Social network giant Facebook is facing the prospect of fines of more than $1 billion in Australia in relation to privacy breaches that date back six years to the Cambridge Analytica scandal of 2014-2015.
The Australian Information Commissioner lodged proceedings against Facebook in the Federal Court on Monday alleging the company had committed serious and repeated breaches of Australian privacy law.
Specifically, the papers allege that the personally information of 311,127 Australians was disclosed by Facebook to the This is Your Digital Life app for a purpose other than for that which it had been collected for in breach of the Privacy Act.
The Australian Privacy Commissioner Angelene Falk said all entities operating in Australia had to be transparent and accountable in the way they handle personal information, in accordance with their obligations under Australian law.
“We consider the design of the Facebook platform meant that users were unable to exercise reasonable choice and control about how their personal information was disclosed,” Ms Falk said.
“Facebook’s default settings facilitated the disclosure of personal information, including sensitive information, at the expense of privacy,” she said.
“We claim these actions left the personal data of around 311,127 Australian Facebook users exposed to be sold and used for purposes including political profiling, well outside users’ expectations.”
The Federal Court can impose a civil penalty of up to $1.7 million for each serious and/or repeated interference with privacy (at the penalty rate applicable in 2014–15 when the breaches occurred).
In a statement of claim filed with the Federal Court on Monday, the Australian Information Commissioner said that a fundamental principle of the Privacy Act was that organisations are responsible for the personal information that they hold. In effect, and contrary to this principle, , Facebook in effect transferred responsibility for protecting personal information to its Users and the operators of third-party apps.
It said the opaque nature of Facebook’s settings and policies hampered the ability of Australian users to understand that their data was disclosed to the app. The design of the Facebook website was such that Users were unable to exercise consent or control over how their personal information was disclosed.
“Facebook’s disclosures, and its failure to take steps to prevent them, were systemic failures to comply with Australian privacy laws by one of the world’s largest technology companies,” the Statement of Claim said. “Failure to hold Facebook to account is apt to undermine public confidence in Australia’s privacy laws.”
“Accountability for breaches of the Privacy Act that interfere with Australians’ privacy will encourage entities to comply with applicable privacy laws and to build privacy protections into the design and operation of their services,” it said.
The Statement of Claim also alleges that to date Facebook had been unable to provide the Information Commissioner with a precise record of what personal information of Australian users had been given to the developers on the This is Your Digital Life app.
“That significant failing produces a circumstance in which anomalies may not be detected, or effectively investigated, in order to protect the personal information that the entity still holds,” the claim said.
“It underscores the shortcomings in Facebook’s attempts to protect its Users’ personal information from unauthorised disclosure.”
The court filing is understood to have followed a two year investigation by the Office of the Australian information Commissioner into the Cambridge Analytica disclosures. The OAIC is late to the game, with privacy regulators in Europe, the United States and Canada already having taken legal action.
The action in the Federal Court relates to disclosures of personal information that took place in the period from March 12 2014 to May 1 2015.
In the US, the Federal Trade Commission fined Facebook US$5 billion after it found the company had disclosed personal information of 87 million American users to Cambridge Analytica. Cambridge Analytica had been selling data analytic services to political campaigns all over to world, including to the Donald Trump during the 2016 US presidential election.