On Monday, the Office of the Australian Information Commissioner (OAIC) brought proceedings against Facebook in the Federal Court, asking the court to impose financial penalties for serious interference with the privacy of more than 300,000 Australians.
To our knowledge, this is the first time the privacy regulator has sought civil penalty orders under the Privacy Act.
Facebook responded by saying it had made “major changes” to its platforms “in consultation with international regulators”.
This response is none too comforting, given Facebook’s current data practices (which include collecting data of consumers who have never used Facebook). The company also has a history of misrepresentations regarding data privacy.
What is Facebook being sued for?
In 2014, Facebook users were offered an app called “This is Your Digital Life”, which paid users to take a personality quiz. The app harvested the data not only of the person taking the quiz but also of their Facebook friends, who had no knowledge of the app or the data collection.
The app developer then sold that information to a political lobbying company, Cambridge Analytica, which used the personal data for political profiling. This profiling was apparently used to aid in the election of US President Donald Trump in 2016, among other things.
Worldwide, approximately 87 million Facebook users were affected. In Australia, only 53 users downloaded the app, but still, around 311,000 people were affected.
The OAIC alleges that Facebook contravened the Privacy Act by allowing users’ personal data to be used for purposes that were not properly disclosed, and by failing to take proper steps to protect users’ personal data.
Better late than never
The OAIC’s action follows similar action against Facebook by regulators around the world. In 2018, the UK privacy regulator fined Facebook the maximum GBP500,000 over the Cambridge Analytica breach. Last year, the US Federal Trade Commission (FTC) settled with Facebook on a record-breaking US$5 billion payment in respect of related conduct.
While the OAIC’s action should be encouraged, we should not overestimate the impact on Facebook.
If the Federal Court finds the alleged contraventions occurred, Facebook could face fines of up to A$1.7 million for each contravention. (There is likely to be debate over what constitutes a single contravention, and therefore how many contraventions there were.) That may sound hefty, but we should put it in context.
Facebook is still collecting data about non-Facebook users
Facebook responded to this week’s announcement of the OAIC action by saying it has upgraded privacy protections:
We’ve made major changes to our platforms, in consultation with international regulators, to restrict the information available to app developers, implement new governance protocols and build industry-leading controls to help people protect and manage their data.
But has the leopard changed its spots? While Facebook has made some adjustments to the settings available to Facebook users, it continues, for example, to track the activities of consumers on third-party websites, when a Facebook user is not logged in and even when the consumer has never been a Facebook user.
Facebook says it collects information about anyone who visits a website or app that uses “Facebook Products”, which includes anywhere you see Facebook “Like” buttons or an option to “sign in with Facebook”.
You don’t need to click on the “Like” button or sign in with Facebook for this to happen. According to Facebook, it collects this information “without any further action from you”.
Facebook does this by placing a cookie on your computer or device when you visit the third-party website. It then collects data about what you do online, including your use of other websites and apps, and information about your device, which can be highly individual.
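The tracking mechanism described above, as an added illustration that is not part of the original article and not Facebook's code: a toy browser with a cookie jar, an embedded third-party widget that sets an identifier cookie on first sight, and a comparison of what the widget operator can link together when third-party cookies are sent unchanged versus when they are partitioned per top-level site. The domain names (`tracker.example`, `news.example`, `shop.example`) are constructed placeholders.

```javascript
// Added illustration (not from the article): a toy model of a third-party
// cookie set by an embedded widget (e.g. a "Like" button). Loading the page
// is enough to send the cookie; no click or sign-in is required.
// All domain names are constructed placeholders.

const TRACKER = "tracker.example"; // assumed domain that serves the embedded widget

// Simulated browser: cookies stored per cookie domain, optionally partitioned
// by the top-level site so a tracker sees a different jar on every site.
class Browser {
  constructor({ partitionThirdParty = false } = {}) {
    this.partitionThirdParty = partitionThirdParty;
    this.jar = new Map();
  }
  // Storage key for cookies of `domain` while the visible page is on `topSite`.
  key(topSite, domain) {
    const thirdParty = domain !== topSite;
    return thirdParty && this.partitionThirdParty ? `${topSite}|${domain}` : domain;
  }
  // Cookie header the browser would attach to a subresource request to
  // `domain` issued from a page on `topSite` (null when none is stored).
  request(topSite, domain) {
    return this.jar.get(this.key(topSite, domain)) ?? null;
  }
  // Store the value the server returned in Set-Cookie.
  storeCookie(topSite, domain, value) {
    this.jar.set(this.key(topSite, domain), value);
  }
}

// Simulated widget operator: hands out a fresh ID to any browser that sends
// no cookie, and logs every hit together with the referring site.
class Tracker {
  constructor() {
    this.nextId = 1;
    this.log = [];
  }
  handle(cookieHeader, referrer) {
    const id = cookieHeader ?? `id-${this.nextId++}`;
    this.log.push({ id, referrer });
    return id; // value sent back as the cookie
  }
}

// Render a page on `topSite` that embeds the widget. Merely rendering it
// triggers a request to the tracker carrying whatever cookie is stored.
function visit(browser, tracker, topSite) {
  const cookie = browser.request(topSite, TRACKER);
  const id = tracker.handle(cookie, topSite);
  browser.storeCookie(topSite, TRACKER, id);
  return id;
}

// Replay the same three page loads under a cookie policy and count how many
// distinct IDs the tracker logged. 1 means every visit was linked to one browser.
function distinctIdsSeen(partitionThirdParty) {
  const browser = new Browser({ partitionThirdParty });
  const tracker = new Tracker();
  const sites = ["news.example", "shop.example", "news.example"];
  for (const site of sites) visit(browser, tracker, site);
  return new Set(tracker.log.map((entry) => entry.id)).size;
}

console.log("third-party cookies shared across sites:", distinctIdsSeen(false)); // 1
console.log("third-party cookies partitioned per site:", distinctIdsSeen(true)); // 2
```

With shared third-party cookies the tracker sees one ID on both sites and can assemble a cross-site browsing history even for someone who never signed in; partitioning (or blocking) third-party cookies, which several browsers now do by default, gives the tracker an unrelated ID on each site and breaks that link.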
As the Australian Competition and Consumer Commission pointed out last year, it’s unlikely non-Facebook users could even find out about this practice.
What could they do with our data?
More than that, Facebook has in the past claimed it will limit data use, before going back on it later. When Facebook acquired WhatsApp in 2014, it told regulators it would be unable to automatically match Facebook and WhatsApp user accounts after the merger. The European Commission has since fined Facebook for making incorrect or misleading representations in this respect.
Similarly, the action brought by the US FTC referred to repeated misrepresentations by Facebook about the extent to which users could control the privacy of their data.
Facebook may have made some changes, but it is still an advertising business with a history of privacy infringements that makes tens of billions of dollars each quarter from collecting and monetising oceans of personal data.
Other companies are similarly focused on extracting personal data at the expense of privacy. Consumers should hope this is only the first of many more actions by the privacy regulator.
Authors: Katharine Kemp, Senior Lecturer, Faculty of Law, UNSW, and Academic Lead, UNSW Grand Challenge on Trust, UNSW