Privacy watchdog sues Facebook over Cambridge Analytica scandal

The OAIC claims “serious and/or repeated” interference with over 300,000 Australians whose privacy was affected.


The Office of the Australian Information Commissioner (OAIC) has filed a lawsuit against Facebook in a Federal Court alleging its systems, which allowed Cambridge Analytica to harvest user data from an app, violated Australian privacy laws.

The Australian privacy watchdog has accused Facebook in legal proceedings of “serious and/or repeated” interference with over 300,000 Australians whose privacy was affected by contacts who’d installed a personality quiz app. Data from the app was shared with controversial and now defunct UK political consultancy Cambridge Analytica, which used the data for political profiling ahead of the 2016 US presidential election.

OAIC’s lawsuit alleges Facebook failed to take independent steps to ensure that Kogan or Cambridge Analytica and its parent SCL had destroyed improperly accessed data as per agreements Facebook made with the parties in June 2016.

The lawsuit follows a two-year investigation by the OAIC into Facebook data that may have been illegally harvested by Cambridge Analytica from the Your Digital Life Facebook app, which was made by Dr Aleksandr Kogan.

Just 53 Australian users installed the app but the privacy breach affected around 311,127 Australian Facebook users who were part of the 87 million Facebook users worldwide whose profile data were exposed to Cambridge Analytica.

Facebook faces fines of up to A$1,700,000 per serious and/or repeated interference with privacy in the Australian lawsuit, according to the OAIC. Any fines arising from the Australian lawsuit would add to those issued by the US and UK last year. The US Federal Trade Commission fined Facebook a record US$5 billion in December 2019, a month after Facebook accepted the UK’s Information Commissioners Office . Facebook could have been fined far more in the UK if the breach had occurred after the May 2018 introduction of the EU’s General Data Protection Regulation, which permits fines of up to 4% of annual global revenue.

The OAIC alleges the design of Facebook’s platform in 2014-15 didn’t allow users to make a reasonable choice about how their personal information was disclosed, thereby violating Australia’s Privacy Act of 1988.

OAIC privacy commissioner Angelene Falk said all organizations operating in Australia must comply with the country’s laws about handling personal information with transparency. “We consider the design of the Facebook platform meant that users were unable to exercise reasonable choice and control about how their personal information was disclosed,” she said. “Facebook’s default settings facilitated the disclosure of personal information, including sensitive information, at the expense of privacy. … “We claim these actions left the personal data of around 311,127 Australian Facebook users exposed to be sold and used for purposes including political profiling, well outside users’ expectations,” she added.

Facebook said in a statement that it had implemented meaningful changes during the course of OAIC’s investigation: “We’ve actively engaged with the OAIC over the past two years as part of their investigation. … We’ve made major changes to our platforms, in consultation with international regulators, to restrict the information available to app developers, implement new governance protocols and build industry-leading controls to help people protect and manage their data. We’re unable to comment further as this is now before the Federal Court.”

Copyright © 2020 IDG Communications, Inc.
