OAIC and Facebook’s Enforceable Undertaking … Kind Of Good News??
This week, Meta (Facebook) and the OAIC announced they had agreed to an enforceable undertaking (EU), which includes a payment of $50 million to affected users. There is little doubt that this is the “largest ever payment” dedicated to addressing privacy concerns in Australia, with previous damages and compensation awards in the tens of thousands of dollars rather than millions.
The enforceable undertaking concludes the civil penalty suit commenced in 2020 against Facebook, relating to the Cambridge Analytica scandal from 2018. The ‘agreement’ was reached as part of a court-ordered mediation, which has been ongoing since February 2024. As part of the resolution, the Commissioner has withdrawn the civil penalty proceedings in the Federal Court.
This case was the first time the OAIC used its powers to seek a substantial penalty for serious or repeated infringements of the Privacy Act.
While good for impacted users, and not so good for the lawyers involved for either side (though they have had over 4 years working on the case), are there other downsides from the settlement?
Background
The OAIC action against Facebook was prompted by 2018 revelations that Facebook allowed Cambridge Analytica (the British political consulting firm) to access personal data of millions of users. That data was allegedly used to influence voter behaviour during the 2016 U.S. presidential election and also in the UK as part of the Brexit campaign.
In Australia, the Commissioner alleged that Facebook breached privacy laws in 2014 and 2015 by giving the personal information of some Australian Facebook users (thought to be fewer than 60) to the This is Your Digital Life app. Those users’ information was then exposed to the political consulting firm Cambridge Analytica and risked being used for political profiling. Facebook had argued it was not responsible for the allegedly unlawful access to Australians’ personal data.
The scandal led to several legal actions and settlements across various jurisdictions including:
- UK Information Commissioner’s Office Investigation: In 2018, the UK’s ICO conducted an investigation into Facebook’s data practices following the Cambridge Analytica revelations. Facebook was fined £500,000, the maximum penalty under the Data Protection Act 1998, for failing to safeguard user data.
- US Class-Action Lawsuit Settlement: In December 2022, Meta agreed to pay $725 million to settle a private class-action lawsuit related to the improper sharing of user data with Cambridge Analytica and other third-party companies.
And there’s another big case brewing. The decision to enter an enforceable undertaking with the OAIC may not be unrelated to news earlier this month that the U.S. Supreme Court has allowed a multibillion-dollar stockholder class-action lawsuit against Meta to proceed. In this case, investors allege that Meta failed to disclose the risks associated with user data misuse by Cambridge Analytica, leading to significant stock price declines in 2018.
The possible billion-dollar outcome of this suit somewhat dwarfs the Australian payment.
It is worth noting that since these civil penalty proceedings against Meta started in March 2020, the penalties for serious or repeated infringements have increased from $1.7 million for each interference to the greater of $50 million, three times the value of any benefit obtained through the misuse of information, or 30% of a company’s adjusted turnover in the relevant period. If brought today, substantially higher penalties could be expected to be sought.
What does Meta think?
A spokesperson for Meta said the company entered into the Enforceable Undertaking on a no-admissions basis.
“It is in the best interest of our community and shareholders that we close this chapter on allegations that relate to past practices no longer relevant to how Meta’s products or systems work today,” the statement read.
“We look forward to continuing to build services Australians love and trust with privacy at the forefront.”
Who will be eligible for payment?
The $50 million payment to the Australian Information Commissioner will be open to users impacted by the Cambridge Analytica scandal.
The Commissioner said that the settlement “represents a substantive resolution of privacy concerns raised by the Cambridge Analytica matter, gives potentially affected Australians an opportunity to seek redress through Meta’s payment program, and brings to an end a lengthy court process.”
The Enforceable Undertaking requires Meta to set up a payment scheme, which will be run by an independent third-party administrator (to be appointed by Meta). The scheme will be open to individuals who:
- held a Facebook Account between 2 November 2013 and 17 December 2015;
- were present in Australia for more than 30 days during that period; and
- either installed the This is Your Digital Life app or were Facebook friends with an individual who installed the app.
The payment scheme will be structured into two tiers of payments:
- The first will permit individuals to apply for a base payment if they believe they experienced generalised concern or embarrassment because of the matter.
- The second category will provide for specific payment, likely to be higher than the base payment, to those who can demonstrate they have suffered loss or damage.
Not sure if this is you? Meta is required to identify those eligible, help notify them, and to tell the third-party administrator to publicise the scheme.
It’s been estimated that only 53 people in Australia installed the app. However, the OAIC estimates that an additional 311,074 Facebook users who were Facebook “friends” of people who installed the app may also have had their personal information compromised.
The third-party administrator will also establish a timely internal review avenue for individuals in relation to the payment scheme. The Office of the Australian Information Commissioner anticipates individuals may be able to start applying to the payment program in the second quarter of 2025.
Any residual funds not exhausted in the payment scheme will be paid into the Commonwealth’s Consolidated Revenue Fund. Meta also paid a contribution to the Commissioner’s legal costs.
Details for accessing the payment scheme will be made public by the administrator in the second quarter of 2025. But if you don’t want to wait, Meta previously set up a webpage (here) that will tell you if you were affected.
Is it enough?
This is the first time the Commissioner has sought a civil penalty order under the Privacy Act – a power the office has had since 2014. The action was commenced in 2020, 2 years after the issues were made public and following significant interventions by other regulators. As well as the UK ICO fine already referred to, the US Federal Trade Commission settled with Meta on a record-breaking US$5 billion (A$7.86 billion) payment in 2022.
Given that the issue had already been broadly prosecuted overseas, it should have been reasonably straightforward in Australia. However, December 2024 is more than 4.5 years from the commencement of the action, and the outcome is a ‘no admission’ agreed enforceable undertaking.
Enforceable undertakings are very useful in resolving complex cases, without the need for protracted and expensive litigation.
However, they are of little value to the broader community, as they provide no findings or interpretations of privacy principles and no binding judicial decision. They are of no jurisprudential value to the privacy community, eager for more detailed analysis of Australia’s Privacy Act.
There have been some interesting legal skirmishes along the way. They include Facebook’s argument that it is not subject to the Australian Privacy Act because it doesn’t carry on a business in Australia or collect or hold personal information in Australia. Not surprisingly, given the pervasiveness of Facebook in Australia, this argument was thrown out in 2002 (see our coverage here).
While the OAIC should definitely conserve its limited resources, it would be helpful to have more precedents in this space to guide the practices of technology providers and other covered entities.
As far as we know, the OAIC is continuing in its action against Australian Clinical Labs (see our post here), relating mainly to their failure to secure personal information, as well as Optus and Medibank. The ACL case was commenced a week after the OAIC’s regulatory actions (in particular, its lack thereof) were criticised in Senate Estimates. In those hearings, Greens Senator David Shoebridge noted that the OAIC had been notified of 1,748 data breaches in the last two financial years but “not a single penalty has been issued”.
Perhaps these decisions will help throw more light on judicial interpretations of the Australian Privacy Principles.
Resources
- Read the enforceable undertaking.
- OAIC announcement