Appeals Court Concludes that Facebook Failed to Obtain PIPEDA Consent
September 16, 2024
Want to receive these privacy recaps that matter to consent management, adtech and martech in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.
CANADA
Appeals Court Concludes that Facebook Failed to Obtain PIPEDA CONSENT
Canada's Federal Court of Appeal reversed a lower court decision that had dismissed an action brought against Meta by the Privacy Commissioner of Canada. The Commissioner alleged that Facebook's Graph API (an application programming interface that allowed third-party apps to receive user information) breached PIPEDA's requirement to obtain meaningful consent from users before their data is disclosed. Users installing an app were shown a notice listing the categories of information the app sought to access, a hyperlink to the app's privacy policy, and a choice to grant or deny the requested permissions (the Granular Data Permissions, or GDP, process). The appellate court nonetheless found that meaningful consent was not obtained, because Facebook did not adequately inform users, at the time they signed up to Facebook, of the risks to their data, including that third-party apps could be bad actors intending to ignore Facebook's policies or local privacy laws, or to sell users' information onward to other third parties. Further, users' friends, whose information was also disclosed, never had the opportunity to consent at all, since the GDP process was not presented to them.
TAKEAWAY
PIPEDA requires the knowledge and consent of the individual for the collection, use or disclosure of personal information (with some exceptions). Under PIPEDA, consent is only valid if it is reasonable to expect that the individual would understand the nature, purpose and consequences of the collection, use or disclosure, and organizations must make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used, in a manner that allows the individual to reasonably understand how the information will be used or disclosed.
The court in this case stressed the word “meaningful”, explaining that “the question is not whether there is a provision buried in the terms of service whereby a user can be said to have consented”, but rather “whether consent is meaningful takes into account all relevant contextual factors; the demographics of the users, the nature of the information, the manner in which the user and the holder of the information interact, whether the contract at issue is one of adhesion, the clarity and length of the contract and its terms and the nature of the default privacy settings. The doctrines of unconscionability and inequality of bargaining power may also be in play. All of these considerations form the backdrop to the perspective of the reasonable person and whether they can be said to have consented to the disclosure.”
Privacy and consent legislation like PIPEDA and Quebec Act 25 are more important than ever to data privacy in Canada and the United States. Watch the on-demand webinar on Navigating Canada Privacy & Consent.
EUROPE
CNIL Issues Fine Over Use of Re-Identifiable Health Data
The French Data Protection Authority (the CNIL) issued an 800,000 euro fine against CEGEDIM SANTÉ based on allegations that the software company collected large amounts of individual health data for research purposes in a form that was pseudonymous rather than anonymous, without completing the formalities required by the CNIL under the French Data Protection Act.
TAKEAWAY
Although this ruling was based on obligations to carry out specific formalities in the health sector, it provides general insight into how the CNIL assesses whether data is pseudonymous or anonymous. In this case, the data at issue (collected from patients of doctors participating in a specific “observatory” program) was linked to a unique identifier for each patient of the same doctor, making it possible to combine data transmitted successively by the same doctor concerning the same patient. The CNIL’s restricted committee (responsible for issuing sanctions) considered that, given the existence of the unique identifier and the depth of particularly detailed data about each individual collected by the company, and also taking into account the possibility of combining the data with data held by third parties, the risk that a person’s identity could be traced was too high for the data processed by the company to be considered anonymous. It was therefore considered pseudonymous and subject to the regulations.
Increased scrutiny on data collection practices has brought new challenges to legal and marketing teams alike. Check out our guide on connecting Legal and Marketing teams on consent and preferences.
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.