The news that, on 9 March 2020, the Australian Information Commissioner launched action against Facebook in the Federal Court seeking a potential fine of $1 billion, has made significant headlines, although more for the size of the potential fine than the problem of difficult to use settings allowing unauthorised use of personal information.
However, looking at the facts and timeline of this, the decision to only now begin litigation raises the issue of what it means for other Australian businesses.
The facts to which the claim relates occurred between March 2014 and May 2015 and relate to the privacy of approximately 311,127 affected Australian individuals who were Facebook users who used or whose Facebook friends used the “This is Your Digital Life” application (app).
The claim is around the terms and conditions of access to the app and, in particular, the difficulty, complexity and “opacity” of the process for individuals to adjust and/or understand the privacy settings in relation to the app.
The fact that the app not only obtained information from users but also from friends of users who had given no consent is at the heart of the claim. The fact that it is now 2020, and that any harm likely occurred in 2015 and the intervening years, makes it difficult to celebrate the launch of this somewhat belated litigation.
The regulatory impact
To encourage companies to engage in robust privacy compliance, regulators need to be well resourced and able to take swift and appropriate action. The fact that litigation has commenced in March 2020 does not create any certainty of outcome or timing and may result in no fine ever being imposed.
Even if a $1 billion dollar fine is imposed on Facebook sometime in the future, will it have any impact?
On 24 July 2019 the US Federal Trade Commission imposed a US$5 billion penalty and forced Facebook into a 20 year settlement order around the way the company meets its privacy obligations.
Again, there was a delay as the 2019 fine related to 2012 violations by Facebook of privacy regulations.
The week after the US fine was announced, Facebook stock jumped 1.8 per cent.
If US$5 billion in 2019 is not enough to upset Facebook, then certainly the possibility of AU$1 billion at some time in the future is unlikely to cause a ripple in its privacy practices.
Implications for non-Facebook businesses of Australia
The focus on terms and conditions and the user settings as a gateway for a breach of privacy does send a warning to other businesses to consider transparency and simplicity in the design of user terms.
However, given that regulatory action is neither swift nor immediate and that the $1.7 million fine per breach may be regarded by some businesses as a “cost of doing business”, it may be that lax privacy practices continue and nothing changes.
We will follow the course, and impact, of this case with interest.