New Frontiers in Canadian Privacy Law
By Laith Sarhan
Two landmark decisions in 2024, Clearview AI Inc. v. Information and Privacy Commissioner for British Columbia (2024 BCSC 2311) and Canada (Privacy Commissioner) v. Facebook, Inc. (2024 FCA 140), provide critical guidance for organizations navigating privacy and AI regulation. These rulings establish new compliance paradigms for extraterritorial jurisdiction and digital consent frameworks.
Extraterritorial Reach: Clearview’s Precedent
In Clearview AI, the BC Supreme Court extended provincial privacy law to foreign entities without physical presence in British Columbia. The court found jurisdiction under BC’s Personal Information Protection Act (PIPA) based on two factors: (1) that Clearview AI was marketing services to BC clients; and (2) that Clearview was collecting facial recognition data from BC residents’ publicly available online images.
This “real and substantial connection” test (applied to privacy law for the first time) signals that any organization harvesting data from BC residents may face PIPA compliance obligations, regardless of corporate headquarters or server locations.
The Court also rejected Clearview’s reliance on the “publicly available information” exemption, emphasizing that bulk scraping of biometric data creates disproportionate risks of harm.
Consent Revolution: Facebook’s PIPEDA Reckoning
The Federal Court of Appeal’s Facebook decision redefined consent standards under PIPEDA, addressing the Cambridge Analytica scandal. Key holdings included:
A. Meaningful Consent Requires Clarity: An objective “reasonable person” standard ensures that consent validity depends on what a hypothetical informed user would understand, not subjective interpretations.
As part of this standard, the Federal Court of Appeal clarified the following prohibited practices:
- Buried disclosures in lengthy privacy policies (Facebook’s 4,300-word Data Policy failed this test)
- Passive consent through default sharing settings
- Vague references to third-party data use in adhesion contracts
This holding pushes companies to innovate in their online digital consent frameworks, moving towards a model of consent that matches what a reasonable user may expect.
B. Unshakable Safeguarding Obligations: The Court rejected Facebook’s argument that safeguarding responsibilities ended when data reached third-party apps. Key failures included:
- Ignoring “red flags” from apps requesting excessive data
- Failing to audit developers’ compliance with privacy policies
- Creating an unmanageable ecosystem of 40,000+ apps while contracting away accountability
The Court's rejection of this contracting away of accountability points to a regulatory trend: a shift from placing the onus on consumers and data subjects to protect their data through consent, towards a model in which data controllers have broader obligations towards their data subjects.
Cross-Canada Enforcement Landscape
These cases, taken together, drive at a compliance baseline with three key features:
- No Digital Exceptionalism: Traditional territorial analysis adapts to borderless data flows
- Consumer-Centric Standards: Complexity no longer excuses obscurity – privacy notices must facilitate genuine understanding
- Chain of Custody Accountability: Data controllers remain responsible for downstream uses, even by third parties
Building Future-Proof Compliance
For enterprises and organizations working with personal information, these decisions demand proactive strategies:
- Revise jurisdictional assessments to consider data subject residency rather than corporate footprints
- Redesign consent workflows using plain-language disclosures tested against the “reasonable person” standard
- Implement AI governance frameworks that document safeguarding measures for training data and model outputs
Organizations should treat these cases as warning shots across the bow – Canadian regulators now wield sharpened tools to enforce privacy rights in algorithmic systems. The path forward requires embedding privacy-by-design into AI development lifecycles, ensuring compliance keeps pace with technological innovation.