The Office of the Australian Information Commissioner (OAIC) has finally lodged proceedings against Facebook almost two years after the Cambridge Analytica scandal. The watchdog claims the social media giant seriously and repeatedly failed to comply with Australian privacy law prior to the incident becoming public knowledge.
The OAIC began investigating the case in April 2018 when it was discovered that Facebook had exposed the personal data of 311,000 Australians to Cambridge Analytica. This information was allegedly sold for political profiling and also used by other third parties. 87 million Facebook users worldwide were affected by the breach.
Australian Information Commissioner and Privacy Commissioner Angelene Falk said that Facebook's default user settings at the time allowed personal information to be exposed so easily. "We consider the design of the Facebook platform meant that users were unable to exercise reasonable choice and control about how their personal information was disclosed," said Falk in a press release.
"We claim these actions left the personal data of around 311,127 Australian Facebook users exposed to be sold and used for purposes including political profiling, well outside users’ expectations."
The statement of claim lodged by the OAIC states that from March 2014 to May 2015 impacted Australian Facebook users had their data disclosed via the This Is Your Digital Life app, despite many users worldwide not having the app installed. Instead, their personal data was exposed inadvertently by someone on their friends list who did use the app.
The OAIC says this violates Australian Privacy Principle 6, which involves the use and disclosure of personal information. The statement further claims that Facebook did not take "reasonable steps" to protect the personal information of its users from unauthorised disclosure, which is in violation of Australian Privacy Principle 11:
"All entities operating in Australia must be transparent and accountable in the way they handle personal information, in accordance with their obligations under Australian privacy law,” said Angelene Falk.
There is no court date currently set, but the Federal Court can impose a $1.7 million civil penalty for each serious or repeated offence. Gizmodo Australia has reached out to Facebook for comment.