The Australian Information Commissioner yesterday initiated proceedings against Facebook in the Federal Court, alleging the social media platform has committed serious and/or repeated interferences with privacy in contravention of Australian privacy law. These proceedings come hot on the heels of the proceedings initiated by the ACCC against Google in relation to how Google handled certain personal information collected from its users late last year (our full article in relation to these proceedings can be found here) and the ACCC’s intense focus on the use of personal information by digital platforms (including both Google and Facebook) in its final report for the Digital Platforms Enquiry (for our summary of this report, please see here).
The increased regulatory action by the ACCC and the Australian Information Commissioner marks a new age in privacy regulation in Australia as we witness regulators using the full spectrum of their enforcement arsenal to ensure the protection of privacy.
In particular, the Commissioner alleges that the personal information of around 311,127 Australian Facebook users was disclosed to the This is Your Digital Life app for a purpose other than the purpose for which the information was collected, in breach of the Privacy Act 1988. In particular, the Commissioner alleges that the information was used and sold for purposes including political profiling, which is well outside users’ expectations.
The social media giant is no stranger to regulatory scrutiny, both in Australia and overseas. As you may recall, in 2018 it was revealed that Cambridge Analytica had harvested the personal data of millions of peoples’ Facebook profiles and used it for political advertising purposes. Facebook was fined 500,000 pounds in the UK and a record $5bn in the US for “deceiving” users about their ability to keep personal information private, after a year-long investigation into the Cambridge Analytica data breach.
“All entities operating in Australia must be transparent and accountable in the way they handle personal information, in accordance with their obligations under Australian privacy law,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.
“We consider the design of the Facebook platform meant that users were unable to exercise reasonable choice and control about how their personal information was disclosed.
“Facebook’s default settings facilitated the disclosure of personal information, including sensitive information, at the expense of privacy.
The statement of claim also alleges that Facebook did not take reasonable steps during this period to protect its users’ personal information from unauthorised disclosure, in breach of Australian Privacy Principle 11.
Commissioner Falk considers that these were systemic failures to comply with Australian privacy laws by one of the world’s largest technology companies.
These proceedings against Facebook serve as another important reminder to Australian businesses of the risks (including financial and reputational) of failing to comply with the relevant laws when it comes to handling personal information.
In order for organisations to stay on the right side of the law and not mislead individuals about their personal information it is clear that organisations must:
- Take a ‘privacy by design’ approach and think about privacy at the start of a project. This is best done by conducting a privacy impact assessment which can assess the use of data and put in place adequate controls, including security controls;
- Be open and transparent with individuals and consumers about how their personal information is being used – relying on bundled consent in privacy policies and collection statements for a secondary use and disclosure is increasingly becoming pretty risky given each of the Commissioner’s and the ACCC’s actions;
- Don’t be creepy! To avoid breaching the Privacy Act or otherwise misleading consumers about the way in which you use and disclose their personal information – be mindful of functional creep. Consider the reason why the consumer gave you their personal information in the first place and whether you are using their personal information for that purpose (again, conducting a Privacy Impact Assessment for new projects is crucial); and
- Keep personal information ‘secure’. This means taking reasonable steps to protect personal information from misuse, interference and loss, as well as unauthorised access, modification or disclosure in accordance with APP 11. APP’s entities should also be wary that the disclosure of personal information for a purpose which is not permitted under the APPs may also constitute a breach of APP 11.