This is your digital life (of no consent or control): The Australian Information Commissioner takes Facebook to Court

By Cameron Abbott, Rob Pulham and Rebecca Gill

In a first for Australia, the Australian Information Commissioner (Commissioner) has launched proceedings in the Federal Court of Australia, seeking penalties against Facebook for serious and/or repeated interferences with privacy. The contraventions relate to the conduct disclosed by the Cambridge Analytica scandal, which involved the This is Your Digital Life app (App). We’ve previously blogged about the App here.

It is unclear how the penalties will be calculated in this proceeding. The penalty rate applicable to the relevant period (being from March 2014 to May 2015) is a maximum of $1.7 million. Some have suggested that fines may be in the billions if the maximum rate is applied to each individual affected as a single “contravention” (with possibly over 300,000 contraventions in total!). This may be fun to calculate, but it is highly unlikely to be applied in reality.

Either way, penalties for future conduct are likely to become even more significant once the penalties are increased to 10% of a company’s Australian revenue, as promised by the Commonwealth Government with legislation expected this year.

Interestingly, the Commissioner’s claim focuses on the following allegations:

  • unauthorised disclosures, being that although only 53 Australians installed the App, approximately 311,127 Australian Facebook users were affected as the App also requested information on the installers’ friends;
  • systemic failures (in that deficient systems and processes were the root of Facebook’s failure) to take reasonable steps to protect the personal information held by Facebook from unauthorised disclosures. In particular, the Commissioner claims that an organisation like Facebook should have:
    • initially assessed and regularly reviewed whether the App’s requests for users’ information complied with Facebook’s policies;
    • maintained and regularly reviewed records of personal information disclosed; and
    • implemented measures to ensure that any consent was obtained directly, before or at the time of disclosure, and was clear and specific.

More information on the proceeding, including the statement of claim, can be found on the Office of the Australian Information Commissioner’s website here.

For other actions taken against Facebook by regulators overseas in regard to the Cambridge Analytica scandal, check out our blog post here, and watch this space.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.