Need to know
- The Office of the Australian Information Commissioner has laid charges against Facebook in the wake of the Cambridge Analytica scandal
- OAIC says users "were unable to exercise reasonable choice and control about how their personal information was disclosed"
- It's the first time OAIC has sought civil penalties through the Federal Court for contraventions of the Privacy Act
It's a fact that doesn't seem to be well understood by the world's tech giants: any business operating in Australia has to adhere to Australian privacy laws.
That includes the obligation to protect the personal information of customers.
The principle will soon be put to the test in the case of the Australian information commissioner versus Facebook, and the world will be watching.
On 9 March the Office of the Australian Information Commissioner (OAIC) announced it had lodged proceedings against Facebook in the Federal Court.
The case goes back to the Cambridge Analytica scandal, in which the personal data of about 87 million Facebook users was accessed without authorisation from March 2014 to May 2015 through the 'This is Your Digital Life' app.
Among the millions were about 311,127 Australian Facebook users.
"We consider the design of the Facebook platform meant that users were unable to exercise reasonable choice and control about how their personal information was disclosed," privacy commissioner Angelene Falk said in a statement.
"Facebook's default settings facilitated the disclosure of personal information, including sensitive information, at the expense of privacy."
The Federal Court in Australia can impose a penalty of up to $1.7 million for each serious or repeated breach of the Privacy Act.
"This is the first time the OAIC has sought civil penalties through the Federal Court for contraventions of the Privacy Act 1988 and follows a detailed investigation, including cooperation with our international counterparts," an OAIC spokesperson tells CHOICE, adding that "this matter remains active internationally".
The OAIC investigation started in April 2018, around the same time that the Canadian privacy commissioner opened a similar investigation.
The Canadians made recommendations that were rejected or not adequately addressed by Facebook, and the Canadian privacy commissioner also lodged proceedings in the Canadian Federal Court in February this year. Canada previously investigated Facebook in 2009.
Legal action around the world
The OAIC case is just one of many. Here's how two other prominent cases panned out:
- In October 2019 a settlement was reached between Facebook and the UK information commissioner's office as a result of an investigation starting in 2017. Facebook agreed, without admitting liability, to pay a £500,000 fine.
- A US Federal Trade Commission (FTC) investigation, prompted by the breach of a 2012 FTC order, resulted in a July 2019 settlement of $US5 billion and changes to Facebook's privacy and governance practices. The settlement is awaiting finalisation in the US District Court. Again, Facebook has not admitted any wrongdoing.
A ‘This is Your Digital Life’ app on Facebook opened the door to 87 million users' personal data.
Facebook says it's cooperating
We reached out to the California-based tech giant and were told it was working with OAIC.
"We've actively engaged with the OAIC over the past two years as part of their investigation. We've made major changes to our platforms, in consultation with international regulators, to restrict the information available to app developers, implement new governance protocols and build industry-leading controls to help people protect and manage their data. We're unable to comment further as this is now before the Federal Court," a Facebook company spokesperson tells us.
Facebook declined to respond to our questions about whether it would accept a Federal Court verdict rendered in Australia and pay any fines that may be imposed, and whether it embraced the principle of adhering to the privacy laws in the various jurisdictions in which Facebook is used.
In a series of follow-up questions to OAIC, we asked how confident the agency is that an Australian court can compel Facebook to pay fines if it's found culpable.
OAIC declined to respond on the grounds that the matter is before the courts.