Facebook v. Privacy Commissioner of Canada: Why Canadians Need to be Concerned

The recent decision from the Federal Court of Appeal in Canada (Privacy Commissioner) v. Facebook, Inc., 2024 FCA 140, should make Canadians, particularly those who are social media users, concerned. The case is a landmark in the Canadian privacy law realm, addressing two core obligations on social media corporations: (1) obtaining meaningful consent before collecting, using, or disclosing personal information, and (2) implementing adequate safeguards once data is collected.

The ruling reversed a Federal Court decision dismissing the Privacy Commissioner of Canada’s application alleging that Facebook, Inc. (now Meta) had breached the Personal Information and Protection and Electronic Documents Act (PIPEDA) by sharing Facebook users’ personal information with third-party apps. It has significant implications for digital platforms and other organizations handling personal information. The Federal Court of Appeals’ decision is now under challenge at the Supreme Court, and its decision in 2026 will be pathbreaking for Canadian privacy law – and perhaps other common law jurisdictions grappling with similar issues.

Overview

The Office of Privacy Commissioner (the “OPC”) conducted an investigation following a 2018 complaint about Meta Platforms Inc.’s (“Facebook”) unauthorized disclosures of Canadian user data via the “thisisyourdigitallife” (“TYDL”) app. Between 2013 and 2015, the app collected information not only from users who installed it (~272 Canadians) but also from their “Facebook friends” without consent, affecting over 600,000 Canadians.

The OPC submitted an application under section 15 of PIPEDA to appear in the hearing against Facebook and seek a declaration 15 of PIPEDA to appear in the hearing against Facebook and seek a declaration not adequately safeguard user data. The Federal Court dismissed the application in 2023, finding insufficient evidence that Facebook had breached PIPEDA.

Subsequently, when the matter was appealed at the Federal Court of Appeal, the court overturned this decision of the Federal Court in September 2024. It found that Facebook violated the law and requiring remedial reporting. Facebook subsequently sought leave to appeal to the Supreme Court of Canada (docket 41538), which was granted in June 2025.

The Federal Court had inquired into two key legal issues:

1. Did Facebook obtain consent sufficient under PIPEDA clause 4.3.2?
2. Did Facebook take reasonable steps to protect personal information, especially in relation to third-party app access?

The Federal Court found that the OPC had failed to discharge its burden on both these questions. Essentially, there was an “evidentiary vacuum” because there was insufficient evidence to establish that a PIPEDA breach had occurred.

However, the Federal Court of Appeal expressed disagreement with the Federal Court’s holding, finding that there was sufficient “probative evidence”, including Mark Zuckerberg’s own testimony that “most people do not” read or understand the platform’s Terms of Service and Data Policy.
On safeguarding, the Federal Court of Appeal rejected the view that Facebook’s obligations ended once data was shared with third-party apps. It found that:

• Facebook’s oversight of third parties was inadequate – it verified the existence but not the substance of privacy policies, accepted excessive data requests, and delayed remedial actions after the Cambridge Analytica disclosures.

The Court also emphasized that safeguarding obligations evolve with technology and risk. Compliance is not static; organizations must continuously monitor and adjust controls.The ruling is crucial in that it establishes that consent standards are higher than mere “I accept” checkboxes. Users and indirectly affected individuals must understand what they are consenting to. Further, ongoing safeguards are mandatory, especially when third parties are involved.

PIPEDA is not merely a latent legislative measure. It protects privacy as a right, requiring proactive organizational measures.

Key Insights

The case is now before the Supreme Court of Canada, which may refine the “reasonable person” framework and the extent of safeguarding obligations, particularly within the platform or the application, and in cross-border contexts. Organizations should anticipate potential new standards for consent, disclosure, and monitoring. For practitioners, this means simplifying consent processes, clearly disclosing data practices, auditing third-party access, and documenting internal risk assessments.The case highlights the evolving requirements for meaningful consent and safeguards under PIPEDA. The Federal Court of Appeal has signalled that digital platforms cannot hide behind complex policies or passive consent mechanisms. Transparency, accountability, and proactive governance are essential.

This will be a case to watch for in 2026, meanwhile, as the Supreme Court’s ruling remains pending, the Federal Court of Appeal decision already provides a roadmap for organizations to reassess consent processes, third-party oversight, and privacy compliance strategies.

Our Lawyers Can Help With Online Privacy Issues

Perley-Robertson, Hill & McDougall LLP’s lawyers, including author Priyanka Preet, are available to assist.