Australian Privacy Commissioner vs Facebook: Where to Next?


Australian Information Commissioner and Privacy Commissioner Angelene Falk filed proceedings against Facebook Inc and Facebook Ireland in the Federal Court in March 2020. At the time, she alleged Facebook committed serious and/or repeated interferences with privacy in contravention of Australian privacy law.

“My claim, following our investigation, is that the default settings on the platform, at that time, facilitated disclosure at the expense of privacy, and also that Facebook failed to have in place, reasonable steps to protect the personal information that it held,” Falk told senators on Tuesday.

The Privacy Commissioner back in 2020 applied for, and obtained, leave to serve the initiating court documents on Facebook Inc and Facebook Ireland. However, Facebook said it didn’t operate in Australia (a key part of the OAIC’s argument was the reference to entities “operating in Australia”) and sought an interlocutory action, arguing it had not technically conducted business in Australia, as it serviced U.S. users through Facebook Inc, and international users through Facebook Ireland.

Earlier this month, the Commissioner was given approval by the Federal Court to pursue legal action against Facebook.

“[The full court] determined that Facebook Inc, the U.S. company, in fact does have a case to answer,” Falk explained.

What happens next?

During Senate Estimates, Falk was asked where to next with the litigation, with senators hoping for a quick resolution on the matter.

Unfortunately, Falk said, the OAIC is only at the interlocutory stage of being able to serve Facebook and hopes to now progress to the hearing, the timetable of which will be up to the court.

“I’d be hopeful of a significant matter of this kind of public interest, that it could be heard in a timely manner,” she added.

Falk is seeking civil penalties. At the time of these alleged contraventions, this penalty was $1.7 million per contravention. And she alleges that over 300,000 Australians’ personal information was put at risk “by the unauthorised disclosures” and at “risk of monetisation and deployment for political profiling purposes by Cambridge Analytica”.

What was this all over?

These alleged serious and/or repeated interferences with privacy relate to the Cambridge Analytica scandal that still plagues the Zuckerberg empire four years later.

The OAIC began investigating the case in April 2018 when it was discovered that Facebook had exposed the personal data of 311,000 Australians to Cambridge Analytica. This information was allegedly sold for political profiling and also used by other third parties. 87 million Facebook users worldwide were affected by the breach.

In launching legal proceedings (nearly two years after the incident) Falk said that Facebook’s default user settings at the time allowed personal information to be exposed so easily.

“We consider the design of the Facebook platform meant that users were unable to exercise reasonable choice and control about how their personal information was disclosed,” she explained.

So that’s $510 billion?

No, it doesn’t work like that.

The fine (if any) imposed on Facebook by the court will be determined based on its findings.

“My claim puts forward that it’s $1.7 million for each contravention that the court finds,” Falk said in response to a question from senators seeking the exact figure she expects Meta to be fined.

Why not Facebook (Meta) Australia?

Facebook’s office within Australia is limited to particular aspects of its business. It’s incorporated in the U.S. and also in Ireland. So it’s necessary for the Privacy Commissioner to proceed against Facebook’s corporate entities, she said.

Also worth noting is that while the OAIC has the power to initiate investigations, as well as the law behind the Commissioner to compel information from companies such as Facebook, Falk cannot seek penalties.

“I can make a determination and find a breach on my own initiative, but I’m not able to issue any penalty. I could order Facebook to change its practices for example, but in order to seek a financial penalty, that’s a matter for the Federal Court,” she said.

With amendments to the 33-year-old Privacy Act in the works at the moment, Falk has asked the Attorney General’s Department to consider giving the OAIC a strengthened enforcement role, a simplified civil proceeding procedure and also the ability to issue infringement notices.

Asked what type of message such proceedings are expected to send to tech giants operating in Australia, Falk had this to say:

“The message is that all global companies that are carrying on a business and collecting or holding personal information in Australia, must comply with Australian privacy law.”

This article has been updated since it was first published.