Recent legal action by the Office of the Privacy Commissioner of Canada (OPC) will shed light on the Federal Court's willingness to enforce and monitor compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA). On February 6, the OPC filed a notice of application (the Application) in the Federal Court seeking a declaration that Facebook has contravened PIPEDA and various orders that would compel Facebook to bring itself into compliance. 1 Organizations governed by PIPEDA should keep a close eye on the Court's inquiry as well as any eventual order enforcing compliance with the Act.

Background

In March 2018, in response to a complaint, the OPC commenced a joint investigation of Facebook's privacy practices with the Information and Privacy Commissioner for British Columbia. In particular, the investigation concerned Facebook's disclosure of its users' personal information to a third-party application known as "thisisyourdigitallife", which is connected to the widely reported Cambridge Analytica scandal concerning the microtargeting of voters in various election campaigns, including the 2016 US presidential election and the Brexit referendum.

A year later, the OPC found that Facebook failed to obtain valid and meaningful consent from its users and their friends before sharing personal information with the third-party application. It also found that Facebook had inadequate safeguards in place to protect user information. Finally, the investigation concluded that Facebook had failed to take responsibility for the user information under its control. 2 According to the OPC, Facebook had failed to provide it with sufficient evidence about its personal information handling practices to satisfy it of Facebook's compliance with the Act.

Take-away

In the Application, the OPC asks the Federal Court not only for a declaration that Facebook has contravened PIPEDA and an order prohibiting further contravention of the Act, but also for (a) an order requiring Facebook to correct its practices and implement effective measures to obtain and maintain meaningful consent from all users; (b) an order requiring Facebook to specify which technical changes it will make to its practices; (c) an order that the Court will retain ongoing supervisory jurisdiction to monitor and enforce court-mandated compliance measures; and (d) an order requiring Facebook to publish a public notice setting out the corrective measures it has undertaken.

Assuming the Court finds Facebook to be in non-compliance with PIPEDA, the remedies the Court is willing to issue to enforce compliance will be of particular interest to organizations governed by PIPEDA. Few precedents of this nature exist, and certainly none involving such a large and well-known company, so this case will demonstrate the Court's willingness to consider and intervene in such cases by ordering changes to legal and technical elements of an organization's privacy practices. The OPC has long highlighted its lack of enforcement powers under PIPEDA as an impediment to fulfilling its supervisory role and ensuring organizations comply with PIPEDA.

Moreover, as the OPC asks the Court to take on a continuing supervisory role for ongoing monitoring and enforcement of the court-mandated compliance measures, this case will shed light on whether the Court will be willing to take on these extraordinary compliance and monitoring functions in future cases, as courts are often hesitant to remain seized with supervisory compliance programs.

This Application comes at an interesting time for the privacy landscape in Canada. Legislative amendments to PIPEDA are anticipated following the mandate letter sent by the Prime Minister's Office to the Minister of Innovation, Science and Industry in January, which outlines a number of data protection initiatives for the Ministry, several of which involve introducing greater enforcement powers for the OPC, including the ability to make compliance orders and award fines for non-compliance. 3 Additionally, across Canada there are numerous proposed, but as yet uncertified, class actions against Facebook relating to its sharing of user information with third parties.

Footnotes

1 https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-complaints-and-enforcement-process/court_p/na_fb_20200206/

2 https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2019/pipeda-2019-002/

3 https://www.dataprotectionreport.com/2020/01/data-privacy-day-2020-canadian-privacy-law-developments-on-the-horizon/


About Norton Rose Fulbright Canada LLP

Norton Rose Fulbright is a global law firm. We provide the world's preeminent corporations and financial institutions with a full business law service. We have 3800 lawyers and other legal staff based in more than 50 cities across Europe, the United States, Canada, Latin America, Asia, Australia, Africa, the Middle East and Central Asia.


For more information about Norton Rose Fulbright, see nortonrosefulbright.com/legal-notices.
