FaceApp and Legal Rights in Canada
|Lawyer||Peter Ruby, Belle Van|
FaceApp was developed in 2017 by Wireless Lab, a company based in St. Petersburg, Russia, and founded by Yaroslav Goncharov. FaceApp has enjoyed viral fame, aided by the introduction of new filters that allow users to look younger or older, and by its use by a number of celebrities, including, Drake, Gordon Ramsey and Carrie Underwood, among many others.
The recent criticisms in both the press and social media are over its privacy, the security of user data and the broad nature of its terms of service.
Similar to many other mobile photo applications, to use FaceApp, users must first consent to the application’s ability to access and use user photos, which are then sent to the company’s servers, processed in the cloud and stored on its servers1. FaceApp’s technology is not new. Various mobile applications already exist that are capable of using technology to manipulate one’s digital face, one of the most popular being Snapchat.
- You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you. When you post or otherwise share User Content on or through our Services, you understand that your User Content and any associated information (such as your [username], location or profile photo) will be visible to the public.
The permissions granted to FaceApp are “nonexclusive”. This is because the user still retains ownership. These rights are perpetual and cannot be revoked. These rights are also “royalty-free, worldwide, fully-paid, transferable sub-licensable license”, meaning that FaceApp can transfer the rights to your user content and information to a third party.
In the event of a change of control of the company (the whole of FaceApp or its assets), user information may be among the items sold or transferred. The company further states that it may access, preserve and share information in response to legal requests to share user information.
All of these rights can last even after a user’s image is deleted from the app. Deleting user content from the FaceApp app does not mean the content is removed from FaceApp services. It may continue to be stored by FaceApp.
Protection of Privacy and Copyright in Canada
In Canada, organizations, both public and private, must follow laws regarding the storage and use of personal information, which include the use of photos and names, to protect against unwanted intrusion into an individual’s private space.
Organizations such as FaceApp are subject to federal privacy law, specifically, the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA protects consumer data across the country and sets out how organizations must handle personal information, including how companies are to handle breaches in security. In addition, every province and territory in Canada has its own form of privacy legislation and an oversight authority.
Under PIPEDA, consent, whether implied or expressed, is required before any personal information is collected, used or disclosed. PIPEDA permits only the collection and use of no more information than necessary for the purpose related to the transaction. The consent itself is only valid if it is reasonable to expect that the individual to whom it is directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information.
FaceApp users provide FaceApp with such a consent to use their content. As stated above, the consent given is wide-ranging and grants FaceApp permission to do essentially whatever it wants with user content and information through a “perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license”. It can, among other things, use, reproduce, modify or even sell a user’s image, name, username, likeness, voice or persona for any purpose, including commercial purposes, such as for a product or advertisement, and it does not have to compensate the user.
PIPEDA only protects consumer data in Canada. Because the images that users upload to FaceApp are processed in the cloud and stored in servers based outside of Canada, the personal information that is transferred to these data servers are not subject to PIPEDA, but rather to the laws of those other countries. However, PIPEDA also mandates that organizations are responsible for personal information, even when its being transferred to a third party and to ensure comparable level of protection while the information is being processed by a third party. The organization remains accountable for the information. In addition, personal information must only be used for the original purpose for which it was collected. The organization must also be transparent about its practices in handling personal information.
The question that concerns many businesses and users is who owns the photos that are uploaded to these social media applications.
Although FaceApp does not own the copyright to your images, it has non-exclusive permission to “use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display” your images. In essence, users have little control over how the images that are uploaded to FaceApp are used.
Proposed Changes to PIPEDA and Canada’s Digital Charter
PIPEDA’s current model has been criticized for lacking effective oversight, enforcement and compliance mechanisms and for not effectively deterring offenders.
On May 21, 2019, as a part of its Digital Charter initiative, the Government of Canada released its discussion paper called, Strengthening Privacy for the Digital Age. In the discussion paper, the Government of Canada proposes to modernize PIPEDA. It seeks to do so by focusing on four key areas:
- enhance individual control over personal information and privacy;
- enable responsible innovation to ensure increased accountability and higher standards of care for privacy and security;
- enhance enforcement and oversight to ensure real consequences for breaches in privacy; and
- clarifying PIPEDA’s obligation through ongoing assessment to ensure it is accessible to individuals and organizations.
If implemented, the Digital Charter initiative would have broader implications on the data-driven, digital global economy by affecting not only PIPEDA, but also introducing changes to the Competition Act, Canada's anti-spam legislation, Telecommunications Act, Broadcasting Act and Radiocommunication Act. However, the Digital Charter is not a legal document and, therefore, has no legal force in Canada. The Government of Canada would have to revise the current legislation and corresponding regulations to bring these principles into action.
As we stated in our earlier article, Record Breaking Proposed Fines Against British Airways and Marriott International Under GDPR, the proposed regime may bring Canada’s privacy regime closer to that of the EU’s more aggressive privacy oversight enforcement framework, General Data Protection Regulations (GDPR), which includes a power for users to ask organizations to delete their personal data.
For further information related to copyright and privacy issues, please contact the authors or any member of our Litigation Group.
1 In a prior version of its app, FaceApp did not make it clear to users that the images they were uploading were being processed in the cloud. As of July 18,
2019, FaceApp published a new version of its app wherein a popup appears providing users using the app for the first time with information in respect
of cloud photo processing in that “[e]ach photo you select for editing will be uploaded to our servers for image and processing and face transformation”.
2 FaceApp has stated: “We accept requests from users for removing all their data from our servers…we recommend sending the requests from the FaceApp mobile app using “Settings->
Support->Report a bug” with the word “privacy” in the subject line. We are working on the better UI for that.”