Notice of Application with the Federal Court against Facebook, Inc.

February 6, 2020

[Text of document filed by the Privacy Commissioner of Canada in Federal Court.]

Court File No.: T-190-20 

FEDERAL COURT

BETWEEN:

PRIVACY COMMISSIONER OF CANADA

Applicant

- and -

FACEBOOK, INC.

Respondent

APPLICATION UNDER paragraph 15(a) of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5.

---

NOTICE OF APPLICATION

TO THE RESPONDENT:

A PROCEEDING HAS BEEN COMMENCED by the applicant. The relief claimed by the applicant appears on the following page.

THIS APPLICATION will be heard by the Court at a time and place to be fixed by the Judicial Administrator. Unless the Court orders otherwise, the place of hearing will be as requested by the applicant. The applicant requests that this application be heard at Ottawa, Ontario.

IF YOU WISH TO OPPOSE THIS APPLICATION, to receive notice of any step in the application or to be served with any documents in the application, you or a solicitor acting for you must prepare a notice of appearance in Form 305 prescribed by the Federal Courts Rules and serve it on the applicant’s solicitor, or if the applicant is self-represented, on the applicant, WITHIN TEN DAYS after being served with this notice of application.

Copies of the Federal Courts Rules information concerning the local offices of the Court and other necessary information may be obtained on request to the Administrator of this Court at Ottawa (telephone: 613-992-4238) or at any local office.

IF YOU FAIL TO OPPOSE THIS APPLICATION, JUDGMENT MAY BE GIVEN IN YOUR ABSENCE AND WITHOUT FURTHER NOTICE TO YOU.

Application

1. The Office of the Privacy Commissioner of Canada (the “OPC” or the “Privacy Commissioner”) makes this Application under paragraph 15(a) of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA” or the “Act”) for an Order, following the issuance of a Report of Findings dated April 25, 2019, regarding a Complaint concerning the personal information handling practices of the Respondent, Facebook, Inc. (“Facebook”).

THE APPLICANT MAKES APPLICATION FOR:

2. A declaration that Facebook contravened Clauses 4.3, 4.3.2, and 4.7 of Schedule 1 and section 6.1 of PIPEDA by:
   1. failing to obtain meaningful consent from Users for the disclosure of their personal information to third-party applications (“Apps”), including specifically with respect to the TYDL App as described below;
   2. failing to make reasonable efforts to ensure that Users had sufficient knowledge to provide meaningful consent for the disclosure of their personal information to such Apps;
   3. not obtaining express consent from Users for the disclosure of their personal information to Apps installed by their Facebook Friends (as defined below); and
   4. failing to adequately safeguard Users’ personal information from unauthorized access and use by Apps, including specifically the TYDL App.
3. An order, in accordance with paragraph 16(a) of PIPEDA, requiring Facebook to correct its practices in order to comply with Divisions 1 and 1.1 of PIPEDA by implementing effective, specific and easily accessible measures to obtain, and ensure it maintains, meaningful consent from all Users (as defined below) for the disclosure of their personal information to all third parties who are given access to its Users’ data by any means (whether the third party is an App developer or operator, advertiser, or other entity) (“Third Parties”) by:
   1. clearly informing Users about the nature, purposes and consequences of disclosure of their personal information to Third Parties and providing such information in a timely manner, in order for Users to meaningfully consent to the use and disclosure of their personal information before or at the time their personal information is used or disclosed;
   2. obtaining express consent from Users when Facebook uses and discloses sensitive personal information;
   3. ensuring that Users can determine, at any time, which Third Parties have access to their personal information, including whether any such App installed by any other User (including the User’s “Facebook Friends” as described herein) has access to any of their personal information;
   4. ensuring that, at any given time, Users are informed of and understand the nature of, purposes for, and consequences of any access given to such Third Parties;
   5. ensuring that Users can alter their preferences so as to terminate or disallow some or all access by such Third Parties to their personal information, without unreasonable effort;
   6. ensuring ongoing monitoring and enforcement of all Third Parties’ privacy communications and practices to ensure compliance with Facebook policies, Facebook’s contractual requirements and requirements under PIPEDA; and
   7. undertaking such further precise measures as counsel may advise and this Honourable Court deems just and appropriate.
4. An order requiring Facebook to particularize the specific technical revisions, modifications and amendments to be made to its practices and to the operation and functions of the Facebook service to comply with the relief sought in paragraph 3 herein, and that Facebook provide in that regard such particulars as are required, to the reasonable satisfaction of the Privacy Commissioner of Canada, for the purposes of ensuring that such revisions, modifications and amendments achieve compliance with Divisions 1 and 1.1 of PIPEDA;
5. An order that the parties return before the Court for purposes of seeking a fully-particularized formal order reflecting the specific revisions, modifications and amendments to be made in order to achieve compliance with Divisions 1 and 1.1 of PIPEDA pursuant to paragraph 4 herein, and for the purposes of seeking the Court’s further determination on any then-remaining dispute as to the sufficiency or necessity of any such particular revision, modification or amendment;
6. An order that the Court retain ongoing supervisory jurisdiction for purposes of monitoring and enforcement of the orders requested herein, and authorizing the parties to return before the Court on notice for purposes of determining any matter in dispute between them with respect to the implementation of the Court’s orders;
7. An order prohibiting Facebook from further using or disclosing any personal information of Users to Third Parties in any manner that contravenes PIPEDA;
8. An order under paragraph 16(b) of PIPEDA requiring Facebook to publish a notice, in a form to be particularized prior to the hearing or in such form as this Court deems proper, of any action taken or proposed to be taken to correct its practices that contravene PIPEDA, whether or not the Court grants an order to correct those practices under paragraph 16(a) of the Act;
9. The Applicant’s costs of this Application; and
10. Such other relief as counsel may request and as this Honourable Court may deem just.

THE GROUNDS FOR THE APPLICATION ARE:

Background

11. Facebook, Inc. Facebook is a global social media company that provides social networking services and products to a claimed 2.45 billion “monthly active users” world-wide. Facebook’s business model includes charging advertisers to promote their messages to precisely targeted segments of Facebook’s User base. Facebook collects and has access to a vast amount of personal information about its Users, which greatly enhances its ability to give advertisers access to uniquely tailored groups of individuals who share common characteristics that may be of interest to them.
12. Anyone with an email address and a date of birth demonstrating that they are 13 years of age or older can create a Facebook profile and gain access to its social network for free, thereby becoming a “User”. Users have the ability, and Facebook encourages and prompts them, to become linked to one another by sending and accepting “Friend requests” to other Users of the social network. By doing so, Users become “Facebook Friends”, and can readily share information with one another, and post media and comments on each other’s Facebook “Timelines” (a page uniquely associated to the individual User, which is centered around a chronological record of their posts). Users can also view and engage with content posted by their Facebook Friends, which Users can choose to make accessible only to their Friends and not to the entire User base or to the public at large.
13. Facebook offers Users a wide variety of tools to identify and describe themselves; display photographs or videos and “tag” them by adding metadata that identifies the individuals portrayed; list their interests, tastes, relationships, location, work and school associations, and a wide variety of other personal or non-personal information; create or participate in “Groups” of Users on topics of shared interest; create and manage “Events”; broadcast live video of their activities in real-time; express their opinions; exchange private or group messages; and display or disseminate information, including personal information, in numerous other ways.
14. Facebook also offers Users access to Apps, mostly made by third-party developers and not Facebook itself, which Users can make use of while on the Facebook platform. The purpose and function of these Apps vary widely, but for example, include: gaming and entertainment Apps; e-commerce Apps; Apps that integrate the User’s other social media accounts; and messaging and private communication Apps. The OPC’s investigation (as described below) focused on Facebook’s activities during a time period when “quiz”-type Apps were widely available on Facebook. Quiz-type Apps generate personalized results based on gathering Users’ responses to a series of specific questions and/or through analysis of content on or arising from the User’s profile. The TYDL App, which is described further below presented itself as a quiz-type App.
15. Through User profiles, and Facebook’s overall operation of the social network and capacity to analyze or “mine” the information it gathers both from Users’ posts and by virtue of their online behaviour, Facebook has ready access to an immense variety and volume of detailed personal information about its individual Users. Examples of the information that Facebook routinely collects include an individual’s name, gender, birthdate, location, place of residence, photographs and comments, other Users’ Facebook pages that an individual “likes” or otherwise engages with, and the other Users with whom they are Facebook Friends. Facebook also has access to and collects a host of behavioural information about Users’ online activities, including data about the websites and apps that they visit or use on their computers, mobile phones and other electronic devices, and the services and functions they use while using those websites and Apps. Facebook collects vast amounts of potentially sensitive personal information of its Users, who number in the billions, and enables and controls the disclosure of such information to millions of Apps. Having created the environment through which it gathers and controls this personal information, and through which it discloses that information to third parties, Facebook has created real risks of substantial privacy breaches.
16. Privacy Commissioner of Canada. The OPC is an independent, impartial Agent of Parliament, with the statutory mandate to promote and protect the privacy rights of Canadians. The OPC has authority over the federal public sector under the Privacy Act, R.S.C. 1985, c. P-21, and over private sector organizations such as Facebook under PIPEDA. The purpose of PIPEDA – and in particular Part 1 entitled “Protection of Personal Information in the Private Sector” – is to establish rules that govern the collection, use and disclosure of personal information by organizations in a manner that recognizes the individuals’ right of privacy with respect to their personal information and organizations’ need to collect, use or disclose personal information for reasonable purposes.
17. A key part of the OPC’s statutory mandate under PIPEDA is to receive and, where appropriate, investigate complaints filed by members of the public that an organization has contravened certain provisions of PIPEDA or recommendations set out in its Schedule 1. After a complaint is filed, the OPC must conduct an investigation of the complaint unless certain circumstances apply. After conducting the investigation, the OPC is required to prepare a report of findings setting out the Privacy Commissioner’s findings and recommendations regarding the subject-matter of the complaint.
18. Through its investigations, reports and recommendations, the OPC’s actions are directed towards ensuring that organizations comply with their privacy obligations under the law. The OPC often focuses on resolving individual complaints and improving privacy practices through negotiation and persuasion. Where appropriate, the OPC has the authority to make broad recommendations to organizations. In the past, such recommendations have included measures designed to help prevent privacy violations or other related problems from recurring.
19. The OPC’s reports of findings and any recommendations it makes do not themselves constitute orders or decisions that legally bind organizations. Rather, in instances where the Privacy Commissioner determines that a complaint under PIPEDA is well-founded and remains unresolved – as in this case – he may take the matter before the Federal Court with the consent of the complainant. When warranted, the Federal Court has, among other powers, the authority to impose binding orders requiring an organization to correct its practices in order to comply with the law.

The Complaints and OPC Investigation

20. On March 18, 2018, the OPC received a complaint about Facebook from three individuals who were Members of Parliament (the “Complaint”).
21. The Complaint arose amid media reports that a British consulting firm, Cambridge Analytica, had accessed the personal information of millions of Facebook Users without their consent via a third-party application known as “This is Your Digital Life” (the “TYDL App”). The TYDL App was presented to Users as a personality quiz. However, the result of using the TYDL App was to grant the TYDL App access to personal information that was then used to develop psychographic modelling for purposes of targeting political messages towards particular segments of the User population. The media reporting became extensive as it was disclosed that Cambridge Analytica was operated by, among others, a well-known American political advisor and that the personal information it acquired had been used for purposes of enhancing the political messaging and targeting capabilities of the successful candidate for the office of President in the 2016 United States federal election. Subsequent media reporting has alleged that the data were also used to enhance similar political targeting and messaging in favour of the “Leave EU Campaign” ahead of the 2016 referendum in the United Kingdom, resulting in the decision of that country to withdraw from the European Union (colloquially known as “Brexit”).
22. The Complaint requested that the OPC investigate Facebook’s compliance with PIPEDA, in relation to the TYDL App and in general, and that the OPC ensure that Canadian Facebook Users’ information had not been compromised and that Facebook was taking sufficient measures to protect Canadians’ private data in the future.
23. The OPC commenced an investigation in respect of the Complaint. In April 2018, the Information and Privacy Commissioner for British Columbia joined the investigation, which proceeded jointly under each office’s respective governing legislation.
24. The OPC’s investigation under PIPEDA had three aspects:
    1. assessing the nature and quality of any consent obtained from Facebook Users who installed Apps, including the TYDL App, and their Facebook Friends whose personal information Facebook disclosed to Apps, including the TYDL App in particular;
    2. assessing any safeguards against unauthorized access, use and disclosure of that information by the TYDL App and other Apps; and
    3. assessing Facebook’s accountability for the personal information under its control.
25. Starting in March 2018, the OPC took a variety of investigative steps over the course of many months, including meeting with and soliciting representations from Facebook on numerous occasions. During the investigation, Facebook advised the OPC that approximately 272 individuals in Canada had installed the TYDL App and that the personal information of approximately 621,889 Canadians had been made available to the TYDL App. As such, those Users’ personal information had been exposed to potential exploitation by Cambridge Analytica.
26. Representatives of the OPC met with Facebook representatives in person on December 14, 2018. At that meeting the OPC informed Facebook of the OPC’s preliminary analysis regarding the matters under investigation, with the intention of starting a discussion that would eventually lead to a resolution of the OPC’s concerns.

The OPC’s Preliminary Report of Investigation, Recommendations and Report of Findings

27. On February 7, 2019, the OPC provided Facebook with a Preliminary Report of Investigation setting out its anticipated findings and recommendations, and the OPC’s understanding of the facts. The OPC gave Facebook an opportunity to provide comments on the Preliminary Report for the OPC’s consideration. Facebook did provide extensive comments.
28. In its Preliminary Report of Investigation, the OPC made a series of recommendations to Facebook to address the PIPEDA contraventions the OPC had identified. These included recommendations that Facebook implement measures, including adequate monitoring practices, to ensure that valid and meaningful user consent is in fact obtained from Users when their personal information is to be shared with an App; that it take measures to ensure that Users are easily able to access information about which Apps have access to elements of their personal information and to readily disallow or terminate such access; and certain other measures.
29. The OPC corresponded and met with Facebook and its representatives and considered Facebook’s representations. Ultimately, Facebook rejected or failed to adequately address all of the OPC’s recommendations.
30. On April 25, 2019, the OPC publicly released its finalized Report of Findings, which concluded that the complaint against Facebook was well-founded and unresolved.
31. As set out in the Report of Findings, and relying mainly on Facebook’s own representations, the OPC found that Facebook:
    1. did not obtain meaningful consent from Users who installed the TYDL App for the disclosure of their personal information to the App, and did not make a reasonable effort to ensure that such Users were given the necessary information to ensure meaningful consent with respect to Facebook’s disclosures to Apps more generally. For example, the OPC determined that Facebook never verified that Apps’ privacy policies provided sufficient information to allow for the meaningful consent of its Users;
    2. did not obtain meaningful consent from Users for disclosures of their personal information to the TYDL App and other Apps as a result of their Facebook Friends installing the Apps. In particular, Facebook sought to rely on overbroad, unclear and conflicting wording in its communications with Users that was insufficient to support meaningful consent;
    3. did not provide for adequate safeguards to effectively protect Users’ personal information; and
    4. was not accountable for Users’ personal information that was under its control.
32. The OPC determined that these deficiencies were in contravention of the fair information principles contained in Clauses 4.3 and 4.3.2 (Consent), clauses 4.7 and 4.7.1 (Safeguards), and 4.1.4(a) (Accountability), established under Schedule 1 of PIPEDA.
33. With respect to Users’ downloads of the TYDL App at any time after June 18, 2015, the OPC determined that Facebook had also failed to comply with section 6.1 of PIPEDA, which came into force as of that date. Section 6.1 provides that an individual’s consent is valid only if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.

This Application

34. At the time the Report of Findings was released publicly, the Privacy Commissioner publicly stated his intention to apply to the Court for an order requiring Facebook to correct its privacy practices to comply with PIPEDA.
35. The OPC’s Report of Findings concluded that Facebook’s practices created a risk to Canadians’ privacy. During the investigation, Facebook and its representatives asserted that it has significantly limited the disclosure to Apps of personal information belonging to Users’ "Facebook" Friends. However, Facebook has not provided to the OPC evidence about its specific and current personal information handling practices sufficient to satisfy the OPC that it is complying with PIPEDA and that the risks that led to the TYDL App privacy breach and that were uncovered in the OPC’s investigation have been remedied. The OPC has concluded that until Facebook corrects its practices to comply with PIPEDA there is, and will continue to be, an ongoing risk that Canadians’ personal information will be disclosed by Facebook to Apps or other Third Parties and used in ways that Users do not know or expect.
36. Pursuant to paragraph 15(a) of PIPEDA, the Privacy Commissioner is entitled to apply to the Court for a hearing in respect of any matter in respect of which the complaint was made, or that is referred to in the Privacy Commissioner’s report, and that is referred to in certain sections of PIPEDA. In such an application, the Privacy Commissioner may seek such orders as are necessary to ensure an organization’s compliance with PIPEDA. Where the investigation arises from a complaint, the Privacy Commissioner requires the consent of the complainant in order to initiate such application. The Privacy Commissioner has obtained such consent to proceed with this application.
37. The matters in respect of which an application may be made do not include Principle 4.1.4 of Schedule 1 to PIPEDA. Accordingly, the OPC’s findings regarding Accountability are not in issue in this application. However, the Privacy Commissioner applies through this Application for remedies in respect of all of the OPC’s other findings.
38. The Privacy Commissioner relies on the Personal Information Protection and Electronic Documents Act, the Federal Courts Act and the Federal Courts Rules, as in force from time to time, and such other legislation as counsel may advise or this Honourable Court deems just.
39. Such further and other grounds as counsel may advise, and this Honourable Court deem just.

THE APPLICATION WILL BE SUPPORTED BY THE FOLLOWING MATERIAL:

40. The affidavit of Michael Maguire, to be affirmed; and
41. Such further and other material as counsel may advise and as this Honourable Court may allow.