Litigation 2026

CANADA Trends and Developments Contributed by: Craig Ferris, Laura Bevan, Anna Paczkowski and Codie Chisholm, Lawson Lundell LLP

meaningful consent from users prior to data disclosure and failed in its obligation to safeguard user data.

During the relevant time, there were three layers to Facebook’s consent policies and practices for users:

• platform-wide policies (which included the terms of service and data policy);
• user controls (which included the granular data permissions process); and
• educational resources.

Facebook required third-party apps to agree to its platform policy and terms of service before being granted access to the platform. The platform policy imposed contractual duties on the apps, including to:

• only request user data necessary to operate the app, and only use user’s friends’ data in the context of the user’s experience on the app;
• have a privacy policy telling users what data the app would use and how it will use or share that data;
• obtain explicit consent from a user before using any non-basic information for any purpose aside from displaying it back to the user; and
• refrain from selling or purchasing data obtained from Facebook.

In November 2013, the TYDL app was launched on the platform (and thus agreed to Facebook’s platform policy and terms of service). TYDL was presented to users as a personality quiz. Through the platform, TYDL was able to access the Facebook profile information of every user who installed TYDL as well as the information of every installing user’s Facebook friends. The evidence established that approximately 272 Canadian users installed TYDL, enabling disclosure of the data of over 600,000 Canadians.

User data obtained by TYDL was sold to Cambridge Analytica and a related entity, and the data was used to develop “psychographic” models for the purpose of targeting political messages towards Facebook users leading up to the 2016 US presidential election.

In 2015, Facebook removed TYDL from its platform and asked Cambridge Analytica to delete the data it obtained. Facebook neither notified affected users nor barred the creator of TYDL or Cambridge Analytica from its platform. It was not until 2018 that Facebook suspended the creator of TYDL and Cambridge Analytica from the Facebook platform, following media reports that they had not deleted the data as requested in 2015.

There was no dispute that TYDL breached Facebook’s platform policy by requesting access to user data beyond what it needed to function, by using users’ friends’ data for purposes beyond augmenting the app experience of installing users, and by transferring and selling user data to a third party.

The FCA concluded that the meaningful consent clauses of PIPEDA, along with the statute’s purpose, focus on the perspective of the reasonable person. The FCA continued that the perspective of the reasonable person is framed by the statute, which speaks of a corporation’s need for information. The statute does not speak of a corporation’s right to information. In the FCA’s view, this was a critical distinction. The statute requires a balance not between competing rights, but between a need and a right.

The FCA concluded that there was a fundamental distinction between users and friends of users. Only those who installed the third-party apps, and not their friends, were given the opportunity to directly consent to TYDL’s (or other apps’) use of their data upon review of the app’s privacy policy. Similarly, direct users of third-party apps were able to use the granular data permissions process, through which they were given notice about the information categories the app sought to access, a link to that app’s privacy policy, and the opportunity to grant or deny data permissions. The friends of users could not access the granular data permissions process on an app-by-app basis and could not know or understand the purposes for which their data would be used.
Friends of users were only informed at a high level through Facebook’s data policy that their information could be shared with third-party apps when their friends used these apps. The data policy was too broad to provide effective notice. In the FCA’s view, the data policy offered mundane examples of how those apps may use user data and did not contem-

CHAMBERS.COM
