Cambridge Analytica Scandal Fallout: Facebook Appeal Dismissed by Australia’s Federal Court
Late last month, in our coverage of the largest GDPR fines in 2021, we outlined that there hadn’t been any movement in Australia’s OAIC v Facebook case. The Facebook appeal proceedings relate to the 2018 Cambridge Analytica scandal, which involved the breach of 311,127 Australian Facebook users’ data and over 87 million Facebook users globally. Launched in 2020, the proceedings have stalled with skirmishes over which Facebook entities should be part of the proceedings.
On 7 February 2022, the Australian Federal Full Court ruled on Facebook’s appeal. Let’s take a look at what that means:
Why is Facebook involved in the proceedings relating to the use of a third-party app?
Before we delve into the proceedings in Australia, we’ll first outline why Facebook is even involved.
In short, it’s because users were required to log in to the ‘This is Your Digital Life App’ using their Facebook account. No other options were presented. At this point, users were also asked for permission to access personal information held by Facebook about them and for access to the personal information of their Facebook friends. These permissions were subject to the user’s privacy settings and consent was granted for Cambridge Analytica (the third-party app developer) to ask Facebook to provide them with access to that user’s personal information and that of their friends. Facebook provided the information.
Cambridge Analytica then permitted that information to be used for the purpose of targeting people as part of political campaigns. It is alleged that this collection and use is a breach of the consent obtained from the users of the app since users would not have reasonably expected the data to be used in this manner.
What led to the Facebook Appeal: Facebook Inc v Australian Information Commissioner
March 2020: Commencing Proceedings
In March 2020, the Australian Information Commissioner (the Commissioner) launched proceedings against Facebook Inc (US parent company) and Facebook Ireland n the Australian Federal Court. The filed documents alleged that Facebook breached the Privacy Act 1988 when it failed to allow users to exercise reasonable choice and control over the disclosure of the personal information they shared via the This Is Your Digital Life app. Specifically, it is alleged that Facebook breached Australian Privacy Principle 6 and Australian Privacy Principle 11.
“APP 6 provides that ‘if an APP entity holds personal information about an individual that was collected for a particular purpose, the entity must not use or disclose the information for another purpose (the secondary purpose), unless the individual has consented to the use or disclosure’ (or another exception applies).
APP 11 provides that ‘if an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances, to protect the information from misuse, interference and loss, and from unauthorised access, modification or disclosure’.”
April 2020: Leave to Serve Granted
Since Facebook Inc and Facebook Ireland (the respondents listed in the proceedings) are both incorporated outside of Australia, the Commissioner was required to apply for leave to serve the documents. To receive permission to serve documents in a foreign country, the Commissioner needed to demonstrate to the Federal Court that:
- The Court has jurisdiction;
- The proceeding is of a kind mentioned in r 10.42 (which requires the proceeding to relate to the enforcement of Australian legislation, amongst other things); and
- The party has a prima facie case for all or any of the relief claimed in the proceeding.
This is largely a procedural requirement, however, it did require the Commissioner to demonstrate that Facebook Inc and Facebook Ireland are organisations subject to the Privacy Act or that they fall under the Extra-territorial operation of the Privacy Act.
This is an important issue for all international organisations whose activities affect Australian citizens but who may not have a physical presence (office, employees etc) in Australia.
The Federal Court approved the Commissioner’s request to serve the related documents in April 2020.
September 2020: Facebook Appeal to Set Aside the April 2020 Orders
In May 2020, Facebook applied to have the April 2020 orders set aside. In practical terms, this would mean the Commissioner would be unable to continue with the proceedings against Facebook. A single judge of the Federal Court dismissed the application in September 2020 – which was sought by Facebook Inc and Facebook Ireland.
Facebook Inc then appealed the Federal Court’s decision to dismiss its application to have those orders set aside. Until 7 February 2022, there hadn’t been any movement relating to these legal proceedings.
The Decision on the Facebook Appeal: Facebook Inc v The Commissioner
On 7 February 2022, the Full Bench of the Federal Court of Australia dismissed Facebook Inc’s appeal.
The Court heard about Facebook’s data processing practices, and considered the following two broad questions:
- Was Facebook Inc carrying on business in Australia?
- Did Facebook Inc collect or hold personal information in Australia?
The Court deemed that the answer to these two questions is yes.
Facebook Inc’s argument that it “had not technically conducted business in Australia or collected and held personal information in Australia” was thrown out. and therefore the appeal should be dismissed. In practice, this means that the Commissioner is permitted to serve the legal proceedings against Facebook Inc and Facebook Ireland – as per the orders in April 202.
Facebook was also ordered to pay the Australian Information Commissioner’s costs for the appeal.
It’s important to bear in mind that this does not mean the Commissioner has successfully argued that Facebook breached the Privacy Act 1988. Instead, it means that the Commissioner has won the right to serve Facebook Inc with the originating documents relating to the legal proceedings and continue with the landmark claim against them.
The FTC imposed a $5 billion penalty and a suite of new privacy restrictions on Facebook in the wake of the scandal and the UK Information Commissioner’s Officer agreed to a £500,000 fine being paid by Facebook for the same circumstances. Given that the OAIC was slow to initiate proceedings against Facebook and given the relatively small number of individuals whose privacy was breached and the lower fines applicable to breaches of the Australian Privacy Act, we aren’t anticipating the Australian penalty against Facebook to be as severe as the British or American fines. As a result, we also wouldn’t be surprised to see Facebook and the OAIC come to a settlement outside of court.
We will keep you updated as the matter progresses.