Australian Privacy Commissioner vs Facebook: Your 4-Minute Explainer


Australian Information Commissioner and Privacy Commissioner Angelene Falk filed proceedings against Facebook Inc and Facebook Ireland in the Federal Court in March 2020. At the time, she alleged Facebook committed serious and/or repeated interferences with privacy in contravention of Australian privacy law.

“My claim, following our investigation, is that the default settings on the platform, at that time, facilitated disclosure at the expense of privacy, and also that Facebook failed to have in place, reasonable steps to protect the personal information that it held,” Falk told senators back in February last year.

The Privacy Commissioner in 2020 applied for, and obtained, leave to serve the initiating court documents on Facebook Inc and Facebook Ireland. However, Facebook said it didn’t operate in Australia (a key part of the OAIC’s argument was the reference to entities “operating in Australia”) and sought an interlocutory action, arguing it had not technically conducted business in Australia, as it serviced U.S. users through Facebook Inc, and international users through Facebook Ireland.

In February 2022, the Commissioner was given approval by the Federal Court to pursue legal action against Facebook.

“[The full court] determined that Facebook Inc, the U.S. company, in fact does have a case to answer,” Falk explained.

But, in September 2022, Facebook Inc sought, and was granted, special leave to appeal to the High Court of Australia in relation to the Full Federal Court’s decision.

After a change to the Federal Court Rules 2011, which came into effect in January 2023, the Commissioner applied to revoke the grant of special leave to Facebook Inc.

Then, yesterday, March 7, 2023, the High Court granted the Commissioner’s application to revoke the grant of special leave. This was on the basis that the matter no longer raised an issue of public importance.

As a result of the decision, Facebook Inc has been unsuccessful in setting aside the service of the Commissioner’s application. The proceeding will return to the Federal Court and the substantive proceeding seeking civil penalties against Facebook Ireland and Facebook Inc will now progress.

The OAIC is seeking civil penalties. At the time of these alleged contraventions, this penalty was $1.7 million per contravention. And the commissioner alleges that over 300,000 Australians’ personal information was put at risk “by the unauthorised disclosures” and at “risk of monetisation and deployment for political profiling purposes by Cambridge Analytica”.

What was this all about?

These alleged serious and/or repeated interferences with privacy related to that Cambridge Analytica scandal that still plagues the Zuckerberg empire four years later.

The OAIC began investigating the case in April 2018 when it was discovered that Facebook had exposed the personal data of 311,000 Australians to Cambridge Analytica. This information was allegedly sold for political profiling and also used by other third parties. 87 million Facebook users worldwide were affected by the breach.

In launching legal proceedings (nearly two years after the incident), Falk said that Facebook’s default user settings at the time allowed personal information to be exposed easily.

“We consider the design of the Facebook platform meant that users were unable to exercise reasonable choice and control about how their personal information was disclosed,” she explained.

So that’s $510 billion?

No, it doesn’t work like that.

The fine (if any) imposed on Facebook by the court will be determined based on its findings.

“My claim puts forward that it’s $1.7 million for each contravention that the court finds,” Falk said in response to a question from senators seeking the exact figure she expects Meta to be fined.

Why not Facebook (Meta) Australia?

Facebook’s office within Australia is limited to particular aspects of its business. It’s incorporated in the U.S. and also in Ireland. So it’s necessary for the Privacy Commissioner to proceed against Facebook’s corporate entities, Falk explained.

Also worth noting is that while the OAIC has the power to initiate investigations, as well as the law behind the Commissioner to compel information from companies such as Facebook, Falk cannot seek penalties.

“I can make a determination and find a breach on my own initiative, but I’m not able to issue any penalty. I could order Facebook to change its practices for example, but in order to seek a financial penalty, that’s a matter for the Federal Court,” she said.

With amendments to the 34-year-old Privacy Act in the works at the moment, Falk has asked the Attorney General’s Department to consider giving the OAIC a strengthened enforcement role, a simplified civil proceeding procedure and also the ability to issue infringement notices.

Asked what type of message such proceedings are expected to send to tech giants operating in Australia, Falk had this to say previously:

“The message is that all global companies that are carrying on a business and collecting or holding personal information in Australia, must comply with Australian privacy law.”

This article has been updated since it was first published.

