The Australian Information Commissioner has announced it has commenced proceedings against Facebook in the Federal Court of Australia, alleging the social media platform has committed serious and/or repeated interferences with privacy in contravention of Australian privacy law. The proceedings seek civil pecuniary penalties against Facebook of up to AUD $1,700,000 per contravention.

The Commissioner alleges that the personal information of Australian Facebook users was disclosed to the This is Your Digital Life app for a purpose other than the purpose for which the information was collected, in breach of the Privacy Act 1988.

The information was exposed to the risk of being disclosed to Cambridge Analytica and used for political profiling purposes, and to other third parties.

The statement of claim alleges that, from March 2014 to May 2015, Facebook disclosed the personal information of Australian Facebook users to This Is Your Digital Life, in breach of Australian Privacy Principle 6. Most of those users did not install the app themselves, and their personal information was disclosed via their friends’ use of the app.

At the time, Facebook said 311,127 Australians between March 2014 and May 2015 had data shared with the app, accounting for 0.4% of users affected by the breach.

However, the the Australian Information Commissioner says only 53 people in Australia installed the app.

The statement of claim also alleges that Facebook did not take reasonable steps during this period to protect its users’ personal information from unauthorised disclosure, in breach of Australian Privacy Principle 11.

The Commissioner says these were systemic failures to comply with Australian privacy laws by one of the world’s largest technology companies.

Under Australian Privacy Principle (APP) 6, if Facebook held personal information that was collected for a particular (primary) purpose, it could not disclose that personal information for a secondary purpose unless it had the individual’s consent or certain exceptions applied.

The statement of claim says that on each occasion on which Facebook disclosed the personal information of the Affected Australian Individuals to the “This is Your Digital Life” App, it breached the Privacy Act.

Under APP 11, Facebook was required to take such steps as were reasonable in the circumstances to protect the personal information Facebook held from unauthorised disclosure.

The claim says that steps that Facebook should have taken to comply with APP 11 included at least the following:

• conducting an initial assessment and regular review of whether the “This is Your Digital Life” App’s requests for Users’ information complied with Facebook’s policies;
• maintaining records of the personal information disclosed, and regularly reviewing these records to audit the nature and scope of disclosures;
• implementing measures to ensure that any consent was obtained directly, before or at the time of disclosure, and was clear and specific.

If you found this article helpful, then subscribe to our news emails to keep up to date and look at our video courses for in-depth training. Use the search box at the top right of this page or the categories list on the right hand side of this page to check for other articles on the same or related matters.