Facebook data “scraping” claim lacks some basis in fact

The Supreme Court of British Columbia recently dismissed an attempt to certify a class action lawsuit against Facebook after the court found the plaintiffs failed to provide some “basis in fact” for their central allegation – that Facebook engaged in unauthorized data scraping.¹ Highlighting the need for evidence to support central allegations during a certification application, the court found the evidence supporting the plaintiffs’ allegations was overly generalized and it should exercise its gatekeeping function and not allow the action to proceed to the merits.

Background

The case concerned allegations Facebook engaged in unauthorized data “scraping” – which refers to extracting call and text data from users of its applications for its own purposes and without the users’ knowledge or consent. The plaintiffs alleged Facebook had collected call and text message data from users of the Facebook Messenger app on Android smartphones in Canada without consent and then provided that information to unknown third parties. Facebook was alleged to have done so “under the guise of accessing their contacts to supply its friend recommendation algorithm.”

The court described two theories of liability emerging from the allegations: a “front end” claim that Facebook used the proposed class members' allegedly inadequate and uninformed consent to access their “contact list” information to collect and use their call and text data, and a “back end” claim that class members had their call and text data scraped by Facebook’s manipulation of the interactions between the Android OS and the Messenger app.

As supporting evidence for their certification motion, the plaintiffs provided various Facebook press releases, excerpts from a disclosure package that included internal Facebook emails and two expert reports. Both expert reports consisted of answers to questions posed by the plaintiffs that the court found were general with little direct relevance to the matters at issue on the certification application. Facebook provided two affidavits from a software engineering manager it had employed. Part of its evidence was that Facebook had no record of either named plaintiff’s call or text logs uploaded to Facebook servers.

Decision

In dismissing the certification application, the court noted the fundamental flaw in the plaintiffs’ claim was “[an] absence of any evidence to indicate that Facebook used, or misused, the plaintiffs' information for its own benefit.” 

One plaintiff was found to not have even disclosed whether she had the Messenger app on her phone, or had used it in the past. The court found the expert evidence fell short of establishing the central allegations, that various documents appended to a clerk’s affidavit were not appropriately tendered, nor could they be objectively tested and that “the documents relied upon by the plaintiffs on this certification application lend weight to the defendants’ submission that the claim was largely ‘downloaded from the internet,’ rather than being a genuine expression of grievance or loss that warrants invoking the complex, time consuming and expensive mechanisms of a class proceeding.”

The court found the plaintiffs failed to establish a basis in fact to conclude that the proposed common issues were capable of determination on a class-wide basis or that a class proceeding was the preferable procedure. The court noted a claim for breach of privacy under the Privacy Act requires the court to consider the specific context in which an act or conduct occurs and the individual circumstances of the person claiming a breach, both factors that make it difficult to proceed on a class-wide basis. 

Agreeing with other recent decisions, the court held that the plaintiffs had failed to establish any basis in fact to conclude that reasonableness and context could be proved on a class-wide basis. The question of whether Facebook breached the Privacy Act was not determinable on a class-wide basis and not an appropriate or suitable common issue.

Takeaway

This is yet another case in which plaintiffs alleging the improper use of data have been unsuccessful at the certification stage. 

In Simpson v. Facebook, Inc., the certification application failed because there was no evidence any Canadian user’s data was shared as alleged and therefore no justification for a class proceeding. In Setoguchi v. Uber certification was denied on the basis there was no evidence that personal data allegedly obtained due to a breach was used to anyone’s detriment, no evidence of any real (not de minimis) harm and that speculation about a future possibility of loss or harm was insufficient.  

The cases are a welcome trend in the privacy area. They confirm the significance of certification applications as an “important gatekeeping function” particularly where there is no evidence to support the core allegation of alleged harm to the proposed class. While certification remains a low hurdle it is nonetheless a hurdle. Claims that are hypothetical, speculative or over generalized will face scrutiny and may not pass the certification stage.

The author wishes to thank Harris Khan, articling student, for his help in preparing this legal update.