Recent legal action by the Office of the Privacy Commissioner of Canada (OPC) will shed light on the Federal Court’s willingness to enforce and monitor compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA). On February 6, the OPC filed a notice of application (the Application) in the Federal Court seeking a declaration that Facebook has contravened PIPEDA and various orders that would compel Facebook to bring itself into compliance.
The joint investigation of Facebook’s privacy practices
In March 2018, in response to a complaint, the OPC commenced a joint investigation of Facebook’s privacy practices with the information and privacy commissioner for British Columbia. In particular, the investigation concerned Facebook disclosing its users’ personal information to a third-party application known as “thisisyourdigitallife” (the App), which is connected to the widely reported Cambridge Analytica scandal concerning the microtargeting of voters in various election campaigns, including the 2016 US presidential election and the Brexit referendum.
In April 2019, the OPC released the joint investigation’s findings. It found that Facebook failed to obtain valid and meaningful consent from its users and their friends before sharing personal information with the App. It also found that Facebook had inadequate safeguards in place to protect user information. Finally, the investigation concluded Facebook had failed to take responsibility for the user information under its control.
The OPC stated that, during the investigation, Facebook failed to provide evidence about its specific and current personal information-handling practices sufficient to satisfy it of Facebook’s compliance with PIPEDA. Further, Facebook disputed the investigation report’s findings and refused to implement the report’s recommendations. As a result, the OPC states in its Application to the Federal Court that until Facebook corrects its practices, there remains a risk that Canadians’ personal information will be disclosed or used in ways that users do not know about or expect.
The OPC’s notice of application to the Federal Court
The Application, filed pursuant to Section 15 of PIPEDA, asks the court for:
- A declaration that Facebook contravened PIPEDA by disclosing users’ personal information without first obtaining meaningful consent;
- An order requiring Facebook to correct its practices and implement effective, specific and easily accessible measures to obtain and maintain meaningful consent from all users;
- An order requiring Facebook to specify the technical changes it will make to its practices to comply with PIPEDA and to return before the court to have these measures reflected in a formal order;
- An order that the court retain ongoing supervisory jurisdiction to monitor and enforce court-mandated compliance measures;
- An order prohibiting Facebook from further collecting, using, and disclosing users’ personal information in contravention of PIPEDA; and
- An order requiring Facebook to publish a public notice setting out corrective measures undertaken to comply with PIPEDA.
The Application will result in a hearing de novo, meaning the court will hear the matter afresh and will not simply review the OPC’s investigation report. As a result, the OPC will bear the burden of establishing that Facebook did not comply with PIPEDA. It will also have to satisfy the court that the requested remedies are necessary to ensure Facebook’s compliance with PIPEDA. Facebook has already stated publicly it looks forward to defending the many privacy-related improvements it has made to its social media platform.
Assuming the court finds Facebook to be in non-compliance with PIPEDA, the remedies the court is willing to issue to enforce compliance will be of particular interest to organizations governed by PIPEDA. As few precedents of this nature exist, and certainly not for cases involving such a large and well-known company, this case will demonstrate the court’s willingness to consider and intervene in such cases by ordering changes to legal and technical elements of an organization’s privacy practices. Notably, the OPC has long highlighted its lack of enforcement powers under PIPEDA as an impediment in fulfilling its supervisory role and ensuring organizations comply with PIPEDA.
Moreover, as the OPC asks the court to take on a continuing supervisory role for ongoing monitoring and enforcement of the court-mandated compliance measures, this case will shed light on whether the court will be willing to take on these extraordinary compliance and monitoring functions in future cases, as courts are often hesitant to remain seized with supervisory compliance programs.
This Application comes at an interesting time for the privacy landscape in Canada. Legislative amendments to PIPEDA are anticipated following the mandate letter sent by the Prime Minister’s Office to the minister of innovation, science and industry in January outlining a number of data protection initiatives for the ministry, several of which involve introducing greater enforcement powers for the OPC, including the ability to make compliance orders and award fines for non-compliance.
Additionally, across Canada there are numerous proposed, but as yet uncertified, class actions against Facebook relating to its sharing of user information with third parties.