OAIC's landmark case against Facebook to have major implications on Privacy Act

By Gavin Smith, David Rountree

In brief

As Privacy Awareness Week this year called for individuals to #rebootyourprivacy and debate continues over the privacy protections for the COVIDSafe application, another step has been taken in the Australian Information Commissioner's (Commissioner) landmark case against Facebook, Inc and Facebook Ireland Ltd (together, Facebook) which will have major implications for the Privacy Act 1988 (Cth) (Privacy Act) and digital businesses operating from offshore entities.

The proceedings in the Federal Court are a continuation of the global fallout from the 'Cambridge Analytica' scandal and involve the Commissioner seeking civil pecuniary penalties against Facebook for breaches of the Australian Privacy Principles (APPs). Critically, this case will set precedents for determining both the quantum of future penalties under, and the scope of the extra-territorial application of, the Privacy Act.

It's a timely reminder to review all your data handling practices (as well as those of any third parties to whom you disclose customer personal information), specifically around any default and/or opt-out settings. This article considers some of the key issues at stake and the potentially broader impacts that might follow.

Key takeaways

  • The Commissioner's Statement of Claim alleges that Facebook breached both APP 6.1 and APP 11.1(b) in relation to 311,127 Australian Facebook users. The Statement of Claim also alleges that each of the circumstances giving rise to those breaches contravened section 13G of the Privacy Act on the grounds that they were serious interferences with the privacy of the affected individuals and, or in the alternative, meant Facebook had repeatedly engaged in acts or practices that were interferences with the privacy of affected individuals.
  • The core of the Commissioner's allegation in relation to APP 6.1 is that Facebook disclosed personal information for a purpose other than the primary purpose of collection, without either obtaining adequate consent or ensuring that the affected users were adequately informed of the disclosures that would occur. The Statement of Claim makes it clear that the basis of the claim is that it was difficult for users to know they needed to change their default settings to limit disclosures, and that the design of Facebook 'made it difficult for users to exercise consent or control over the disclosure of their personal information to apps'. This may have broad ramifications for the widespread use of default 'on' settings, bundled consents and broadly worded privacy notices.
  • The Commissioner's allegation in relation to APP 11.1(b) is that Facebook did not take reasonable steps to protect personal information by failing to have adequate practices and systems in place to ensure information was being disclosed appropriately and was subject to appropriate consents. These steps would have included continuously monitoring and auditing whether third-party recipients of personal information were complying with Facebook's policies, rather than simply relying (without verification) on those third parties complying. This will reinforce the need for APP entities to take proactive steps to monitor any personal information that has been disclosed to third parties in order to satisfy APP 11.

  • The Commissioner has not asserted a breach of APP 1, despite referring to systematic breaches caused by deficiencies in Facebook's systems, practices and procedures. This may be because a failure to implement such practices, procedures and systems is not itself an act or practice in relation to personal information about an individual, and as such is not subject to the civil penalty provisions under the Privacy Act.
  • A particularly critical aspect of the Statement of Claim is that the Commissioner appears to be seeking a civil penalty for each act of disclosure of personal information by Facebook to Global Sciences Research Ltd (GSR), the operator of the This is Your Digital Life app (TYDL), rather than for a single breach. This will have a material impact on the maximum penalty available. Instead of $1.7 million for a single interference, the penalty could theoretically be as high as $500 billion. The determination as to whether the acts or practices of disclosure constitute a single interference with the privacy of an individual, or multiple, will set a precedent in determining the quantum of future penalties under the Privacy Act.
  • The proceedings will also set an important precedent on the scope of the extra-territorial application of the Privacy Act, particularly for digital businesses that operate from offshore entities. They are also a reminder of the increased focus by the Office of the Australian Information Commissioner (OAIC) on active enforcement action and reflect the broader trend of a more stringent regulatory environment in relation to data.

Details of the proceedings

  • On 22 April, in the midst of the COVID-19 lockdown, an important procedural step was taken in the Commissioner's groundbreaking Federal Court proceedings against Facebook, when leave was granted for overseas and substituted service of the Commissioner's originating process documents.
  • The Commissioner commenced proceedings on 9 March 2020, and is seeking civil pecuniary penalties against Facebook in connection with a number of breaches of APPs 6 and 11 between March 2014 and May 2015. This is the first time the Commissioner has sought civil pecuniary penalties since the power was established in 2014.
  • The April hearings were largely process related and were heard on an ex parte basis, so they provide only relatively limited insight into the likely outcome of the full proceedings. However, the judgment does provide an overview of the issues that will be considered more fully by the Federal Court, including the alleged contravention of APPs 6 and 11, and the extra-territorial application of the Privacy Act.
  • The proceedings arise from the use of an API which Facebook made available to web developers of apps to be used on Facebook's social networking platform, and which was used in the TYDL application. This API enabled GSR to collect significant volumes of 'public' personal information (including profile data, Facebook messages, email addresses, photos and news feed posts) from Facebook users who had installed TYDL, as well as the Facebook friends of those users who had no interaction with the application.
  • Facebook's policies purported to restrict use of the data collected through this method by app developers, including by prohibiting the transfer of information to data brokers, advertising networks or for monetisation, and only permitting use of friends' personal information in a Facebook user's experience in the app. However, Facebook relied on self-assessments and did not monitor compliance or have appropriate procedures in place to ensure that data was being used in an appropriate manner.
  • GSR received personal and sensitive information of Facebook users and friends over a period spanning more than a year, and went on to sell the data to Cambridge Analytica and other third parties, enabling this detailed personal information to be used for profiling and election advertising.

Threshold issue – jurisdiction

As both Facebook entities are established overseas, a threshold matter which will need to be established by the Commissioner is that the Privacy Act applies to the acts and practices of Facebook by virtue of its extra-territorial application to organisations with an 'Australian link'. To be successful, the Commissioner will need to prove that Facebook, at the time, was 'carrying on business' in Australia, and collected and/or held personal information in Australia.

This was considered briefly in the initial judgment by the Federal Court, which found there was a prima facie case Facebook is bound by the Privacy Act, on the basis that:

  • Australian users contracted with Facebook Ireland, which described itself as the 'data controller for Australian Facebook users'; and
  • Facebook Ireland provided the Facebook service to Australian users as agent for Facebook Inc (in light of the contractual relationship between the Facebook entities).

This jurisdictional issue is likely to be significantly contested at any hearing and will set an important precedent for other digital or online-based businesses that transact with their users from overseas-based companies. In particular, the Federal Court judgment suggests the hearing may include debate about the facts which must be established in order to determine whether Facebook collected or stored personal information 'in Australia'.

Breaches of APPs

The Commissioner has asserted in her statement of claim that Facebook's conduct involved breaches of APP 6 and 11.

APP 6 - Use or disclosure of personal information

The Commissioner has asserted the following:

  • The primary purpose for which Facebook collected users' personal information was to build an online social network on the Facebook website. Disclosing such information to a third party, such as GSR, to provide a separate service of conducting a personality survey is not consistent with this purpose.
  • While the statement of claim, somewhat curiously, does not go into detail on this point, the Commissioner is also, by implication, asserting that no relevant exemption in APP 6.2 or 6.3 applies. This includes any ability to disclose such information for a 'related' secondary purpose that would be 'reasonably expected' by the individuals (under APP 6.2(a)).
  • Perhaps most importantly, the Commissioner is also asserting that Facebook could not rely on having obtained a valid consent for the disclosure of user information to GSR in line with APP 6.1(a).

Resolving these questions will involve a court examining, for the first time, some of the grey areas in privacy law, including the boundary of 'related' purposes and individuals' 'reasonable expectations', as well as whether the level of transparency and unfriendly design features can undermine the quality of any 'consent' which has been obtained from an individual.

APP 11 - Security of personal information

The Commissioner has asserted that Facebook failed to comply with its obligations under APP 11(b) to take steps to protect users' personal information. This includes a failure to undertake the following steps that may have been reasonable to protect the information from unauthorised disclosure to GSR (and further unauthorised disclosure to Cambridge Analytica):

  • conducting initial and ongoing assessment of the information being disclosed to GSR, and whether information which was being requested by GSR complied with Facebook's policies;
  • maintaining and regularly reviewing records of the personal information being disclosed through TYDL;
  • implementing measures to ensure users' consent (both users of TYDL and friends of such users who also had their information collected) to disclose personal information to GSR was clear and specific and obtained directly from the relevant user prior to disclosure to GSR; and
  • once Facebook determined that GSR was using users' personal information for unauthorised purposes, ceasing disclosure of relevant data and taking independent steps to ensure GSR and relevant third parties had, in fact, deleted or destroyed such information.

Judicial consideration of these issues is likely to be highly fact-dependent and involve a balancing of steps which would have been reasonable in the particular circumstances. However, the outcome of this case will be instructive for future potential enforcement activity alleging breach of APP 11.

Why not APP 1.2?

Of note, the Commissioner has not asserted that Facebook has breached APP 1.2, which requires an organisation to take reasonable steps to have appropriate practices, procedures and systems to ensure compliance with the APPs. This is despite the Commissioner's statement of claim repeatedly referring to systemic failures to have appropriate processes and systems.

We expect that this is because the civil penalty provisions require that there is an act or practice that breaches the APPs 'in relation to personal information about the individual'. As APP 1.2 goes to an entity's systems and processes, it is unlikely that a failure to implement such systems and processes will, of itself, relate to a specific individual's personal information or breach that individual's privacy. If this is the case, it may be that a breach of APP 1.2 cannot form the basis of any civil penalty proceedings. However, this position will not be tested in this case.

Application of penalty provisions

Importantly, in order to seek civil penalties for an interference with the privacy of an individual under the Privacy Act, the Commissioner must prove that the relevant breaches were serious and/or repeated (under section 13G). The Commissioner has relied on a number of factors to demonstrate the serious and repeated nature of the interferences with privacy, including:

  • the lack of systems and oversight over how third-party apps collected (and the purpose for which they collected) user personal information, which enabled secondary uses and disclosures which were not reasonably expected or consented to;
  • the large volume of data which Facebook solicited from Australian users and disclosed to GSR, including the ongoing provision of data to GSR after a Facebook internal review rejected its application to use a new version of the API, and the failure to retain records of such disclosures;
  • a failure to be transparent and clearly communicate with users about default settings and their consequences, which meant users were unable to understand how their information was being handled or effectively consent to the disclosure of their information, transferring responsibility for protecting personal information from Facebook, as the regulated entity, to users;
  • that Facebook's complex website design made it difficult for users to effectively opt out (including requiring users to use two processes to opt out of having their data disclosed to apps); and
  • the risk of harm to individuals from their personal information being further disclosed in an unauthorised manner once out of Facebook's control (including for profit or political profiling purposes).

These issues echo some of the OAIC's key messages and priorities over the last few years and are likely reflective of the factors the Commissioner will consider when determining whether to bring enforcement action.

Quantum of the pecuniary penalty

A critical, headline-grabbing matter which will need to be determined by the Federal Court is the quantum of any penalty. In order to do so, the court will need to determine whether the breaches alleged by the Commissioner constitute one single breach, or multiple breaches. Did Facebook breach the Privacy Act on each occasion that it disclosed data to GSR (with each disclosure being separately subject to a civil penalty)? Does the disclosure of a single individual's personal information constitute a separate disclosure and, therefore, a separate breach? Or, alternatively, did each request made by GSR for disclosure through Facebook's Graph API constitute a separate breach? It appears the Commissioner has framed her claim so that this issue can be determined by the court.

The consideration of this issue could potentially result in:

  • a radical multiplying effect on the potential penalty for Facebook, given that the personal information of approximately 311,127 Australian users was disclosed; and
  • a material impact on privacy regulatory risk more broadly, and the total potential exposure of companies that suffer large-scale breaches or misuse data of multiple users over an extended period.

Actions you can take now

  • Review your practices (and those of third parties to whom you disclose customer personal information) and ensure they comply with any public-facing policies and statements.
  • Consider any default and/or opt-out settings for the use of personal information you have implemented and whether:
    • the data handling practice they relate to (particularly, any use or disclosure which customers might not reasonably expect); and
    • the process by which users may opt out of such practices,
    are sufficiently clear to your customers (including if any additional actions are required to fully opt out). To the extent that you are relying on consent, consider whether this consent is sufficiently informed and validly obtained.

  • If important information about your data handling practices (such as third-party disclosures) is set out in policy documents, consider either pulling out the key details of such policies onto the onboarding page, requiring customers to read through such documents prior to onboarding, or developing short-form plain English summaries.
  • Consider your practices around the disclosure of personal information to third parties, and whether:
    • those disclosures align with your customer-facing terms; and
    • sufficient steps are being taken to ensure the security and safety of such information.
  • Lastly, retain comprehensive (and auditable) records of the kinds of personal information you disclose to third parties in respect of your customers.