9 March 2020

The Australian Information Commissioner has lodged proceedings against Facebook in the Federal Court, alleging the social media platform has committed serious and/or repeated interferences with privacy in contravention of Australian privacy law.

The Commissioner alleges that the personal information of Australian Facebook users was disclosed to the This Is Your Digital Life app for a purpose other than the purpose for which the information was collected, in breach of the Privacy Act 1988.

The information was exposed to the risk of being disclosed to Cambridge Analytica and used for political profiling purposes, and to other third parties.

“All entities operating in Australia must be transparent and accountable in the way they handle personal information, in accordance with their obligations under Australian privacy law,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

“We consider the design of the Facebook platform meant that users were unable to exercise reasonable choice and control about how their personal information was disclosed.

“Facebook’s default settings facilitated the disclosure of personal information, including sensitive information, at the expense of privacy.

“We claim these actions left the personal data of around 311,127 Australian Facebook users exposed to be sold and used for purposes including political profiling, well outside users’ expectations.”

The statement of claim lodged in the Federal Court today alleges that, from March 2014 to May 2015, Facebook disclosed the personal information of Australian Facebook users to This Is Your Digital Life, in breach of Australian Privacy Principle 6. Most of those users did not install the app themselves, and their personal information was disclosed via their friends’ use of the app.

The statement of claim also alleges that Facebook did not take reasonable steps during this period to protect its users’ personal information from unauthorised disclosure, in breach of Australian Privacy Principle 11.

Commissioner Falk considers that these were systemic failures to comply with Australian privacy laws by one of the world’s largest technology companies.

Background

The documents filed by the Office of the Australian Information Commissioner (OAIC) in the Federal Court are:

The OAIC is an independent statutory agency established to promote and uphold privacy and information access rights. It has a range of regulatory responsibilities and powers under the Privacy Act 1988, Freedom of Information Act 1982 and Australian Information Commissioner Act 2010.

The Privacy Act includes 13 legally binding Australian Privacy Principles (APPs) which apply to agencies and organisations covered by the Privacy Act (APP entities).

APP 6 provides that ‘if an APP entity holds personal information about an individual that was collected for a particular purpose, the entity must not use or disclose the information for another purpose (the secondary purpose), unless the individual has consented to the use or disclosure’ (or another exception applies).

APP 11 provides that ‘if an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances, to protect the information from misuse, interference and loss, and from unauthorised access, modification or disclosure.’

The Commissioner may apply to the Federal Court for a civil penalty order alleging that an APP entity has engaged in serious and/or repeated interferences with privacy in contravention of s 13G of the Privacy Act.

The Federal Court can impose a civil penalty of up to $1,700,000 for each serious and/or repeated interference with privacy (as per the penalty rate applicable in 2014–15).