OAIC sues Facebook over Australian privacy breaches

OAIC sues Facebook over Australian privacy breaches

Data from more than 300,000 Australian Facebook users may have been accessed and used without authorisation, an investigation by the Office of Australian Information Commissioner (OAIC) has revealed, as it pursues civil litigation against the social media giant.

The OAIC’s case has entered the next phase of litigation this month, with Commissioner Angela Falk’s office serving additional legal documents, via Australia’s Federal Court, to Facebook operations in the US and Ireland, where the company is registered, but not tax domiciled.

Litigation against Facebook was initiated by the Australian Government in March 2018, with the OAIC seeking civil penalties for contraventions of Australia’s Privacy Act 1988.

Commissioner Falk said the personal information of Australian Facebook users was disclosed through the ‘This Is Your Digital Life’ app, often without users’ knowledge nor consent to use the app. Personal information, it is alleged, was then exchanged with third parties for reasons beyond users’ initial consent.

The ‘This Is Your Digital Life’ app is among countless personality quizzes made available through Facebook’s platform.

Personally identifiable information (PII) on the app, it was alleged, may have been disclosed to Cambridge Analytica (CA), a since deregistered data exchange company infamously implicated in several high-profile data privacy breaches. CA, in its partnership with the social media giant, frequently made unauthorised use of personal data for political profiling and information-exchange with its extended third-party network.

Entities operating in Australia are required to meet minimum transparency and accountability thresholds when handling personal information – conditions the OAIC alleges Facebook did not meet.

“We consider the design of the Facebook platform meant that users were unable to exercise reasonable choice and control about how their personal information was disclosed,” Commissioner Falk said.

“Facebook’s default settings facilitated the disclosure of personal information, including sensitive information, at the expense of privacy.”

Among the OAIC’s concerns were Facebook’s handling of personal data, presenting a clear breach of the Australian Privacy Principle 6, which involves the use and disclosure of personal data for secondary purposes.

“Most of those users did not install the app themselves, and their personal information was disclosed via their friends’ use of the app.”

Facebook also failed to take reasonable steps to protect users’ personal information from unauthorised disclosure, in breach of Australian Privacy Principle 11.

Data protection authorities overseas have also investigated Facebook for similar breaches.

Among these, a US Federal Trade Commission investigation enforcement action handed down in July 2019 resulted in a US$5 billion penalty and a settlement requiring changes to Facebook’s privacy and governance practices.

The order required Facebook to exercise greater oversight over third-party apps, including the termination of contracts with app developers that were not certified compliant with Facebook’s platform policies or that had failed to justify their need for specific user data.

Additionally, as part of the settlement, Facebook was required to establish, implement, and maintain a comprehensive data security program. This incorporated encrypted user passwords and regular scans to detect whether any passwords were stored in plaintext.

Mirroring the OAIC’s current case, the Canadian Privacy Commissioner also investigated Facebook in 2018 over privacy breaches resulting from the Cambridge Analytica scandal. A follow-up 2019 investigation, however, alleged the social media company had “outright rejected” the Canadian regulator’s recommendations issued following the scandal.

As a result, the Canadian Privacy Commissioner lodged new proceedings in their Federal Court in February 2020.

The Canadian Commissioner’s “Notice of Application” sought a declaration that Facebook had contravened Canadian privacy laws, and binding orders requiring Facebook to change its practices and comply with the law. Canada had earlier investigated Facebook in 2009.

Last year a settlement was reached between Facebook and the UK Information Commissioner’s office following an investigation into the misuse of personal data in political campaigns. Facebook agreed to pay a £500,000 fine, without admitting liability.