Data drama: Meta’s $20 million penalty for misleading and deceptive conduct

03 August 2023

Last Wednesday, the Federal Court imposed a penalty of $20 million against two Meta (née Facebook) entities after an action brought by the Australian Competition and Consumer Commission (ACCC) for misleading or deceptive conduct.

Meta’s ‘Onavo Protect’ app for Apple and Android phones was advertised as a ‘free, fast and secure virtual private network (VPN) to protect personal information’, but the app also allowed Meta to collect a range of data about users of the app, including all apps used and websites visited. The Court accordingly found that the conduct of Meta’s companies which was ‘liable to mislead the public went to the heart of the nature and characteristics of Onavo Protect, given the purpose for which it was promoted’, and imposed a hefty penalty as a result.

The case is the latest example of the ACCC taking an active role in policing misleading or deceptive conduct associated with the collection and use of data, and comes as the Office of the Australian Information Commissioner (OAIC) continues its court action against Facebook for issues associated with the Cambridge Analytica breach.

Between February 2016 and October 2017, Meta (which at the time was Facebook Inc), and its subsidiaries Onavo Inc and Facebook Israel Ltd, offered the Onavo Protect app (Onavo). The Onavo app was available for free on both the Apple App Store and Google Play Store and was downloaded by over 270,000 Australian users.

The Onavo app was advertised as a free VPN service. In simple terms, a VPN uses encryption and other security mechanisms designed to provide secure transmission, across a public or private network, of a user’s app and web traffic. In business settings, a VPN might be used to securely transmit internet traffic from a user’s device back to a corporate network, so that the user can function as if they were in the office.

Commercial VPN services for consumers operate using the same technology to securely funnel all of the user’s internet traffic back to an endpoint operated by the VPN provider. This effectively makes all network activity of the end user appear to originate from the VPN provider’s endpoint, which can plausibly have a number of benefits. That endpoint might be in a different geographic location, allowing the user to look like they are somewhere else. For a user on a shared or public network, it may assist in masking their internet usage from other users or the network operator. In masking the user’s true ‘IP address’, a VPN may also help to prevent online services from building a profile of the user’s web traffic.

However, because a VPN sees all of a user’s traffic funnelled via the service operator, it places that operator in a position to track the online activities of the user.

The Onavo app was marketed as a free way in which consumers could protect their online privacy, with the app listed in the App Store and Play Store using language such as:

“Use a free, fast and secure VPN to protect personal information… add an extra layer of security and data encryption.”

“Onavo Protect: helps keep you and your data safe when you browse and share information on the web.”

However, Meta was in fact utilising the data for its own commercial benefit. This included market research which aided in identifying future business development strategies. The conduct involved Onavo keeping a record of which apps its users were accessing on their mobile phones, how long they spent on each app, and their IP addresses (which can help to determine user location). Additionally, if Onavo users had a Facebook account this data became even more valuable, as Meta was able to tie this usage data to their Facebook profile.

In separate proceedings brought by the US Federal Trade Commission (FTC), the FTC alleged that Facebook used data from Onavo ‘to track the growth and popularity of other apps’, with a view to ‘help us make strategic acquisitions’ which could remove a ‘potential rival’ and ‘frustrate others’ efforts to gain scale’.

There were statements in the Onavo app which explained that ‘we collect the info that is sent to, and received from, your mobile device’ and that ‘Because we’re part of Facebook, we also use this info to improve Facebook products and services, gain insights into the products and services people value, and build better experiences’, but crucially:

The [App Store and Play Store] Listings for Onavo Protect conveyed that Onavo Protect users’ data would only be used for purposes of providing the Onavo Protect VPN and data management services, but did not mention that Onavo Protect also collected and supplied data about Australian users’ online activities to the respondents for other purposes.

Justice Abraham accordingly found that:

The failure to make sufficient disclosures in the Listings for Onavo Protect may have deprived tens of thousands of Australian consumers of the opportunity to make an informed choice about the collection and use of their data before downloading and/or using Onavo Protect… This is in the context where consumers had expected to download an app that would “protect [their] personal information” and “keep [their] data safe” (as promoted in the Listings). The conduct that was liable to mislead the public went to the heart of the nature and characteristics of Onavo Protect, given the purpose for which it was promoted in the Listings.

Given the large number of Australian users of the Onavo app, Justice Abraham commented that ‘the theoretical maximum penalty is in the billions or trillions of dollars’, but that this was not necessarily meaningful in this case.

Her Honour instead was willing to accept the joint submissions of the parties that penalties totalling $20 million, plus $400,000 for the ACCC’s legal costs, would be appropriate ‘bearing in mind the protective and deterrent purpose of a pecuniary penalty’ and would amount to more than ‘merely an acceptable cost of doing business’.

This was not an isolated case

The ACCC is not the only Australian regulator with an interest in Facebook’s conduct with respect to the data of Australian users. The OAIC has proceedings underway under the Privacy Act against Facebook in relation to the Cambridge Analytica scandal, with our latest update detailing recent developments at the High Court.

The Onavo case is slightly unusual compared to that OAIC litigation, given that it involves proceedings which relate to privacy, brought not under the Privacy Act but instead under the Australian Consumer Law by the ACCC.

However, the Onavo case is not alone in this respect, being the latest in a series of cases brought by the ACCC against major digital platform operators for misleading or deceptive conduct in respect of privacy issues. We have previously discussed the ACCC’s successful Court proceedings against Google for issues associated with the collection of location data, and its attempt to bring a similar claim in respect of Google advertising data.

The key takeaway

Ultimately, these decisions show that high-profile data breaches and privacy issues will continue to be closely scrutinised by Australian regulators, and not just the OAIC. As the ACCC chair, Gina Cass-Gottlieb, has commented, the ACCC’s position remains that ‘Australian consumers should be able to make an informed choice about what happens to their data based on clear information that is not misleading.’

This article was written by Daniel Kiley, Partner and Carmen Marino, Law Clerk.
