The Office of the Australian Information Commissioner (OAIC) has today filed proceedings against Facebook, in relation to the use and disclosure of information obtained by Facebook through its 'This is Your Digital Life' app.

OAIC allegations

The OAIC is alleging that Facebook has committed serious and/or repeated interferences with the privacy of its users, by disclosing information to This Is Your Digital Life between March 2014 and May 2015 without the consent of users, in breach of the Australian Privacy Principles (APP 6). The OAIC also alleges breaches of APP 11, by failing to take reasonable steps to prevent unauthorised disclosure of personal information.

Alleging systemic failures by Facebook to comply with Australian Privacy Laws, Privacy Commissioner, Angelene Falk, has released a statement remarking that "Facebook's default settings facilitated the disclosure of personal information, including sensitive information, at the expense of privacy". Commissioner Falk has also remarked that "these actions left the personal data of around 311,127 Australian Facebook users exposed to be sold and used for purposes including political profiling, well outside users’ expectations.”

Potential financial implications

The decision to launch proceedings in the Federal Court provides some certainty to a longstanding question about how this incident would be treated by the OAIC.

We anticipate that this decision will resolve a number of outstanding questions surrounding data misuse incidents, including namely whether Corporate Australia will be penalised for data misuse incidents and if so, what the measure of damages and / or fines will be.

Given the timing of the events underpinning the action and law reform since, the Federal Court can only impose a civil penalty of up to AUD 1.7 million for each serious and/or repeated interference with privacy (as per the penalty rate applicable in 2014–15).

Broader implications for data misuse incidents

This is a watershed moment in Australia's privacy history and one which will shape the class action and tech liability landscape going forward. We will continue to report on the implications of these proceedings to the market, including the implications for the insurance industry across various lines of business.

For more information about the implications of privacy litigation and the OAIC's powers, you can read our previous reports here and here. More information about the proceeding itself is available on the OAIC's website.