law reform and said this is a grand indicator of why they needed broad order-making powers and ability to issue penalties.” But the Office of the Privacy Commissioner had to take Facebook to court because it didn’t have the power under PIPEDA to issue a compliance order to the social media platform. “And they’re not able to prove to the satisfaction of the judge that they even had evidence for their main allegation. The court said, ‘You have to have evidence.’ And in this particular incident, they asked the court to make a whole lot of inferences, which were at the heart of the privacy commissioner’s finding. But the court said, ‘That’s not evidence. You’re asking us to make assumptions.’”
Fraser said the decision shows why the federal privacy commissioner shouldn’t have the unfettered power to make orders and issue fines — in essence to be judge and jury.
In the Liberal government’s proposed overhaul of PIPEDA, Bill C-27 would give the commissioner order-making powers. But proposed fines would have to go to a new Personal Information and Data Protection Tribunal for approval.
University of Ottawa internet law professor Michael Geist said the decision “provided a clear shout-out for Parliament to pursue a modernized privacy law.”
“While the court says that shortcomings of the Commissioner’s evidentiary case took the consent claim off the table, it was Canada’s weak privacy laws that largely undid the claim regarding adequate safeguards of user information disclosed to third-parties,” he wrote in a blog today.
“Rather than seeking to address privacy concerns, the current government has seemingly been far more interested in profiting from weak privacy rules, satisfied that the way to deal with the tech giants is to compel them to fund the cultural and news sectors or to threaten them with fishing expedition hearings into their internal communications and strategies. The consequences of that approach have now become readily apparent, with Canada embarrassingly unable to deal with the most high-profile global privacy case of the past decade.”
While it was introduced into Parliament 10 months ago, C-27 still hasn’t been brought before a committee for detailed study.
Some background: In 2018 several news organizations published stories of how U.K.-based Cambridge Analytica used the data of 87 million Facebook users — 270,000 Facebook users plus millions of their Facebook friends — for political advertising. The 270,000 people had agreed to install the This Is Your Digital Life app. But few agreed to the use of the data by Cambridge Analytica.
In 2019, the federal and B.C. privacy commissioners issued a report concluding Facebook had violated the federal and British Columbia privacy laws around transparency and consent.
Facebook refused to accept that finding, so then-federal privacy commissioner Daniel Therrien asked the Federal Court to make the same finding and issue orders against the company.
“Their privacy framework was empty, and their vague terms were so elastic that they were not meaningful for privacy protection,” Therrien said at the time.
“The stark contradiction between Facebook’s public promises to mend its ways on privacy and its refusal to address the serious problems we’ve identified – or even acknowledge that it broke the law – is extremely concerning.”
The Cambridge Analytica scandal reverberated in several countries. Last year Facebook’s parent, Meta, agreed to pay US$725 million to resolve a U.S. class-action lawsuit stemming from the use of its data. In 2019, Facebook agreed to pay US$5 billion to resolve a Federal Trade Commission probe into its privacy practices, and US$100 million to settle U.S. Securities and Exchange Commission claims that it misled investors about the misuse of users’ data.