The Cambridge Analytica scandal has put Facebook at the centre of most privacy infringement cases in the past year. The Australian case against Facebook Inc and Facebook Ireland is a result of violations of the Australian Privacy Principles (“APP”) due to the leak of data in the Cambridge Analytica scandal, which led to the release of many Australian citizens’ data. Earlier this year, in March 2020, the Office of the Australian Information Commissioner (“OAIC”) was granted permission to pursue Facebook over the data leak scandal, as the practices of Facebook violated aspects of the Privacy Act 1988, Freedom of Information Act 1982 and Australian Information Commissioner Act 2010. The case against Facebook in Australia comes as an important precedent for data giants to strengthen their data sharing practices.
Australia has around 311,127 Facebook users. The Cambridge Analytica data leak resulted in the release of information of around 87 (eighty-seven) million people, for which the United States and the United Kingdom have fined Facebook USD 5 billion and EUR 500,000 respectively. The Australian regulators, on the other hand, sued Facebook for AUD 529 billion in March 2020. This figure arises because the penalty for each individual's data leak can add up to AUD 1.7 million, and multiplying that amount by the 311,127 users in Australia results in the hefty penalty of AUD 529 billion.
Let’s take a look at what really happened in the case proceedings.
The OAIC, in its statement of claim, alleged that Facebook violated APP 6.1, APP 11.1(b), and section 13(G) of the Privacy Act 1988, stating that Facebook had engaged in repeated practices infringing and interfering with the privacy of the 311,127 affected individuals.
APP 6.1: The OAIC’s allegation under APP 6.1 is that Facebook disclosed the personal information of users for purposes other than the purpose of collection, without obtaining the necessary consents and making the necessary disclosures. Facebook is also alleged not to have provided substantial disclosure of the fact that all users have an ‘opt-out’ clause with regard to disclosure of information to other apps.
APP 11.1: The OAIC’s allegation under APP 11.1 is that Facebook did not take reasonable measures to protect the information of its users. Facebook did not have the necessary mechanisms in place to ensure that the personal information of users was disclosed only after obtaining the necessary consent. Facebook should have had auditing and monitoring mechanisms to track when data was being transferred to a third party and whether consents had been obtained.
The case is a consequence of Facebook users’ data being shared with Global Science Research Limited, which is the operator of the This is Your Digital Life app (“TYDL”). Facebook had developed an API that enabled third-party apps such as TYDL to utilise Facebook users’ data. The case against Facebook is also significant for bringing claims against overseas entities.
The proceedings of the case against Facebook began on April 22, 2020, amidst the COVID-19 pandemic lockdown. The April 22 hearing was a description of the process and was heard on an ex parte basis. The Federal Court in the judgment also stated that the OAIC shall be allowed to serve Facebook outside the jurisdiction of Australia with respect to documents and interlocutory applications.
A more substantial analysis of the case against Facebook can be made once the OAIC has begun its proceedings against Facebook. The OAIC is most likely to serve Facebook Ireland soon, as it is the “data controller of all Facebook users” and is also contractually bound with various Facebook entities. It is interesting to see how Facebook has been under regulatory scrutiny ever since privacy regulations were enacted in various jurisdictions. In India, with the launch of the Personal Data Protection Bill, 2019, will Facebook be subjected to the same fate? Or, in the light of the recent investment deals with the corporate giant of India, Jio, and the go-ahead from the Indian antitrust regulator, the Competition Commission of India, will Facebook escape regulatory controversy? Only time will tell. Till then, it has become increasingly pertinent for entities handling large amounts of data to revisit their data clauses and obtain the necessary consents as and when required. Proper disclosure must be made to the users of the data, and if any third-party data transfer clause is present, the “opt-out” clause must be highlighted and not buried in a sentence within a 15-page Privacy Policy.