Australian privacy watchdog takes Facebook to court over Cambridge Analytica data breaches

Australia’s Information and Privacy Commissioner is taking Facebook to court, alleging serious privacy breaches that saw the personal data of more than 300,000 local consumers potentially disclosed to Cambridge Analytica for political profiling.

The latest proceedings allege the personal data of about 311,127 Australian Facebook users was disclosed to the ‘This is your digital life’ app for purposes that contradicted disclosed usage and breached the Privacy Act 1988. The privacy watchdog also alleges this data was exposed to be sold and used for a range of purposes well outside what consumers were aware of, including political profiling.

According to court documents lodged by the Australian Information Commissioner, the period in question is from 12 March 2014 to 1 May 2015.

The local court proceedings are the latest in a swathe of legal and regulatory proceedings launched off the back of the Cambridge Analytica scandal, which saw the personal information of up to 87 million people globally illegitimately collected and used for purposes outside their consent.

In response, Facebook banned the data analytics provider and its parent company, Strategic Communication Laboratories, which subsequently collapsed under what has become the biggest data leak in the social media company’s history. It also triggered a wave of data, API and policy changes by Facebook aimed at shoring up user data privacy and the ability for third-party apps to harvest such information.

In April 2018, after the scandal had broken, Facebook suggested more than 310,000 Australians may have had their data improperly shared with Cambridge Analytica. The app at the centre of the fresh court proceedings was a personality survey developed by Dr Aleksandr Kogan, who became a central figure in the global data breach scandal for the apps allowing Facebook data to be harvested.

In its latest statement, Australian Information Commissioner and Privacy Commissioner, Angelene Falk, said Facebook’s default settings facilitated the disclosure of personal and sensitive information “at the expense of privacy”.

“We consider the design of the Facebook platform meant that users were unable to exercise reasonable choice and control about how their personal information was disclosed,” she stated. “We claim these actions left the personal data of around 311,127 Australian Facebook users exposed to be sold and used for purposes including political profiling, well outside users’ expectations.”

In its Federal Court statement of claim, the privacy watchdog noted most of the Facebook users impacted by the data disclosure to ‘This is your digital life’ did not install the app themselves, but instead had personal information divulged via friends’ use of the app. This action is in breach of the sixth of the 13 Australian Privacy Principles (APP) sitting underneath the Privacy Act.

In addition, the information and privacy commissioner has alleged Facebook did not take reasonable steps during this period to protect user information from unauthorised disclosure. The penalties for such a breach could be up to $1.7 million.

“All entities operating in Australia must be transparent and accountable in the way they handle personal information, in accordance with their obligations under Australian privacy law,” Falk stated.

In its concise statement, the Australian Information Commissioner said Facebook did not adequately inform affected Australian individuals of the manner in which information could be installed via a friend downloading the app.

“Unless those indivdiuals undertook a complex process of modifying their settings on Facebook, their personal information was disclosed by Facebook to the ‘This is your digital life’ app by default,” the statement reads. “Facebook did not know the precise nature or extent of the personal information it disclosed to the ‘This is your digital life’ app. Nor did it prevent the app from disclosing to third parties the personal information obtained. The full extent of the information disclosed, and to whom it was disclosed, accordingly cannot be known.

“What is known, is that Facebook disclosed the affected Australian individuals’ personal information to the ‘This is your digital life’ app, whose developers sold personal information obtained using the app to the political consulting firm, Cambridge Analytica, in breach of Facebook’s policies.”

The Cambridge Analytica scandal broke in early 2018 after it was revealed by both The New York Times and The Observer UK the data analytics firm had harvested an estimated 50 million Facebook profiles to hypertarget voters in the US and UK elections and political activities. The reports were based on Christopher Wylie, a key figure behind Cambridge Analytica’s formation who has since turned whistleblower.

The latest Australian privacy proceedings also come nearly nine months after the Australian Competition and Consumer Commission (ACCC) launched its scathing Digital Platforms Inquiry final report, calling for holistic and dynamic reforms to counter the adverse effect Google and Facebook are having on the economy, media landscape, competition and society.

Off the back of its new information gathering powers, the ACCC launched an inquiry into the adtech services space in February.
 
There have also been a range of legal actions taken globally against Facebook off the back of the Cambridge Analytica scale. A settlement between Facebook and the UK Information Commissioner’s office in October 2019, for example, saw Facebook agreeing, without admitting liability, to pay a £500,000 fine. Undertakings by the Privacy Commissioner of Canada in February 2020 in Canada’s Federal Court seeking a declaration that Facebook has contravened Canadian privacy laws, also resulted in binding orders requiring Facebook to change its practices and comply with the law.

And in July last year, the US Federal Trade Commission investigation culminated in settlement terms including a US$5 billion penalty and changes to Facebook’s privacy and governance practices. These are now awaiting finalisation in the US District Court.

Follow CMO on Twitter: @CMOAustralia, take part in the CMO conversation on LinkedIn: CMO ANZ, follow our regular updates via CMO Australia's Linkedin company page, or join us on Facebook: https://www.facebook.com/CMOAustralia.