There is no evidence that Canadian Facebook users’ personal information was shared with Cambridge Analytica, the Ontario Superior Court held recently in refusing to certify a proposed class action against Facebook arising out of the Cambridge Analytica scandal. This case is not the end of Facebook’s legal challenges, however, as another class action alleging privacy breaches continues. Indeed, the storm of investigations and lawsuits that Facebook was hit with as a result of the Cambridge Analytica scandal provides an important example of the enormous risks faced by organizations that collect, use, and disclose personal information.
In 2018, news that UK consulting firm Cambridge Analytica may have influenced political campaigns by collecting personal data from as many as 87 million Facebook users and selling it to campaigns, including the Trump campaign in the 2016 US election, caused a political shockwave.
Facebook faced a storm of investigations. Facebook’s founder, Mark Zuckerberg, was grilled by a Congressional committee. Facebook itself was fined $5 billion by the US Federal Trade Commission, and £500,000 (the maximum available at the time) by the UK Information Commissioner. In Canada, the Privacy Commissioner found Facebook in breach of its obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA), and later commenced an application in the Federal Court to force Facebook to correct its practices. Facebook also agreed to pay a $9 million administrative monetary penalty under the deceptive marketing practices provisions of the Competition Act on the basis that it misled the public about its privacy practices (see our Comment).
Proposed class actions were also filed against Facebook in the US, Canada, and the UK.
In Ontario, three proposed class actions were initially filed. The competing plaintiffs’ counsel reached an agreement whereby privacy claims against Facebook were split between two class actions (with the third action being stayed). The Donegani action proposed a class consisting of all Facebook users whose personal information was obtained from Facebook by third parties, but excluded Facebook users whose personal information was shared with Cambridge Analytica without their consent. The Simpson action proposed a class consisting of Facebook users whose personal information was shared with Cambridge Analytica.
The Simpson action sought $684 million in damages for the tort of intrusion upon seclusion on behalf of all Canadian Facebook users. The core allegation was that Canadian Facebook users’ personal information was shared with Cambridge Analytica. Facebook contended that there was not even a shred of evidence to support this allegation.
To succeed in establishing the privacy breach as a common issue, the plaintiffs had to adduce some basis in fact, that is, some evidence, that Canadian Facebook users’ personal information was shared with Cambridge Analytica. At best, however, the plaintiff’s evidence showed that this information “may have been” shared, and that there was “no assurance” that it was not shared. There was no evidence, however, that Canadian Facebook users’ personal information was in fact shared with Cambridge Analytica, Justice Belobaba held.
This finding was sufficient to dispose of the certification motion, Justice Belobaba held, since there was no basis in fact for any of the proposed common issues relating to invasions of Canadian Facebook users’ privacy.
Justice Belobaba went on to consider and reject two “Hail Mary passes” thrown by the plaintiff.
The first, termed the “peephole” argument, was that Facebook violated users’ privacy by providing the “thisdigitallife” app unauthorized access to Facebook users’ personal information. The problem with this theory was that carriage over this claim had been granted to the plaintiff in Donegani, and could not be advanced in Simpson.
The second Hail Mary pass, termed the “affiliates” argument, was that the people behind the “thisdigitallife” app were affiliates of Cambridge Analytica. But this was a bald allegation with zero support in the evidence, Justice Belobaba held.
Justice Belobaba also listed an “array of, frankly, compelling arguments” advanced by the defendants, but did not deal with them given that the plaintiff had failed to clear the first hurdle.
The plaintiff is appealing to the Divisional Court.
The denial of certification in the Simpson action does not mean the end of Facebook’s privacy travails, however. The Donegani action continues, and, as Justice Belobaba noted, the peephole argument can be asserted in that action.
The evidentiary burden that a plaintiff must meet to obtain certification of a class action is low; the plaintiff need only show “some basis in fact” to support its allegations. In most cases, this has been an easy standard to meet. This decision, however, points to potential difficulties that plaintiffs in privacy breach class actions may have in meeting even this low burden.
Once a case gets to trial, the plaintiff no longer benefits from a relaxed standard of proof, but must prove the case on a balance of probabilities. In the first data breach class action to go to trial, a Quebec judge dismissed the case because investors whose personal information was potentially exposed when a laptop was left on a train did not suffer any loss beyond the normal annoyances that everyone who lives in society routinely experiences and reluctantly accepts. See: No Damages for Lost Laptop Data Breach, Quebec Court Finds.