
Privacy and misuse of personal information

Author(s): Kristian Brabander, Robert Carson, Tommy Gelbman, Jessica Harding, Craig Lockwood, Julien Morissette

Aug 9, 2023


Read the full edition: Privacy Jurisprudence Review


Option Consommateurs c. Flo Health Inc., 2022 QCCS 4442


Facts

In 2016, the defendant launched an app called “Flo” that allows women to track their menstrual cycle and ovulation periods. An investigative report revealed that the defendant transmitted unencrypted, personally identifiable and intimate information to Facebook. Following the publication of this report, the defendant changed its privacy policy, indicating that it would not share any personal data with third parties. The plaintiff sought authorization to bring a class action against the defendant on behalf of individuals in Québec who used the Flo application between June 1, 2016 and February 23, 2019. The plaintiff alleged that the defendant breached its contractual and statutory obligations with respect to the preservation of class members’ personal information. The plaintiff was seeking compensatory damages (for material injury, relating to the infringement of the right to one’s image) and punitive damages (under the Québec Charter of Human Rights and Freedoms and Consumer Protection Act).

Decision

The Superior Court authorized the class action. The defendant had admitted to transferring certain information it collected, including a “unique device identifier.” The Court therefore found that it was not hypothetical or speculative to say that personal and highly sensitive information had been transferred to third parties who had used or may use it for purposes other than the technical operation of the Flo application. The extent to which the combined effect of the disclosure of information along with the unique device identifier allows for the personal identification of the user was held to be an issue to be examined on the merits of the class action.

Key Takeaway

The courts may, in some circumstances, authorize a class action even where there is some uncertainty as to whether the information disclosed is personally identifiable.

Canada (Privacy Commissioner) v. Facebook, Inc., 2023 FC 533


Facts

The Privacy Commissioner of Canada (OPC) investigated a complaint that a third-party application obtained Facebook users’ personal data through the Facebook platform and disclosed it to another third party, Cambridge Analytica. The OPC issued a report concluding that Facebook had breached the Personal Information Protection and Electronic Documents Act (PIPEDA) by sharing Facebook users’ personal information with third-party apps without the users’ consent and by failing to safeguard users’ information. The OPC then brought an application in the Federal Court under paragraph 15(a) of PIPEDA alleging that Facebook breached the Act and seeking a remedy against Facebook.

Decision

The Court dismissed the application, finding that the OPC did not discharge its burden to establish that Facebook had breached PIPEDA by failing to obtain meaningful consent. The OPC did not adduce any expert evidence of what Facebook could feasibly have done differently, nor was there any subjective evidence from Facebook users about their expectations of privacy or their appreciation of the privacy issues at stake when using Facebook. The Court stated that, although such evidence may not be strictly necessary, “it would have certainly enabled the Court to better assess the reasonableness of meaningful consent in an area where the standard for reasonableness and user expectations may be especially context dependent and are ever-evolving.” As a result, the Court was left to draw inferences that were not supported by the evidentiary record.

The Court also found that once information was disclosed to a third-party app, Facebook’s safeguarding obligations under PIPEDA were at an end. Further, the Court stated that, even if the safeguarding obligations had applied to Facebook after information was disclosed to third-party applications, there was insufficient evidence to determine whether Facebook’s contractual agreements and enforcement policies constitute adequate safeguards.

Key Takeaway

On a de novo hearing under section 15(a) of PIPEDA, a breach of the legislation cannot be found in an “evidentiary vacuum.” The OPC bears the burden and is required to lead cogent evidence to establish a breach. Moreover, this decision supports the principle that, once an organization is authorized by a user to disclose information to a third-party app, the organization’s safeguarding duties under PIPEDA are at an end.

Facebook, Inc. v. Canada (Privacy Commissioner), 2023 FC 534


Facts

The underlying facts are essentially the same as the facts in the previous summary: the OPC investigated a complaint that a third-party application obtained Facebook users’ personal data through the Facebook platform and disclosed it to Cambridge Analytica. The OPC issued a report concluding that Facebook had breached PIPEDA by sharing Facebook users’ personal information with third-party apps without the users’ consent and by failing to safeguard users’ information. However, this decision relates to an application filed by Facebook in the Federal Court, seeking judicial review of “the [OPC’s] decisions to investigate and continue investigating, the investigation process, and the resulting Report of Findings.”

Decision

The Court dismissed this application on the threshold ground that the application for judicial review was not brought in time, nor was an extension warranted. Nonetheless, the Court went on to address the substantive claims in the event that the decision on the threshold ground was wrong. The Court did not accept Facebook’s submissions that the complainants lacked standing, that the OPC’s investigation lacked a necessary real and substantial connection to Canada or that the investigation resulted in a breach of procedural fairness.
