“…no user gave meaningful consent to all data disclosures by Facebook in the relevant period,” says Canada’s federal appeal court in a data protection case arising from the Cambridge Analytica scandal, because Facebook’s terms of use are too long and too vague. This means that between 2013 and 2015, Facebook passed on users’ data without their effective consent. Facebook was able to avoid this finding by paying fines in the United States and Great Britain; it has now been legally acquitted in Canada. However, this results in a zero-dollar fine.
In addition, the Canadian Federal Court of Appeal found that Facebook did not adequately protect the data it collected because it never examined the privacy policies of its partners. The court overturned a ruling from the first instance. It remains to be seen whether the new ruling will impose conditions on Facebook. In any case, there will be no fines.
Last year, Canada’s data protection appeared to fail in the Cambridge Analytica case. The Federal Court in Ottawa ruled that the Federal Data Protection Bureau had not proven that Facebook had failed to obtain effective consent from users. Moreover, it held that Facebook could not be blamed for data protection failures because it is not responsible for the use of data by third parties.
Important substantive decisions
The bureau appealed against this, successfully. The Federal Court of Appeal overturned the first instance decision and made fundamental decisions important to the monarchy’s poorly developed data protection system. This includes the fact that, contrary to the lower court’s holding, companies have no right to collect data. Canada’s data protection law merely gives them a requirement, which must be weighed against the user’s right to data protection.
In addition, contracts between digital platforms and users should be interpreted differently from traditional contracts, because users have no room for negotiation; they can only nod or leave.

In addition, the court provides important guidelines on how to determine the effectiveness of data protection consent under Canadian law: the context, the demographic parameters of the relevant user, the nature of the interaction between the user and the data processor, whether the contract is negotiated or imposed unilaterally, the clarity and length of the contract and its clauses, and how any data protection settings are pre-determined. In this regard, the court generally criticized Facebook for pre-determining options in the most data-protection-hostile way possible. In addition, immorality (e.g. gross harm, unethicality) and imbalances in negotiating power over contract details may also be relevant to assessing the effectiveness of consent.
Cambridge Analytica Scandal
AggregateIQ, the Canadian Cambridge Analytica subsidiary, had offices in this house in Victoria, British Columbia until the scandal broke. AggregateIQ continues to operate in the policy consulting business.
(Image: Daniel AJ Sokolov)
The misuse of data by Cambridge Analytica, which became known in 2018, is one of the biggest scandals in Facebook’s history. The now bankrupt British company Cambridge Analytica illegally obtained data from 87 million Facebook users: In 2013, it published a “survey” app called thisisyourdigitallife (TYDL) on Facebook, in which several thousand Facebook users participated. But thanks to the data company’s privacy settings at the time, Cambridge Analytica had access to information from their 87 million Facebook contacts (“friends”). This data was later misused and sold for manipulative political campaigns.
In Canada, about 272 Facebook users used TYDL. But this also gave Cambridge Analytica access to the Facebook data of their Facebook friends. Through the 272 participants, it obtained data on more than 600,000 Canadians who were never asked. The same happened in other countries: for example, in Italy, 57 participants provided data on an additional 214,077 Italians.
When the matter was discovered, an affected Canadian complained to the Canadian federal data protection bureau (Office of the Privacy Commissioner, OPC). However, the OPC is not allowed to impose fines; it can only make recommendations. It suggested that Facebook please
- restrict third-party access to unnecessary data,
- inform users about what information an application needs and for what purpose, and
- obtain users’ consent to transfer this data.
But Facebook fought even these weak recommendations in court and won at first instance. The Office of the Privacy Commissioner took legal action.
