On 9 March 2020, the Office of the Australian Information Commissioner (OAIC) commenced Federal Court proceedings against Facebook Inc and Facebook Ireland Limited (Facebook), alleging serious or repeated contraventions of the Privacy Act 1988 (Act). This is an unprecedented step in the enforcement of Australian privacy laws.
The alleged contraventions occurred amidst the Cambridge Analytica scandal, in which the personal information of up to 87 million Facebook users was collected without their consent and used for political purposes.
Facebook users’ personal information was collected through an app called ‘This Is Your Digital Life’ (App). Only 305,000 Facebook users globally downloaded the App, and were asked if they consented to the collection of their personal information for academic use. However, Facebook allowed the App to collect the personal information of every friend of every individual that used the App. The personal information collected was then bought by Cambridge Analytica, who used it to psychologically profile voters and influence their behaviour in the 2016 US Presidential Election.
The personal information of 311,074 Australians was collected, although only 53 Australians downloaded the App.
Privacy law in Australia
The Act establishes the Australian Privacy Principles (APPs), 13 binding principles that govern the collection, use and disclosure of personal information by businesses (other than small businesses) and Commonwealth Government agencies.
Broadly, it is a breach of the Act to use or disclose personal information for a purpose other than the purpose for which it was collected, unless an exception applies.
Relevantly, APPs 6 and 11 respectively relate to:
- Circumstances in which personal information may be used or disclosed; and
- The protection of personal information from misuse, interference, loss or disclosure.
Under APP 6 specifically, an organisation cannot disclose personal information without consent for a purpose other than that for which it was collected, unless a specific exception applies.
In its Statement of Claim, the OAIC alleges that Facebook breached APP 6 by collecting users’ personal information for the purpose of enabling them to build a social network, but disclosing the information to the App for a different purpose. Each separate disclosure, it argues, constitutes a breach of the Act.
The OAIC further alleges that Facebook breached APP 11 by failing to take reasonable steps to protect users’ personal information, including by not maintaining and reviewing records of the personal information disclosed.
According to the OAIC, Facebook’s default settings left users ‘unable to exercise reasonable choice and control about how their personal information was disclosed’. To modify the default settings and prevent the disclosure of personal information was a complex process, requiring changes to both ‘privacy settings’ and ‘apps settings’.
In addition, the OAIC highlights that Facebook still does not know the nature or extent of the personal information that it disclosed to the operators of the App.
The OAIC characterises Facebook’s behaviour as an unacceptable outsourcing of its responsibility to protect personal information to users and third party app operators.
Given the unprecedented nature of this action, it will be particularly interesting to see how the Court calculates a penalty in the event that it finds against Facebook.
The Federal Court can impose a civil penalty of up to $1.7 million for each serious or repeated interference with privacy, but has not been called to do so previously. We are accordingly left to speculate as to how these penalties might be applied.
The OAIC has specifically alleged that ‘On each occasion on which Facebook disclosed the personal information of the Affected Australian Individuals to the “This is Your Digital Life” App, it breached the Privacy Act’, and that Facebook engaged in further breaches of the Act, including by failing to take appropriate security steps. If the Court found each of these disclosures to be a serious interference with privacy, Facebook could be found to have contravened the Act several hundred thousand times. The Court would then have a very wide discretion as to penalty, with a theoretical maximum in the hundreds of billions of dollars, though there is little precedent for how that discretion might be exercised in privacy matters.
Recent privacy law developments
While the OAIC has to date typically taken a more educational and conciliatory approach to regulation, it may have been emboldened to enforce Australia’s privacy laws by recent activity in this space, including:
- Similar regulatory action against Facebook overseas;
- Proceedings relating to Google’s collection of personal location data commenced by the ACCC last year; and
- The government’s response to the Digital Platforms Inquiry, which acknowledged the need for greater protection of Australians’ personal data.
Similar regulatory action overseas
The UK Information Commissioner’s Office fined Facebook £500,000 over the Cambridge Analytica scandal, the maximum fine available under the Data Protection Act 1998 (the legislation in force at the time of the conduct). Facebook initially appealed, but in 2019 agreed to pay the fine.
Meanwhile, Facebook paid a penalty of $US5 billion to the US Federal Trade Commission in settlement of charges that it deceived users about their ability to control their personal information.
In October 2019, the ACCC commenced proceedings against Google, claiming that the company’s collection of users’ personal information was in breach of the Australian Consumer Law (ACL).
Rather than enforcing privacy-specific laws, the ACCC has relied upon the general prohibitions against misleading and deceptive conduct in the ACL. It argued that Google had made misrepresentations about its collection and use of personal location data, and misled consumers by failing to disclose that both the ‘Location History’ and ‘Web & App Activity’ settings had to be turned off to prevent Google from keeping their location data.
The ACCC suggested that consumers would have believed that, by turning off the ‘Location History’ setting, they had done all they needed to do to stop Google from collecting their location data.
Digital Platforms Report
The government’s response to the ACCC’s Digital Platforms Inquiry Final Report was released late in 2019, focussing heavily on the commercial activities of Google and Facebook. We previously reported on the ACCC’s findings here. In its response, the Government acknowledged the need for privacy protections to evolve to reflect the technologies they regulate.
Relevant steps the Government is taking in response to the inquiry include:
- A broadened review of the Act, which will consider the introduction of a direct right of action for individuals whose privacy has been interfered with; and
- The implementation of a Privacy Code that is binding on online platforms that trade in personal information.
The far-reaching report also included proposed changes across areas including media, terrorism, intellectual property, competition and consumer protection.
These changes are yet to come into force, although it should be noted that future privacy breaches are likely to be governed by amended laws.
Should the OAIC’s Federal Court action against Facebook proceed to judgment, the decision will provide valuable judicial guidance in a seldom litigated but increasingly important area of law.
In addition to clarifying the obligations that apply when collecting, holding and disclosing personal information, a judgment in this matter would provide guidance on what constitutes a serious interference with privacy and the basis on which penalties are calculated.
In the interim, the proactive action taken by the OAIC and the ACCC shows a clear increase in the scrutiny and accountability expected of organisations holding large volumes of personal information.
We will continue to provide updates as these matters progress.
This article was written by Luke Dale, Partner, Daniel Kiley, Special Counsel and Kelly Williamson, Law Graduate.