Aug 9, 2023
Option Consommateurs c. Flo Health Inc., 2022 QCCS 4442
The Superior Court authorized the class action. The defendant had admitted to transferring certain information it collected, including a “unique device identifier.” The Court therefore found that it was not hypothetical or speculative to say that personal and highly sensitive information had been transferred to third parties who had used or may use it for purposes other than the technical operation of the Flo application. The extent to which the combined effect of the disclosure of information along with the unique device identifier allows for the personal identification of the user was held to be an issue to be examined on the merits of the class action.
The courts may, in some circumstances, authorize a class action even where there is some uncertainty as to whether the information disclosed is personally identifiable.
Canada (Privacy Commissioner) v. Facebook, Inc., 2023 FC 533
The Privacy Commissioner of Canada (OPC) investigated a complaint that a third-party application obtained Facebook users’ personal data through the Facebook platform and disclosed it to another third party, Cambridge Analytica. The OPC issued a report concluding that Facebook had breached the Personal Information Protection and Electronic Documents Act (PIPEDA) by sharing Facebook users’ personal information with third-party apps without the users’ consent and by failing to safeguard users’ information. The OPC then brought an application in the Federal Court under paragraph 15(a) of PIPEDA alleging that Facebook breached the Act and seeking a remedy against Facebook.
The Court dismissed the application, finding that the OPC did not discharge its burden to establish that Facebook had breached PIPEDA by failing to obtain meaningful consent. The OPC did not adduce any expert evidence of what Facebook could feasibly have done differently, nor was there any subjective evidence from Facebook users about their expectations of privacy or their appreciation of the privacy issues at stake when using Facebook. The Court stated that, although such evidence may not be strictly necessary, “it would have certainly enabled the Court to better assess the reasonableness of meaningful consent in an area where the standard for reasonableness and user expectations may be especially context dependent and are ever-evolving.” As a result, the Court was left to draw inferences that were not supported by the evidentiary record.
The Court also found that once information was disclosed to a third-party app, Facebook’s safeguarding obligations under PIPEDA were at an end. Further, the Court stated that, even if the safeguarding obligations had applied to Facebook after information was disclosed to third-party applications, there was insufficient evidence to determine whether Facebook’s contractual agreements and enforcement policies constitute adequate safeguards.
On a de novo hearing under section 15(a) of PIPEDA, a breach of the legislation cannot be found in an “evidentiary vacuum.” The OPC bears the burden and is required to lead cogent evidence to establish a breach. Moreover, this decision supports the principle that, once an organization is authorized by a user to disclose information to a third-party app, the organization’s safeguarding duties under PIPEDA are at an end.
Facebook, Inc. v. Canada (Privacy Commissioner), 2023 FC 534
The underlying facts are essentially the same as the facts in the previous summary: the OPC investigated a complaint that a third-party application obtained Facebook users’ personal data through the Facebook platform and disclosed it to Cambridge Analytica. The OPC issued a report concluding that Facebook had breached PIPEDA by sharing Facebook users’ personal information with third-party apps without the users’ consent and by failing to safeguard users’ information. However, this decision relates to an application filed by Facebook in the Federal Court, seeking judicial review of “the [OPC’s] decisions to investigate and continue investigating, the investigation process, and the resulting Report of Findings.”
The Court dismissed this application on the threshold ground that the application for judicial review was not brought in time, nor was an extension warranted. Nonetheless, the Court went on to address the substantive claims in the event that the decision on the threshold ground was wrong. The Court did not accept Facebook’s submissions that the complainants lacked standing, that the OPC’s investigation lacked a necessary real and substantial connection to Canada or that the investigation resulted in a breach of procedural fairness.
Read the full edition: Privacy Jurisprudence Review