A recent decision of the Federal Court of Appeal (“FCA”) of Canada reinforces that businesses collecting personal data are liable for privacy violations, even where third parties are involved. The Court confirmed that Facebook violated Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) by:

  • Failing to obtain meaningful consent from users; and

  • Failing to adequately safeguard personal information

when it allowed the third-party app thisisyourdigitallife (TYDL) to access user data through Facebook’s app marketplace between 2013 and 2015.

Meaningful consent requires more than a privacy policy

Overturning a 2023 Federal Court ruling, the FCA held that the lower court erred by failing to define an objective, reasonable expectation of meaningful consent.

While Facebook argued that users read privacy policies before signing up for social media platforms, the Court rejected this as a “dubious assumption” (para. 98). Facebook had warned users that third-party apps were “not part of, or controlled by, Facebook.” However, this was insufficient for the FCA. The real question was whether a reasonable person would have understood that downloading an app through Facebook’s marketplace meant consenting to:

  • the scraping of their own data; and

  • the scraping of their friends’ data,

  to be used in ways that violated Facebook’s own internal rules.

Their answer was no.

Third-party access does not end safeguarding obligations

Between 2013 and 2015, TYDL sold scraped data to Cambridge Analytica for psychographic modelling related to political advertising ahead of the 2016 U.S. election. Data from over 600,000 Canadians was exposed.

Critically for companies operating platforms, marketplaces, or APIs, the Court held that Facebook breached its safeguarding obligations under PIPEDA by:

Inviting millions of apps onto its platform and failing to adequately supervise them. (para. 104)

Why this matters for global tech companies

Safeguarding duties under PIPEDA do not end simply because a user authorizes disclosure to a third party.

For global tech companies operating across borders, the ruling is a reminder that privacy compliance must be built into how products, platforms, or services actually function. Clear explanations, realistic consent flows, and active oversight of third-party access are not optional: they are core obligations.