ANALYSIS: Facebook, Cambridge Analytica, and the Supreme Court — Why Canada Is a Decade Behind on Privacy

2019: The Office of the Privacy Commissioner Finds a Violation

After an investigation, the Office of the Privacy Commissioner concludes that Facebook violated federal law. Not a gray area. Not a generous interpretation. A violation. Facebook disputes the finding. The case goes to the Federal Court.

2023: The Federal Court Rules in Facebook’s Favor

First twist. The Federal Court rules that Facebook did not violate the law. The Office of the Privacy Commissioner, humiliated, appeals.

2024: The Federal Court of Appeal overturns everything

Second reversal. The Federal Court of Appeal overturns the lower court’s ruling and concludes that Facebook did indeed violate PIPEDA by failing to adequately warn its users of the risks to their data. Facebook, in turn, takes the case to the Supreme Court.

March 2026: The Supreme Court hears the case—and remains silent

The one-day hearing was held in Ottawa. The nine justices heard the arguments. And they reserved their decision. In legal jargon, this means they will take time to deliberate. In plain language, it means that 600,000 Canadians whose data was compromised will have to wait a little longer.

The Apple, Google, and All the Others Precedent

David Fraser, a privacy lawyer at McInnes Cooper in Halifax, asks the question that has Silicon Valley on edge: “To what extent is Apple responsible for monitoring each of the thousands—or even millions—of apps on its platform?”

If the Supreme Court confirms that Facebook was responsible for what third-party apps did with its users’ data, the principle will apply to every digital ecosystem: Apple’s App Store, the Google Play Store, every app marketplace, and every platform that allows third parties to access its users’ data.

This is no longer just a Facebook issue. It’s an issue that could redefine the very architecture of Canada’s digital economy.

The specter of TikTok looms over the hearing

The irony of the timing is almost too perfect. While the Supreme Court hears arguments on a decade-old data scandal, the Canadian government has just imposed new restrictions on TikTok—an app whose data collection model makes Cambridge Analytica look like an amateur. Canada is still fighting yesterday’s battle, while tomorrow’s data war is already raging.

PIPEDA: Designed for a World That No Longer Exists

PIPEDA was enacted in 2000. In 2000, Facebook didn’t exist. The iPhone didn’t exist. Cloud computing was an academic concept. Artificial intelligence was the stuff of science fiction. And yet, it is this law—unchanged in its fundamentals—that is supposed to protect Canadians from the algorithmic exploitation of their personal data in 2026.

Michael Geist doesn’t mince words: “We need certainty in Canadian privacy law. We need enforcement.” ” And he’s right on both counts. The current law gives the Office of the Privacy Commissioner no real enforcement powers. No fines. No penalties. Just recommendations that companies can—and this is exactly what Facebook did—blithely ignore.

Parliament is looking the other way

Bill C-27, which was intended to modernize privacy protection in Canada, died on the order paper. The government knows the law is outdated. Experts have been saying so for years. The courts have demonstrated this case after case. And yet, nothing is happening. Geist issues a direct appeal: “It’s high time Canada updated its privacy rules, which are now more than 25 years old.”

And yet, every parliamentary session passes without reform. Every data scandal is followed by statements of intent, then legislative silence.

Cambridge Analytica is dead—but the business model is more alive than ever

Cambridge Analytica went bankrupt in 2018. Its founders were prosecuted. The firm has become a textbook case in digital law programs around the world. But the business model it employed—collecting massive amounts of personal data to target individuals with tailored political messages—has not disappeared. It has been refined.

Election campaigns in 2024 and 2025, all over the world, used microtargeting techniques infinitely more sophisticated than anything Cambridge Analytica could have dreamed of doing in 2014. Generative artificial intelligence now makes it possible to create personalized messages on an industrial scale. And what about the laws supposed to regulate all of this? They date back to a time when the flip phone was considered an innovation.

Six Hundred Thousand Digital Ghosts

Think about it for a second. Six hundred thousand Canadians had their personal data harvested without their consent, sold to a foreign firm, and used to manipulate democratic processes. How many of them know this? How many were individually notified? How many received any compensation at all? The answer to all three questions is the same: practically none.

These people aren’t statistics. They are teachers, nurses, retirees, and students who once clicked on a Facebook quiz and whose digital lives were laid bare without their knowledge.

When “I agree” No Longer Means Anything

The Facebook-Cambridge Analytica case raises a fundamental question that the Supreme Court will have to address: Does consent, as we understand it legally, still have any meaning in a digital ecosystem where data flows are so complex that even the engineers who design them cannot always trace them?

Colleen Bauman, representing the Office of the Privacy Commissioner, clearly articulated the issue before the justices: “It’s about ensuring that people can use social media in a way that gives them control.” But control requires understanding. And understanding requires transparency. And transparency requires laws that mandate it.

Artificial intelligence makes the problem exponentially worse

In 2014, Cambridge Analytica needed a quiz app to collect data. In 2026, AI models can infer your political preferences, your emotional state, and your psychological vulnerabilities based on your browsing history, your “likes,” and your reading times. Data is no longer just collected—it’s generated by algorithms that know more about you than you know about yourself.

The Supreme Court is ruling on a 2014 case using a law from 2000. The digital world of 2026 watches them with growing concern.

Europe took action; Canada debated

The European Union adopted the General Data Protection Regulation (GDPR) in 2016, which has been in effect since 2018. Since then, fines have been pouring in. Meta was fined 1.2 billion euros by the Irish regulator in 2023. Amazon was fined 746 million euros by Luxembourg. Companies know that violating Europeans’ privacy comes at a high cost.

In Canada, the Office of the Privacy Commissioner can issue reports. It can make recommendations. It can raise concerns. What it cannot do is impose a single fine. Not a single dollar. Zero.

Even the United States does better

The United States, though known for its liberal approach to technology regulation, imposed a fine of 5 billion U.S. dollars on Facebook through the FTC in 2019. Five billion. Meanwhile, in Canada, the case was slowly—very slowly—making its way through the judicial system.

There is something deeply troubling about the fact that a country that prides itself on being a champion of human rights is unable to impose financial penalties on a multinational corporation that has violated the privacy of more than half a million of its citizens.

Scenario 1: The Court upholds the finding of a violation

If the Supreme Court upholds the Federal Court of Appeal’s decision, Facebook will be formally found guilty of violating PIPEDA. This would set a major precedent. Every digital platform operating in Canada would have to rethink its chain of liability regarding third-party applications and shared data.

But—and this is the crux of the matter—even a victory before the Supreme Court will not change the fact that the law does not provide for any financial penalties. Facebook could be found guilty and still have absolutely nothing to pay.

Scenario 2: The Court Rules in Facebook’s Favor

If the Supreme Court overturns the appellate court’s decision and rules in Facebook’s favor, the message sent to tech giants will be devastating: in Canada, you can open the floodgates on your data, let third parties exploit it, and as long as you’ve obtained some semblance of consent buried in terms of use that no one reads, you’re in the clear.

This would be a green light for every company that monetizes Canadians’ personal data.

Host or Accomplice?

The question the Supreme Court must decide goes beyond the strict legal framework. It is a philosophical one. Is a platform that allows third parties to access its users’ data merely a technical intermediary, or does it bear responsibility for how that data is used?

Facebook argues it is merely an intermediary. The Office of the Privacy Commissioner argues it bears responsibility. The Supreme Court’s ruling will shape the contours of Canadian digital law for decades to come.

The Business Model Is the Problem

And yet, no one in this courtroom is asking the most fundamental question: Is the business model itself compatible with respect for privacy? Facebook—now Meta—generates nearly all of its revenue through targeted advertising, which relies on the massive collection of personal data. Asking this company to protect its users’ privacy is like asking a casino to discourage gamblers. The very structure of the system makes protection an illusion.

An Office without power is a paper tiger

The Office of the Privacy Commissioner of Canada does remarkable work with the tools at its disposal. But these tools are like toothpicks against bulldozers. Without the power to impose fines, without the ability to impose sanctions, and without real enforcement authority, the Office can only observe, make recommendations, and hope that companies comply.

Compare that to the Irish regulator, which can impose fines of up to 4% of a company’s global revenue. For Meta, that amounts to billions. In Canada, it amounts to zero. For a multinational corporation, the choice between complying with Canadian law and ignoring it isn’t even a choice—it’s a no-brainer.

Citizens, Alone Against the Giants

When 600,000 Canadians see their data siphoned off by a foreign firm to manipulate elections, the very least they should have is concrete recourse. Not reports. Not hearings. Compensation. Sanctions. Consequences.

And yet, ten years after the fact, the only recourse is a legal process that has still not been resolved, before courts that enforce a law that lacks penalties. Canadian citizens are defenseless against the digital giants, and their government has still not provided them with any protection.

Don’t Wait for the Court’s Decision

Michael Geist is right on one crucial point: Parliament should not wait for the Supreme Court’s decision to act. Whatever the outcome of the ruling, the law will remain obsolete. Whatever the judges decide, the Office of the Privacy Commissioner will remain without the power to impose sanctions. Whatever legal interpretation is adopted, Canadians will remain less protected than Europeans, Americans, Australians, or Britons.

The government has a responsibility to act now. Not during the next session. Not after the next election. Now.

What a genuine reform should include

Real authority for the Office of the Privacy Commissioner to impose fines. Mandatory prompt notification requirements in the event of a data breach. An effective right to erasure for citizens. Mandatory audits for platforms exceeding a certain user threshold. And above all, penalties proportional to revenue—because a $100,000 fine for a company that generates 130 billion is not a penalty; it’s a tip.

You can’t make up for lost time

While Canada was debating, the rest of the world was moving forward. While Canadian courts were passing the buck back and forth between jurisdictions, Europe was enacting the GDPR, the United Kingdom was establishing the Information Commissioner’s Office with real powers, and even Brazil was adopting a comprehensive data protection law. Canada, a member of the G7 and a founding nation of the Charter of Rights and Freedoms, has become a developing country when it comes to digital privacy.

The Question That Remains

The Supreme Court will hand down its decision in the coming months. But the real question isn’t whether Facebook violated a 25-year-old law. The real question is why Canada waited for a global scandal, an investigation by the Office of the Privacy Commissioner, two conflicting rulings, and a hearing before its highest court to begin asking itself whether, perhaps, it might be time to protect its own citizens.

Six hundred thousand Canadians are still waiting for an answer. And Parliament’s silence is, in itself, a verdict.

Signed, Jacques PJ Provost