‘Meaningful consent’ in Canada: Privacy Commissioner beats Meta in ‘Cambridge Analytica’ appeal
Posted: October 4, 2024
The Canadian Office of the Privacy Commissioner (OPC) has won a case against Meta at Canada’s Federal Court of Appeal concerning the Cambridge Analytica scandal.
The OPC alleged that Meta (then “Facebook”) breached Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) by allowing third-party apps to access and misuse user data without obtaining meaningful consent.
After a defeat at the Federal Court last year, the OPC has won at appeal. Here’s a look at the case and what it means for organizations operating under Canada’s federal data protection law.
Cambridge Analytica: 11 years on
Despite mostly occurring in 2013 and being exposed in 2018, the Cambridge Analytica fallout is ongoing in Canada. In fact, the case is also still active in the US, where Meta remains in a back-and-forth with the Federal Trade Commission (FTC) over its $5 billion fine from 2019.
As the Canadian Federal Court of Appeal explains in its judgment, published Monday, the OPC’s initial complaint against Meta was submitted to the first instance court in early 2020, right before the COVID-19 pandemic caused a bottleneck of cases.
Before we explore the most recent developments, here’s a reminder of the Cambridge Analytica scandal.
A data scientist working for Cambridge Analytica developed a Facebook app called This Is Your Digital Life (TIYDL) – a survey, presented as an academic research project, that collected data about many thousands of Facebook users.
Meta had established a consent process called Granular Data Permissions (GDP) that provided “notice” and obtained “consent” on behalf of third-party apps such as TIYDL. But in addition to the users who had been through the GDP process, TIYDL also collected data about its users’ Facebook friends – who had not received notice or provided consent.
The data obtained by Cambridge Analytica was allegedly used for political campaign targeting during the 2016 US election. However, an investigation by the UK Information Commissioner’s Office (ICO) revealed no evidence that the data had been used in such a way in the UK.
The OPC’s case against Meta
The OPC’s case against Meta rested on two allegations:
- Meta failed to obtain “valid meaningful consent” to disclose users’ data to the various vendors involved in the Cambridge Analytica scandal.
- Meta failed to appropriately secure users’ data, particularly the Facebook friends of people who had given TIYDL access to their own data.
Canada’s federal data protection law, PIPEDA, requires organizations to obtain consent in certain circumstances, and the law also includes some broad data security obligations. The OPC argued Meta violated these provisions.
Last year, however, the first instance court sided with Meta, finding that the OPC failed to:
- Use its powers to compel evidence from Facebook.
- Provide any expert evidence as to what Facebook could do differently.
- Provide any subjective evidence from Facebook users around their expectations and understandings of privacy.
The OPC’s appeal victory
Firstly, the Federal Court of Appeal said the lower court “erred when it premised its conclusion exclusively or in large part on the absence of expert and subjective evidence given the objective inquiry.”
According to the appeal court, the lower court was wrong to place so much emphasis on evidence and expert statements. The court should have interpreted the law itself and determined whether Meta broke it.
Setting aside the absence of expert evidence and testimony from users, the Federal Court of Appeal concluded the following:
- Meta had failed to obtain consent – or even request consent – from the friends of TIYDL users. And beyond this, the company had also failed to obtain meaningful consent from the TIYDL users themselves.
- Meta’s Terms of Service and Data Policy were so lengthy and complex that most users would not read or fully comprehend them. This meant Meta had failed to provide adequate notice, undermining the ability of any users to provide meaningful consent under PIPEDA.
- Meta violated its data security obligations under PIPEDA by failing to take action when “red flags” were raised regarding the TIYDL app. The company lacked adequate security controls around third-party apps.
Meaningful notice and consent
These violations occurred despite Meta having recently introduced a new consent mechanism (“GDP”), showing that organizations in Canada and elsewhere must ensure they meet the following requirements:
- Notice must be concise, comprehensive, and accessible.
- Consent, where requested, must be meaningful.
- Once you have obtained a person’s data – even with their consent – you must safeguard the data from illegitimate third-party access.