
Late last month, in our coverage of the largest GDPR fines in 2021, we outlined that there hadn’t been any movement in Australia’s OAIC v Facebook case. The Facebook appeal proceedings relate to the 2018 Cambridge Analytica scandal, which involved the breach of 311,127 Australian Facebook users’ data and over 87 million Facebook users globally. Launched in 2020, the proceedings have stalled with skirmishes over which Facebook entities should be part of the proceedings.
On 7 February 2022, the Australian Federal Full Court ruled on Facebook’s appeal. Let’s take a look at what that means:
Before we delve into the proceedings in Australia, we’ll first outline why Facebook is even involved.
In short, it’s because users were required to log in to the ‘This is Your Digital Life App’ using their Facebook account. No other options were presented. At this point, users were also asked for permission to access personal information held by Facebook about them and for access to the personal information of their Facebook friends. These permissions were subject to the user’s privacy settings and consent was granted for Cambridge Analytica (the third-party app developer) to ask Facebook to provide them with access to that user’s personal information and that of their friends. Facebook provided the information.
Cambridge Analytica then permitted that information to be used for the purpose of targeting people as part of political campaigns. It is alleged that this collection and use is a breach of the consent obtained from the users of the app since users would not have reasonably expected the data to be used in this manner.
In March 2020, the Australian Information Commissioner (the Commissioner) launched proceedings against Facebook Inc (US parent company) and Facebook Ireland in the Australian Federal Court. The filed documents alleged that Facebook breached the Privacy Act 1988 when it failed to allow users to exercise reasonable choice and control over the disclosure of the personal information they shared via the This Is Your Digital Life app. Specifically, it is alleged that Facebook breached Australian Privacy Principle 6 and Australian Privacy Principle 11.
“APP 6 provides that ‘if an APP entity holds personal information about an individual that was collected for a particular purpose, the entity must not use or disclose the information for another purpose (the secondary purpose), unless the individual has consented to the use or disclosure’ (or another exception applies).
APP 11 provides that ‘if an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances, to protect the information from misuse, interference and loss, and from unauthorised access, modification or disclosure’.”
Since Facebook Inc and Facebook Ireland (the respondents listed in the proceedings) are both incorporated outside of Australia, the Commissioner was required to apply for leave to serve the documents. To receive permission to serve documents in a foreign country, the Commissioner needed to demonstrate to the Federal Court that:
This is largely a procedural requirement; however, it did require the Commissioner to demonstrate that Facebook Inc and Facebook Ireland are organisations subject to the Privacy Act or that they fall under the extra-territorial operation of the Privacy Act.
This is an important issue for all international organisations whose activities affect Australian citizens but who may not have a physical presence (office, employees etc) in Australia.
The Federal Court approved the Commissioner’s request to serve the related documents in April 2020.
In May 2020, Facebook applied to have the April 2020 orders set aside. In practical terms, this would mean the Commissioner would be unable to continue with the proceedings against Facebook. A single judge of the Federal Court dismissed the application, which was sought by Facebook Inc and Facebook Ireland, in September 2020.
Facebook Inc then appealed the Federal Court’s decision to dismiss its application to have those orders set aside. Until 7 February 2022, there hadn’t been any movement relating to these legal proceedings.
On 7 February 2022, the Full Bench of the Federal Court of Australia dismissed Facebook Inc’s appeal.
The Court heard about Facebook’s data processing practices, and considered the following two broad questions:
The Court deemed that the answer to these two questions is yes.
Facebook Inc’s argument that it “had not technically conducted business in Australia or collected and held personal information in Australia” was thrown out, and the appeal was therefore dismissed. In practice, this means that the Commissioner is permitted to serve the legal proceedings against Facebook Inc and Facebook Ireland, as per the orders in April 2020.
Facebook was also ordered to pay the Australian Information Commissioner’s costs for the appeal.
It’s important to bear in mind that this does not mean the Commissioner has successfully argued that Facebook breached the Privacy Act 1988. Instead, it means that the Commissioner has won the right to serve Facebook Inc with the originating documents relating to the legal proceedings and continue with the landmark claim against them.
The FTC imposed a $5 billion penalty and a suite of new privacy restrictions on Facebook in the wake of the scandal, and the UK Information Commissioner’s Office agreed to a £500,000 fine being paid by Facebook for the same circumstances. Given that the OAIC was slow to initiate proceedings against Facebook, and given the relatively small number of individuals whose privacy was breached and the lower fines applicable to breaches of the Australian Privacy Act, we aren’t anticipating the Australian penalty against Facebook to be as severe as the British or American fines. As a result, we also wouldn’t be surprised to see Facebook and the OAIC come to a settlement outside of court.
We will keep you updated as the matter progresses.