Recent legal action by the Office of the Privacy Commissioner of Canada (OPC) will shed light on the Federal Court’s willingness to enforce and monitor compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA). On February 6, the OPC filed a notice of application (the Application) in the Federal Court seeking a declaration that Facebook has contravened PIPEDA and various orders that would compel Facebook to bring itself into compliance.  Organizations governed by PIPEDA should keep a close eye on the Court’s inquiry as well as any eventual order enforcing compliance with the Act.
In March 2018, in response to a complaint, the OPC commenced a joint investigation of Facebook’s privacy practices with the Information and Privacy Commissioner for British Columbia. In particular, the investigation concerned Facebook disclosing its users’ personal information to a third party application known as “thisisyourdigitallife”, which is connected to the widely reported Cambridge Analytica scandal concerning the microtargeting of voters in various election campaigns, including the 2016 US presidential election and the Brexit referendum.
A year later, the OPC found that Facebook failed to obtain valid and meaningful consent from its users and their friends before sharing personal information with the third-party application. It also found that Facebook had inadequate safeguards in place to protect user information. Finally, the investigation concluded that Facebook had failed to take responsibility for the user information under its control.  According to the OPC, Facebook had failed to provide it with sufficient evidence about its personal information handling practices to satisfy it of Facebook’s compliance with the Act.
In the Application, the OPC asks the Federal Court not only for a declaration that Facebook has contravened PIPEDA and an order prohibiting further contravention of the Act, but also for (a) an order requiring Facebook to correct its practices and implement effective measures to obtain and maintain meaningful consent from all users; (b) an order requiring Facebook to specify which technical changes it will make to its practices; (c) an order that the Court will retain ongoing supervisory jurisdiction to monitor and enforce court-mandated compliance measures; and (d) an order requiring Facebook to publish a public notice setting out the corrective measures it has undertaken.
Assuming the Court finds Facebook to be in non-compliance with PIPEDA, what remedies the Court will be willing to issue to enforce compliance will be of particular interest to organizations governed by PIPEDA. In particular, as few precedents of this nature exist, and certainly not for cases involving such a large and well-known company, this case will demonstrate the Court’s willingness to consider and intervene in such cases by ordering changes to legal and technical elements of an organization’s privacy practices. In particular, the OPC has long highlighted its lack of enforcement powers under PIPEDA as an impediment in fulfilling its supervisory role and ensuring organizations comply with PIPEDA.
Moreover, as the OPC asks the Court to take on a continuing supervisory role for ongoing monitoring and enforcement of the court-mandated compliance measures, this case will shed light on whether the Court will be willing to take on these extraordinary compliance and monitoring functions in future cases, as courts are often hesitant to remain seized with supervisory compliance programs.
This Application comes at an interesting time for the privacy landscape in Canada. Legislative amendments to PIPEDA are anticipated following the mandate letter sent by the Prime Minister’s Office to the Minister of Innovation, Science and Industry in January outlining a number of data protection initiatives for the Ministry, several of which include introducing greater enforcement powers for the OPC including the ability to make compliance orders and award fines for non-compliance.  Additionally, across Canada there are numerous proposed, but as yet uncertified class actions against Facebook relating to it sharing user information with third parties.