Facebook Inc. v. Privacy Commissioner of Canada (41538)
On March 19, 2019, the respondent, the Privacy Commissioner of Canada received a complaint under s. 11(1) of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”) which raised concerns about the appellant Facebook’s compliance with the PIPEDA. The concerns were related to Facebook’s practice of sharing Facebook users’ personal information with third-party applications hosted on its platform. The complaint was filed in the context of reports related to a professor at the University of Cambridge, U.K., Dr. Aleksandr Kogan, who launched an application through Facebook’s Platform titled “thisisyourdigitallife” (“TYDL”) in November 2013. Presented to users as a personality quiz, Dr. Kogan could access the personal information of installing users and installing users’ friends. In December 2015, it was reported that user data obtained by TYDL was sold to a corporation named Cambridge Analytica and a related entity, Strategic Communication Laboratories Elections Ltd. (SCL), who, in turn, used the data purchased from Dr. Kogan to help their clients target political messaging to potential voters in the then upcoming presidential election in the United States. When TYDL was launched in 2013, it agreed to Facebook’s Platform Policy and Terms of Service. In 2014, Facebook issued a version 2 (v.2) of its communication protocol, Graph API, under which third party developers could no longer request permission to access installing users’ friends unless the app developer, through an expanded access to additional personal information request, can demonstrate that the data would be used to “enhance the user’s in-app experience”. The process for consideration of expanded access requests was introduced alongside Graph API v.2 as “App Review.” Although Graph API v.2 took effect in 2014, existing apps were given a one-year grace period before complying with the new iteration. When Graph API v.2 was announced, Dr. Kogan’s request for expanded access to additional personal information was denied by Facebook because his intended use, research, would not enhance user experience. Nonetheless, Dr. Kogan continued to collect data under Graph API v.1 with no additional scrutiny from Facebook. As a result, though only 272 Canadians ever installed the TYDL app, Facebook estimates that these installations lead to the potential disclosure of the data of over 600,000 Canadians. In 2015, when the reports became public, Facebook removed TYDL from Platform and asked Cambridge Analytica to delete the user data it had obtained. Facebook did not notify the affected users that their Facebook data had been collected and sold. It was not until 2018 that Facebook suspended Dr. Kogan and Cambridge Analytica from Platform. After receiving the complaint, the Privacy Commissioner investigated and concluded that Facebook failed to obtain valid and meaningful consent for its disclosures to applications and failed to safeguard its users’ information. As a result, in February 2020, the Privacy Commissioner filed a notice of application in the Federal Court claiming that Facebook was in breach of its obligations set out in Schedule 1 pursuant to s. 5(1)(a) of PIPEDA through its practice of sharing Facebook users’ personal information with third-party applications hosted on the Facebook Platform.The Federal Court dismissed the application. The Federal Court of Appeal allowed the appeal and granted the Privacy Commissioner’s application in part.
Argued Date
2026-03-19
Keywords
Privacy — Online social media platform — Obligation to safeguard users’ data — Obligation to obtain meaningful consent from users for disclosure of personal data — Whether application judge erred in finding Privacy Commissioner of Canada did not prove that Facebook failed to get meaningful consent to disclose personal information to third-party apps — Whether application judge erred in finding Privacy Commissioner did not prove that Facebook failed to maintain adequate security safeguards to protect personal information in its possession or custody? — Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, ss. 3, 5(1), 6.1 and ss. 4.3 (principle 3) and 4.7 (principle 7) of schedule 1.
Notes
(Federal) (Civil) (By Leave)
Language
English Audio
Disclaimers
This podcast is created as a public service to promote public access and awareness of the workings of Canada's highest court. It is not affiliated with or endorsed by the Court. The original version of this hearing may be found on the Supreme Court of Canada's website. The above case summary was prepared by the Office of the Registrar of the Supreme Court of Canada (Law Branch).