Facebook's data transfer to Cambridge Analytica was wrong in Canada after all
Around a decade later, it is clear that Facebook violated Canada's data protection laws by sharing data with Cambridge Analytica. There is no penalty.
(Image: nitpicker/Shutterstock.com)
"... no user provided meaningful consent to all data disclosures by Facebook in the relevant period", says Canada's Federal Court of Appeal in a data protection case following the Cambridge Analytica scandal. This is because Facebook's terms of use are too long and too vague. This means that between 2013 and 2015, Facebook passed on user data without their effective consent. Facebook was able to avoid this finding in the USA and the UK by paying fines; in Canada, this has now been established by the courts. However, this results in a zero-dollar fine.
In addition, the Canadian Federal Court of Appeal found that Facebook did not adequately protect the collected data because it never reviewed the privacy policies of its partners. The court overturns a different ruling by the court of first instance. It remains to be seen whether the new ruling will result in obligations for Facebook. In any case, there will be no fine.
Last year, Canada's data protection appeared to have failed in the Cambridge Analytica case. The Federal Court in Ottawa ruled that the Federal Privacy Bureau had not proven that Facebook had not obtained effective consent from users. Furthermore, Facebook could not be accused of data security because it was not responsible for the use of data by third parties.
Important decisions of principle
The Bureau appealed against this. With success. The Federal Court of Appeal tore the first-instance decision apart and made important fundamental decisions for the monarchy's weak data protection system. These include the fact that, contrary to the lower court's assumption, companies do not have a right to collect data. Canada's data protection law only grants them a need, which must be weighed against the user's right to data protection.
Furthermore, contracts between digital platforms and users are to be interpreted differently than traditional contracts. This is because users have no room for negotiation, they can only nod or opt out.
In addition, the court sets out important guidelines for determining the effectiveness of data protection consents under Canadian law: context, demographic parameters of the respective user, the type of interaction between the user and data processor, whether the contract is negotiated or unilaterally stipulated, the clarity and length of the contract and its clauses, and how any data protection settings are preset. In this regard, the court criticizes Facebook for generally presetting the options in the most privacy-hostile manner. In addition, unconscionability (such as gross disadvantage, immorality) and imbalances in negotiating power over contractual details could also be relevant for assessing the effectiveness of consents.
The Cambridge Analytica scandal
(Image:Â Daniel AJ Sokolov)
The data misuse by Cambridge Analytica, which came to light in 2018, is one of the biggest scandals in Facebook's history. The now insolvent British company Cambridge Analytica had obtained data from 87 million Facebook users in an irregular manner: in 2013, it had published a "survey" app on Facebook under the name thisisyourdigitallife (TYDL), in which several thousand Facebook users took part. However, thanks to the data company's privacy settings at the time, Cambridge Analytica also gained access to information from their 87 million Facebook contacts ("friends"). This data was subsequently misused and sold for manipulative political campaigns.
In Canada, around 272 Facebook users used TYDL. However, this also gave Cambridge Analytica the Facebook data of Facebook friends. Thus, 272 participants provided the data of more than 600,000 Canadians who were never asked. Similarly in other countries: In Italy, for example, 57 participants obtained the data of a further 214,077 unsuspecting Italians.
When the matter came to light, an affected Canadian complained to the Canadian Office of the Privacy Commissioner (OPC). However, the OPC is not allowed to impose penalties, only recommendations. It recommended that Facebook should
- Restrict third-party access to unneeded data,
- inform users about what information an application requires and for what purpose, and
- obtain users' consent to the transfer of this data.
However, Facebook fought back against even these tepid recommendations in court and won at first instance. The Office of the Privacy Commissioner appealed.
