The issue of whether Facebook, Inc., now known as Meta Platforms Inc. (Facebook), acted in contravention of the federal privacy legislation in connection with a third-party application which collected and used information of Facebook users, will be heard by the Supreme Court of Canada, on March 19, 2026.
The Supreme Court of Canada will consider two key issues that could impact the privacy obligations of organizations under the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (PIPEDA). The first issue concerns the requirements for obtaining meaningful consent for the collection, use and disclosure of personal information. The second issue concerns the extent to which an organization must monitor third parties to which it discloses personal information.
Background
The dispute between the Office of the Privacy Commissioner of Canada (Commissioner or OPC) and Facebook began in 2018 with a complaint involving a third-party application, "thisisyourdigitallife" (TYDL App), which reportedly collected data from over 600,000 Canadians through Facebook. According to a joint investigation by the OPC and the Information and Privacy Commissioner for British Columbia (Joint Investigation), the information collected by the third-party application was shared with Cambridge Analytica Ltd. (Cambridge Analytica), as well as its related firm, SCL Elections Ltd., to generate psychographic profiles to facilitate targeted political advertising. The TYDL App was accessible through the Facebook application platform (Platform) from November 2013 to December 2015 and collected data from Facebook users who installed the TYDL App (Users) as well as data about those Users' friends who had not installed the TYDL App (Friends of Users).
The Joint Investigation into Facebook
On April 25, 2019, the OPC released its findings in relation to its Joint Investigation into Facebook's compliance with PIPEDA and the Personal Information Protection Act (British Columbia). The OPC and the Privacy Commissioner for British Columbia found that Facebook: (i) failed to obtain valid and meaningful consent from Users or from Friends of Users before disclosing their personal information; (ii) had inadequate safeguards to protect the personal information of Users and Friends of Users; and (iii) failed to be accountable for the user information under its control.
The Federal Court
On April 13, 2023, the Federal Court dismissed the Commissioner's application against Facebook. The Application Judge found that the Commissioner did not meet its burden regarding the issue of whether Facebook (i) obtained meaningful consent from Users and Friends of Users when sharing their personal information with third-party applications, or (ii) adequately safeguarded user information. For more information on the Federal Court's decision, see our previous blog post Federal Court Dismisses Commissioner's Application In Facebook Privacy Case.
The Federal Court of Appeal
On September 9, 2024, on appeal from the Commissioner, the Federal Court of Appeal overturned the Federal Court's decision and held that Facebook had acted in contravention of PIPEDA. Specifically, the Federal Court of Appeal held that Facebook failed: (i) to obtain meaningful consent from Users and Friends of Users when disclosing their personal information to third-party applications and (ii) "to adequately monitor and enforce the privacy practices of third-party apps operating on the Platform".
On the issue what is 'meaningful consent', the Federal Court of Appeal held that this is to be assessed objectively, based on what a reasonable person would understand the nature, purposes, and consequences of the disclosure to be, rather than on subjective evidence or expert testimony. Applying this objective standard, the Court concluded that the consent obtained was not meaningful, including for the following reasons:
- Friends of Users: While they were generally informed (through the Facebook Data Policy) that their information could be shared with third party applications when their friends used these applications, they were not given an opportunity to directly consent to TYDL App's use of their data, and were unable to review TYDL App's data policies prior to the disclosure of their information to the third party (Cambridge Analytica). The Federal Court of Appeal held that the language used in the Data Policy was too broad to be effective and form meaningful consent.
- Users: Were able to manage data permission using Facebook's data permission tool, and were required to accept the Terms of Services, which incorporated Facebook's Data Policy by reference. The Data Policy informed Users that third-party applications were not controlled by Facebook and advised Users to review third-party terms. The Federal Court of Appeal found that (i) acceptance of the Facebook's Terms of Services, which incorporated Facebook's Data Policy by reference did not constitute meaningful consent; and (ii) although Users were technically notified that third-party applications were not controlled by Facebook and advised to review third-party terms, a "reasonable user" would expect Facebook to implement robust preventive measures against bad actors, which the Federal Court of Appeal found Facebook failed to do. The Federal Court of Appeal further noted that "terms that are on their face superficially clear terms do not necessarily translate into meaningful consent. Apparent clarity can be lost or obscured in the length and miasma of the document and the complexity of its terms". The Terms of Services were approximately 9,100 words in length, and the Data Policy approximately 4,500 words.
On safeguarding obligations, the Federal Court of Appeal held that Facebook failed to adequately monitor and enforce the privacy practices of third-party applications operating on its Platform, despite having "invited millions" of such applications onto it. In particular, the Federal Court of Appeal held that Facebook failed to: (i) review the content of third-party applications' privacy policies; (ii) act on identified red flags, including requests for unnecessary information that Facebook itself had flagged as problematic; (iii) notify affected users when it became aware that the TYDL App had scraped and sold Users' and Friends' data, contrary to Facebook's policies; and (iv) ban Cambridge Analytica or the creator of the TYDL App from its Platform in a timely manner.
While both the Federal Court of Appeal and the Federal Court held that the safeguarding principles deal with an organization's "internal handling" of data, rather than post-disclosure monitoring of data, the Federal Court of Appeal found that Facebook had a regulatory duty to safeguard user information and failed to take sufficient care to ensure the data in its possession prior to disclosure was safeguarded. The Federal Court of Appeal held that "Facebook is entitled to rely on the good faith performance of contracts, but only to a point", and knowing that there may be "bad actors" using the platform, Facebook should have taken further measures to monitor third-party contractual compliance.
The Supreme Court of Canada
On June 12, 2025, the Supreme Court of Canada granted Facebook leave to appeal. The issues before the Supreme Court of Canada are as follows:
- Did Facebook obtain meaningful consent to disclose personal information to third-party apps?
- Did Facebook fail to maintain adequate security safeguards to protect personal information in its possession or custody?
Key Issues at Stake
The Supreme Court of Canada's decision could have a significant impact on the requirements imposed on organizations regarding how to obtain meaningful consent, particularly in the online context, and on the scope and nature of their obligations to adequately safeguard personal information when disclosing data to third parties. Below are issues the Supreme Court of Canada may address or contemplate during its review.
- What constitutes "meaningful consent", particularly in the context of online collection, use and disclosure: A key issue may be what is required to establish meaningful consent in a complex digital environment.In particular, should the type or nature of an organization's activities, its business model, length and clarity of the privacy related notices, default settings, inequality of bargaining power and type of contract (adhesion contract) be considered when assessing meaningfulness of consent?
- Safeguarding Obligations: This appeal also raises questions about the scope of an organization's responsibility when personal information is disclosed to a third party. The Supreme Court of Canada is expected to comment on whether organizations have a proactive duty to implement and maintain safeguards in connection with third-party disclosure, including obligations to monitor third-party compliance, enforce contractual privacy commitment, respond to red flags and ensure that internal processes do not facilitate unauthorized access or misuse.
If you have any questions about the possible implications this case may have for your organization, the Bennett Jones Privacy & Data Protection group is available to assist.
