Meta subsidiaries have been fined $20 million by the Federal Court for not providing sufficient notice to VPN users that their data would be collected for commercial benefit.
The subsidiaries have also been ordered to contribute $400,000 towards the Australian Competition and Consumer Commission’s (ACCC) legal bills and other costs relating to the proceeding.
The Federal Court on Wednesday declared that Meta subsidiaries Onavo and Facebook Israel had failed to make sufficient disclosures to Australian consumers on its listings of VPN app Onavo Protect on the Google Play and Apple App stores.
Onavo Protect users’ internet and app activity and details on their use of other apps was collected, anonymised, and aggregated to serve Meta’s market research activities.
Meta employees viewed the collected data through a dashboard and combined with their social media profile if they had a facebook account.
The Onavo VPN app – used to route online activity through a separate computer or server for privacy – was shutdown in May 2019 after it was removed from the Apple App Store for breaching privacy rules.
Statements such as “Use a free, fast and secure VPN to protect personal information” and “Helps Keep You and Your Data Safe” were used to promote the app while the user data was harvested and shared with the parent company.
The Federal Court agreed with the ACCC’s allegations that Australian consumers were misled between February 2016 and October 2017 by Onavo Protect, which said it “would keep users’ personal activity data private, protected and secret, and that the data would not be used for any purpose other than providing Onavo Protect’s products”.
During that period, Onavo was downloaded more than 270,000 times by Australian users.
The proceedings against the Meta subsidiaries were instituted in December 2020.
United States-based Onavo and Israel-based Onavo Mobile were acquired by Meta for $200 million in 2013. Onavo Mobile was renamed Facebook Israel following the acquisition.
Through the proceedings, Facebook Israel and Onavo made a joint submission agreeing that its app store listings failed to mention that data gathered on Australian users’ online activities was used for other purposes, including a ‘business intelligence tool’.
In a separate US Federal Trade Commission proceeding alleging Facebook illegally maintained a monopoly, references were made to the use of the Onavo Protect app to identify future acquisition opportunities to maintain the monopoly.
One internal Facebook Israel document filed in the federal court highlighted that the app would give the firms “a sample of users who we are able to know nearly everything they are doing on their mobile device”.
Data collected through Onavo Protect was then aggregated and anonymised to provide information that could be used by advertisers to “identify local competitors, notice big trends, find overlaps in use, benchmark your performance in significant-margin differences, notice a shift in consumer attention,” the document reads.
ACCC chair Gina Cass-Gottlieb said that the case against Meta’s subsidiaries was made with the knowledge that many Australian consumers are “concerned about how their data is captured, stored and used by digital platforms”.
“We believe Australian consumers should be able to make an informed choice about what happens to their data based on clear information that is not misleading,” Ms Cass-Gottlieb said on Wednesday.
“In the case of the Onavo Protect app, we were concerned that consumers seeking to protect their privacy through a virtual private network were not clearly told that in downloading and using this app they were actually facilitating the use of their data for Meta’s commercial benefit.”
In May, Meta was fined $2 billion and ordered to stop the transfer of European Union citizens’ personal data to the United States after it was found to breach European data laws. At the time Meta said it would appeal the decision.
In response to the Federal Court declaration a Meta spokesperson said: “The ACCC acknowledged in the joint filing that the Onavo Protect listings were not deliberately misleading and disclosures were made in the app’s Terms of Service and Privacy Policy. Furthermore, all user data was anonymised and aggregated before it was used by Meta.”
Editor’s note: This story has been changed to include a statement from Meta.
Do you know more? Contact James Riley via Email.