FaceApp and Legal Rights in Canada

The privacy over our digital information has been a growing topic of concern over the last several years with the popularity of social media platforms. The recent controversy involving the hugely popular photo manipulation application, FaceApp, and its Terms of Use and Privacy Policy, is another example that illustrates the ease by which an increasing number of applications obtain broad and unfettered license to use a user’s image, name and likeness. The myriad of legal implications these concerns highlight are relevant for Canadian businesses and users alike.

FaceApp and its Terms of Use and Privacy Policy

FaceApp was developed in 2017 by Wireless Lab, a company based in St. Petersburg, Russia, and founded by Yaroslav Goncharov. FaceApp has enjoyed viral fame, aided by the introduction of new filters that allow users to look younger or older, and by its use by a number of celebrities, including, Drake, Gordon Ramsey and Carrie Underwood, among many others.

The recent criticisms in both the press and social media are over its privacy, the security of user data and the broad nature of its terms of service.

Similar to many other mobile photo applications, to use FaceApp, users must first consent to the application’s ability to access and use user photos, which are then sent to the company’s servers, processed in the cloud and stored on its servers¹.  FaceApp’s technology is not new. Various mobile applications already exist that are capable of using technology to manipulate one’s digital face, one of the most popular being Snapchat.

FaceApp’s Terms of Use grants to itself very broad rights to use a user’s image and personal information. Under the section “User Content”, FaceApp states, among other things, that the user consents to the following:

• You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you. When you post or otherwise share User Content on or through our Services, you understand that your User Content and any associated information (such as your [username], location or profile photo) will be visible to the public.

The permissions granted to FaceApp are “nonexclusive”. This is because the user still retains ownership. These rights are perpetual and cannot be revoked. These rights are also “royalty-free, worldwide, fully-paid, transferable sub-licensable license”, meaning that FaceApp can transfer the rights to your user content and information to a third party.

In addition, in its “Privacy Policy”, FaceApp states, among other things, that it collects user content, such as photos and other materials, and under the subsection “Sharing of your information”, it states that the company may share user content and information, including, cookies, log files and device identifiers and location data with its affiliates, third-party organizations that provide services to users and third-party advertising partners.

In the event of a change of control of the company (the whole of FaceApp or its assets), user information may be among the items sold or transferred. The company further states that it may access, preserve and share information in response to legal requests to share user information.

All of these rights can last even after a user’s image is deleted from the app. Deleting user content from the FaceApp app does not mean the content is removed from FaceApp services. It may continue to be stored by FaceApp.

Protection of Privacy and Copyright in Canada

The legal implications that FaceApp’s Terms of Use and Privacy Policy raise are not unique to FaceApp. Facebook, Snapchat and Instagram, for example, contain terms of service with some similar language. Each of these social media applications obtain users’ personal identifying information, including, among other things, users’ names, photographs and locations. The collection, use and disclosure of this personal information affect privacy, copyright and moral rights.  Although there is law in Canada that protects these rights, the question is whether there are sufficient protections to address the concerns social media applications raise.

Privacy Rights

In Canada, organizations, both public and private, must follow laws regarding the storage and use of personal information, which include the use of photos and names, to protect against unwanted intrusion into an individual’s private space.

Organizations such as FaceApp are subject to federal privacy law, specifically, the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA protects consumer data across the country and sets out how organizations must handle personal information, including how companies are to handle breaches in security. In addition, every province and territory in Canada has its own form of privacy legislation and an oversight authority.

Under PIPEDA, consent, whether implied or expressed, is required before any personal information is collected, used or disclosed. PIPEDA permits only the collection and use of no more information than necessary for the purpose related to the transaction. The consent itself is only valid if it is reasonable to expect that the individual to whom it is directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information.

FaceApp users provide FaceApp with such a consent to use their content. As stated above, the consent given is wide-ranging and grants FaceApp permission to do essentially whatever it wants with user content and information through a “perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license”. It can, among other things, use, reproduce, modify or even sell a user’s image, name, username, likeness, voice or persona for any purpose, including commercial purposes, such as for a product or advertisement, and it does not have to compensate the user.

PIPEDA only protects consumer data in Canada. Because the images that users upload to FaceApp are processed in the cloud and stored in servers based outside of Canada, the personal information that is transferred to these data servers are not subject to PIPEDA, but rather to the laws of those other countries. However, PIPEDA also mandates that organizations are responsible for personal information, even when its being transferred to a third party and to ensure comparable level of protection while the information is being processed by a third party. The organization remains accountable for the information. In addition, personal information must only be used for the original purpose for which it was collected. The organization must also be transparent about its practices in handling personal information.

Canadians do not have any meaningful control over their personal information and privacy with respect to information contained in applications like FaceApp. Presently, the only method by which a user can regain control over its image and information is by requesting removal of all their data from FaceApp’s servers²,  though there is nothing in its Terms of Use or privacy policy to indicate that FaceApp must comply.

The FaceApp controversy might be overblown in light of similar privacy policies in the applications of other companies, but it highlights that the broad rights its Terms of Use provide is becoming industry standard.

Copyright

The question that concerns many businesses and users is who owns the photos that are uploaded to these social media applications.

In its Terms of Use, FaceApp states that “you retain all rights in and to your User Content, as between you and FaceApp… FaceApp does not claim ownership of any User Content that you post on or through the Services”. This is generic language that states that FaceApp cannot prevent you from using your own content and cannot sue others over your images.

Although FaceApp does not own the copyright to your images, it has non-exclusive permission to “use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display” your images. In essence, users have little control over how the images that are uploaded to FaceApp are used.

Proposed Changes to PIPEDA and Canada’s Digital Charter

PIPEDA’s current model has been criticized for lacking effective oversight, enforcement and compliance mechanisms and for not effectively deterring offenders.

On May 21, 2019, as a part of its Digital Charter initiative, the Government of Canada released its discussion paper called, Strengthening Privacy for the Digital Age. In the discussion paper, the Government of Canada proposes to modernize PIPEDA. It seeks to do so by focusing on four key areas:

1. enhance individual control over personal information and privacy;
2. enable responsible innovation to ensure increased accountability and higher standards of care for privacy and security;
3. enhance enforcement and oversight to ensure real consequences for breaches in privacy; and
4. clarifying PIPEDA’s obligation through ongoing assessment to ensure it is accessible to individuals and organizations.

If implemented, the Digital Charter initiative would have broader implications on the data-driven, digital global economy by affecting not only PIPEDA, but also introducing changes to the Competition Act, Canada's anti-spam legislation, Telecommunications Act, Broadcasting Act and Radiocommunication Act. However, the Digital Charter is not a legal document and, therefore, has no legal force in Canada. The Government of Canada would have to revise the current legislation and corresponding regulations to bring these principles into action.

As we stated in our earlier article, Record Breaking Proposed Fines Against British Airways and Marriott International Under GDPR, the proposed regime may bring Canada’s privacy regime closer to that of the EU’s more aggressive privacy oversight enforcement framework, General Data Protection Regulations (GDPR), which includes a power for users to ask organizations to delete their personal data.

¹ In a prior version of its app, FaceApp did not make it clear to users that the images they were uploading were being processed in the cloud. As of July 18,
2019, FaceApp published a new version of its app wherein a popup appears providing users using the app for the first time with information in respect
of cloud photo processing in that “[e]ach photo you select for editing will be uploaded to our servers for image and processing and face transformation”.

² FaceApp has stated: “We accept requests from users for removing all their data from our servers…we recommend sending the requests from the FaceApp mobile app using “Settings->
Support->Report a bug” with the word “privacy” in the subject line. We are working on the better UI for that.”