Australian privacy regulators filed a lawsuit in federal court last Monday over Facebook's privacy breach in the Cambridge Analytica data scandal. The Australian Information Commissioner’s office has accused the social media giant of “serious repeated interference in privacy laws.”
The Australian privacy regulator said in its statement of claim that Facebook violated Australian privacy laws when it disclosed users’ personal information to the “This Is Your Digital Life” application.
Facebook disclosed personal information of the Affected Australian Individuals. Most of those individuals did not install the “This is Your Digital Life” App; their Facebook friends did. Unless those individuals undertook a complex process of modifying their settings on Facebook, their personal information was disclosed by Facebook to the “This is Your Digital Life” App by default. Facebook did not adequately inform the Affected Australian Individuals of the manner in which their personal information would be disclosed, or that it could be disclosed to an app installed by a friend, but not installed by that individual.
Facebook failed to take reasonable steps to protect those individuals’ personal information from unauthorised disclosure. Facebook did not know the precise nature or extent of the personal information it disclosed to the “This is Your Digital Life” App. Nor did it prevent the app from disclosing to third parties the personal information obtained. The full extent of the information disclosed, and to whom it was disclosed, accordingly cannot be known. What is known, is that Facebook disclosed the Affected Australian Individuals’ personal information to the “This is Your Digital Life” App, whose developers sold personal information obtained using the app to the political consulting firm Cambridge Analytica, in breach of Facebook’s policies.
As a result, the Affected Australian Individuals’ personal information was exposed to the risk of disclosure, monetisation and use for political profiling purposes.
Currently, the maximum fine for serious or repeated violations of privacy laws is $1,700,000. More than a year ago, the UK’s Office of the Information Commissioner investigated Facebook over the Cambridge Analytica data scandal and fined the company £500,000. The outcome of the Australian proceedings is pending.