Privacy concerns continue to cast a shadow over social media companies where third party applications utilize and integrate their applications on their platforms. In the decision of Canada (Privacy Commissioner) v. Facebook, Inc., 2023 FC 533, the Federal Court dismissed the Privacy Commissioner’s claims that Facebook breached the Personal Information Protection and Electronic Documents Act (PIPEDA). The Privacy Commissioner claimed that Facebook contravened PIPEDA by sharing its users’ personal information to a third party application, “thisisyourdigitallife” (TYDL App), which hosted and integrated its application on the Facebook platform and sold user data to various research firms. Facebook allows third parties to build their applications on its platform and, in doing so, allows third party applications to receive user information when users interact with the applications.  The question of Facebook’s responsibility over the user’s data in the hands of third parties and how these parties utilize that data was a fundamental issue in the case.

The Federal Court held that there was a lack of evidentiary basis to claim that Facebook contravened PIPEDA. The Court clarified the interpretation of “meaningful consent” under PIPEDA as well as Facebook’s safeguarding obligations in disclosing user information to third-party applications.

Obtaining Meaningful Consent

Facebook argued that TYDL App’s act in selling information was not Facebook’s responsibility but was TYDL App’s responsibility instead. The Federal Court agreed and held that organizations like Facebook only have the responsibility to ensure that third parties obtain meaningful consent from their users before disclosing their user’s information. Third parties that use Facebook’s platform are required to agree to their Platform Policy, which sets out policies for third party applications on what kind of Facebook user data they are allowed to request, how much data they are allowed to receive, when user consent will be required, and whether user data can be sold or purchased.

The Federal Court found that the Privacy Commissioner did not have enough evidentiary basis to prove that Facebook had failed to obtain meaningful consent from its users before disclosing their information to TYDL App. In particular, there was no evidence to indicate that users did not understand the privacy issues at stake, and there was no indication on the privacy levels users had expected. Further, there was no expert evidence that showed Facebook could have done anything differently.

Safeguarding User Information

The Federal Court agreed with Facebook’s argument that its safeguarding obligations under PIPEDA end once the user authorizes Facebook to disclose their information to a third party application. Particularly, the Court discussed the difference between disclosing information to a third party, like this instance, versus transferring information to the third party, which would require the organization to remain accountable for the third party’s actions. The Federal Court held that the Privacy Commissioner failed to provide evidence that demonstrated any inadequacy of Facebook’s contractual agreements and enforcement practices.

Obligations for Social Media Platforms

This Federal Court decision is instructive for social media platforms that operate in Canada on how they can better protect their users and safeguard their liabilities. Social media platforms and organizations should ensure they have proper contractual agreements and enforcement practices when it comes to disclosing information to third parties. Further, as social media continues to play a significant role in keeping users connected, these companies should continue to consider the types of privacy risks that may arise when sharing data with third party applications, the kinds of risks that may arise in the process of sharing data, and how these parties may better handle their data.