Canadian Federal Court of Appeal rules Facebook breached Privacy Laws

The Federal Court of Appeal yesterday ruled that Facebook breached Canadian privacy laws in its handling of user data that was improperly shared with third-party apps, including in the Cambridge Analytica scandal. The decision, issued on September 9, 2024, overturns a lower court ruling that had dismissed complaints against the social media giant.

In a unanimous decision, the three-judge panel found that Facebook failed to obtain meaningful consent from users before disclosing their personal information to third-party apps between 2013 and 2015. The court also ruled that Facebook did not adequately safeguard user data during this period.

"Facebook invited millions of apps onto its platform and failed to adequately supervise them," wrote Justice Donald Rennie in the court's reasons. "The unauthorized disclosures here were a direct result of Facebook's policy and user design choices."

The case stems from an investigation by Canada's Privacy Commissioner into Facebook's practices following revelations that the personal information of up to 87 million Facebook users worldwide had been improperly obtained by political consulting firm Cambridge Analytica. Approximately 600,000 Canadian users were affected.

Key findings in the court's decision include:

• Facebook did not obtain meaningful consent from users or their friends before disclosing data to third-party apps
• The company's data policies and terms of service were too long and complex for users to reasonably understand
• Facebook failed to adequately review privacy practices of third-party apps on its platform
• The company did not act on "red flags" indicating potential misuse of user data

The court rejected Facebook's arguments that it had relied on previous guidance from the Privacy Commissioner approving its practices. Justice Rennie noted that privacy standards are "highly context-dependent" and evolve rapidly with technology.

While the court declared Facebook's past practices violated the Personal Information Protection and Electronic Documents Act (PIPEDA), it stopped short of ordering specific remedies. The judges cited the passage of time and Facebook's claims of having updated its privacy practices since 2015.

The court has given the parties 90 days to agree on potential remedial measures or to make further submissions on appropriate next steps.

Privacy advocates hailed the ruling as an important precedent in holding tech giants accountable for data protection. Facebook, which has since rebranded as Meta, said it is reviewing the decision but noted its practices have "evolved significantly" in recent years.

The case highlights ongoing debates around consent and data protection in the digital age. As Justice Rennie wrote: "Terms that are on their face superficially clear do not necessarily translate into meaningful consent."

The decision comes as governments worldwide grapple with regulating social media platforms and protecting user privacy. It remains to be seen what concrete changes, if any, may result from the ruling. However, it sends a clear message that even the largest tech firms are not above privacy laws.

Key facts

• Federal Court of Appeal ruling issued on September 9, 2024
• Overturns lower court decision from 2023
• Relates to Facebook's practices between 2013-2015
• Approximately 600,000 Canadian users affected by Cambridge Analytica data sharing
• Court found Facebook breached PIPEDA principles on meaningful consent and safeguarding data
• Parties given 90 days to agree on potential remedies or make further submissions
• Facebook (Meta) says it is reviewing the decision but practices have evolved since 2015