Readers may recall the Facebook Cambridge Analytica scandal from April 2018
Facebook admitted more than 311,000 Australian users were amongst up to 87 million users worldwide whose data on Facebook was compromised by Cambridge Analytica. It resulted from Cambridge Analytica harvesting third party information, including from other Facebook account holders, without consent.
As at March 2020, it has had a sequel. The OAIC has commenced proceedings in the Federal Court in Australia alleging that Facebook committed serious and/or repeated breaches of privacy, in breach of the Australian Privacy Act. It is alleged that the information was obtained by Cambridge Analytica via the use of a “this is your digital life” quiz app, the information gathered from which was then used for political profiling. Compromised information included names, photos, birth dates, email addresses, cities, Facebook friend lists, page likes, and even messages. Armed with the information, it enabled the use of targeted digital adverts.
The data gathered was not just from those who took the quiz but also their social media networks. It is estimated that 87 million people were affected by the privacy breach. It could be much more.
While some 311,000 Australians had their data compromised by this app, the court documents allege that only 53 people in Australia had installed the offending app (and it is alleged elsewhere about 270,000 worldwide). One of the concerns was that the information was used for highly political purposes, including with apparent intent to influence the US election and the BREXIT referendum in the UK.
There can be shades of grey between cyber matters and privacy breaches.
The Privacy Act of Australia acts to protect those faced with the collection and use of personal information, where they may be exposed, without being offered the opportunity to choose or to be informed. Facebook did not adequately inform or protect users from the apps default manner, which collected and distributed their and/or their friends’ personal information. The OAIC claims this is a breach of 6 and 11 of the Australian Privacy Principles and s 13G Privacy Act.
Many affected people doubtless felt their information had been misappropriated.
A fundamental principle underpinning the Privacy Act is to hold organisations responsible.
The proceedings indicate the willingness of the OAIC to move well beyond the educational aspect that has underpinned much of its recent conduct and to take significant steps as a regulatory authority to prosecute apparent breaches of the law.
The proceedings will take some time to play out. Ultimately what the outcome will be is uncertain. It will, however, be an important test of the Australian Privacy Act.
Ensuring your organisation and/or individual privacy is compliant under Privacy Act 1988 (Cth) may not be on the forefront of your business or personal agenda. It is an obligation that requires attention.
If you have any questions in relation to this article, please contact Iain Freeman.