Appeals Court Concludes that Facebook Failed to Obtain PIPEDA Consent

Want to receive these privacy recaps that matter to consent management, adtech and martech in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

CANADA

Appeals Court Concludes that Facebook Failed to Obtain PIPEDA CoNSENT

A Canada Federal Court of Appeals decision reversed a lower court decision dismissing an action against Meta by the Privacy Commissioner of Canada on the basis that Facebook’s Graph API app programming interface (which allowed third-party apps to receive user information) breached PIPEDA’s requirement to obtain meaningful consent from users prior to data disclosure. Although users installing an app were provided with a notice about which categories of information the app sought to access, a hyperlink to the app’s privacy policy, and the choice to grant or deny the requested permissions (referred to as the Granular Data Permissions, or GDP, process), the appellate court found that meaningful consent was not obtained because Facebook did not adequately inform users of the risks to their data upon signing up to Facebook (including by making users aware that the third-party apps could be bad actors with intentions to ignore Facebook’s policies or local privacy laws or to onward sell their information to other third parties). Further, users’ friends (whose information was also disclosed) did not even have the opportunity to consent to the GDP process.

TAKEAWAY

Under PIPEDA, which requires the knowledge and consent of the individual for the collection, use or disclosure of personal information (with some exceptions), consent is only valid if it is reasonable to expect that the individual would understand the nature, purpose and consequences of the collection, use or disclosure, and organizations are required to make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used in such a manner that the individual can reasonably understand how the information will be used or disclosed.

The court in this case stressed the word “meaningful”, explaining that “the question is not whether there is a provision buried in the terms of service whereby a user can be said to have consented”, but rather “whether consent is meaningful takes into account all relevant contextual factors; the demographics of the users, the nature of the information, the manner in which the user and the holder of the information interact, whether the contract at issue is a one of adhesion, the clarity and length of the contract and its terms and the nature of the default privacy settings. The doctrines of unconscionability and inequality of bargaining power may also be in play. All of these considerations form the backdrop to the perspective of the reasonable person and whether they can be said to have consented to the disclosure.”

Privacy and consent legislation like PIPEDA and Quebec Act 25 are more important than ever to data privacy in Canada and the United States. Watch the on-demand webinar on Navigating Canada Privacy & Consent.

EUROPE

CNIL Issues Fine Over Use of Re-Identifiable Health Data

The French Data Protection Authority (the CNIL) issued an 800,000 euro fine against CEGEDIM SANTÉ based on allegations that the software company collected large amounts of individual health data for research purposes in a manner that was pseudonymous, not anonymous, without obtaining the CNIL’s obligations in accordance with the French Data Protection Act. 

TAKEAWAY

Although this ruling was based on obligations to carry out specific formalities in the health sector, it provides general insight into the CNIL’s assessment of whether data is pseudonymous or anonymous. In this case, the data at issue (which was collected from patients of doctors participating in specific “observatory” program) was linked to a unique identifier for each patient of the same doctor, making it possible to combine data transmitted successively by the same doctor concerning the same patient. The CNIL’s restricted committee (responsible for issuing sanctions) considered that, given the existence of the unique identifier and the depth of particularly detailed data concerning the individual collected by the company, and also taking into account the possibility of combining the data with data held by third parties, the risk that a person’s identity could be traced was too high for the data processed by the company to be considered anonymous. It was therefore considered to be pseudonymous and subject to the regulations.

Increased scrutiny on data collection practices has brought new challenges to legal and marketing teams alike. Check out our guide on connecting Legal and Marketing teams on consent and preferences.

Want more of the privacy highlights that matter for consent management, adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.