Skip to main content
Skip to secondary navigation
Australian Government - Office of the Australian Information Commissioner - Home

Facebook and Cambridge Analytica

Investigation into Facebook opened

5 April 2018

Statement from the acting Australian Information Commissioner and acting Privacy Commissioner Ms Angelene Falk

Today I have opened a formal investigation into Facebook, following confirmation from Facebook that the information of over 300,000 Australian users may have been acquired and used without authorisation.

The investigation will consider whether Facebook has breached the Privacy Act 1988 (Privacy Act). Given the global nature of this matter, the OAIC will confer with regulatory authorities internationally.

All organisations that are covered by the Privacy Act have obligations in relation to the personal information that they hold. This includes taking reasonable steps to ensure that personal information is held securely, and ensuring that customers are adequately notified about the collection and handling of their personal information.

This is a timely reminder to all organisations of the value of good privacy practice to Australians. Organisations should regularly and proactively assess their information-handling practices to ensure that they are both compliant with privacy laws and in keeping with community expectations.

If anyone has concerns about how their personal information has been collected or managed they can, in the first instance, contact Facebook directly and if not satisfied with their response they can contact the OAIC at or on 1300 363 992.

Back to Contents

Statement from the Australian Information and Privacy Commissioner on Facebook and Cambridge Analytica

20 March 2018

I am aware of the reports that users’ Facebook profile information was acquired and used without authorisation. My Office is making inquiries with Facebook to ascertain whether any personal information of Australians was involved.

I will consider Facebook’s response and whether any further regulatory action is required. The Privacy Act 1988 confers a range of privacy regulatory powers which include powers to investigate an alleged interference with privacy and enforcement powers ranging from less serious to more serious regulatory action, including powers to accept an enforceable undertaking, make a determination, or apply to the court for a civil penalty order for a breach of a civil penalty provision.

If anyone has concerns about how their personal information has been collected or managed they can get in touch with my office at or on 1300 363 992.

Back to Contents