Australia’s privacy watchdog is taking Facebook to court. It’s a good start.

Katharine Kemp, UNSW and Kayleen Manwaring, UNSW

On Monday, the Office of the Australian Information Commissioner (OAIC) brought proceedings against Facebook in the Federal Court, asking the court to impose financial penalties for serious interference with the privacy of more than 300,000 Australians.

To our knowledge, this is the first time the privacy regulator has sought civil penalty orders under the Privacy Act.

Facebook responded by saying it had made “major changes” to its platforms “in consultation with international regulators”.

This response is none too comforting, given Facebook’s current data practices (which include collecting data of consumers who have never used Facebook). The company also has a history of misrepresentations regarding data privacy.

What is Facebook being sued for?

In 2014, Facebook users were offered an app called “This is Your Digital Life”, which paid users to take a personality quiz. The app harvested the data not only of the person taking the quiz but also of their Facebook friends, who had no knowledge of the app or the data collection.

The app developer then sold that information to a political lobbying company, Cambridge Analytica, which used the personal data for political profiling. This profiling was apparently used to aid in the election of US President Donald Trump in 2016, among other things.

Worldwide, approximately 87 million Facebook users were affected. In Australia, only 53 users downloaded the app, but still, around 311,000 people were affected.

The OAIC alleges that Facebook contravened the Privacy Act by allowing users’ personal data to be used for purposes that were not properly disclosed, and by failing to take proper steps to protect users’ personal data.

Better late than never

The OAIC’s action follows similar action against Facebook by regulators around the world. In 2018, the UK privacy regulator fined Facebook the maximum GBP500,000 over the Cambridge Analytica breach. Last year, the US Federal Trade Commission (FTC) settled with Facebook on a record-breaking US$5 billion payment in respect of related conduct.

While the OAIC’s action should be encouraged, we should not overestimate the impact on Facebook.

If the Federal Court finds the alleged contraventions occurred, Facebook could face fines of up to A$1.7 million for each contravention. (There is likely to be debate over what constitutes a single contravention, and therefore how many contraventions there were.) That may sound hefty, but we should put it in context.

When the US$5 billion settlement with the FTC was announced last year, Facebook’s share price went up. The settlement represented only about 7% of Facebook’s 2019 revenue of more than US$70 billion.

Facebook is still collecting data about non-Facebook users

Facebook responded to this week’s announcement of the OAIC action by saying it has upgraded privacy protections:

“We’ve made major changes to our platforms, in consultation with international regulators, to restrict the information available to app developers, implement new governance protocols and build industry-leading controls to help people protect and manage their data.”

But has the leopard changed its spots? While Facebook has made some adjustments to the settings available to Facebook users, it continues, for example, to track the activities of consumers on third-party websites, when a Facebook user is not logged in and even when the consumer has never been a Facebook user.

Facebook says it collects information about anyone who visits a website or app that uses “Facebook Products”, which includes anywhere you see Facebook “Like” buttons or an option to “sign in with Facebook”.

You don’t need to click on the “Like” button or sign in with Facebook for this to happen. According to Facebook, it collects this information “without any further action from you”.

Facebook does this by placing a cookie on your computer or device when you visit the third-party website. It then collects data about what you do online, including your use of other websites and apps, and information about your device, which can be highly individual.

As the Australian Competition and Consumer Commission pointed out last year, it’s unlikely non-Facebook users could even find out about this practice.

What could they do with our data?

According to its Cookie Policy, Facebook can broadly use this data to offer you products and to “understand the information we receive about you, including information about your use of other websites and apps, whether or not you are registered or logged in”.

In 2018, Facebook told the US House of Representatives that it does “not use web browsing data to show ads to non-users or otherwise store profiles about non-users”. However, its Cookie Policy does not reflect these claims, and it has not said it will stop collecting this data.

More than that, Facebook has in the past claimed it will limit data use, before going back on it later. When Facebook acquired WhatsApp in 2014, it told regulators it would be unable to automatically match Facebook and WhatsApp user accounts after the merger. The European Commission has since fined Facebook for making incorrect or misleading representations in this respect.

Similarly, the action brought by the US FTC referred to repeated misrepresentations by Facebook about the extent to which users could control the privacy of their data.

Facebook may have made some changes, but it is still an advertising business with a history of privacy infringements that makes tens of billions of dollars each quarter from collecting and monetising oceans of personal data.

Other companies are similarly focused on extracting personal data at the expense of privacy. Consumers should hope this is only the first of many more actions by the privacy regulator.

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Authors

  • Dr Katharine Kemp is a Senior Lecturer at the Faculty of Law, UNSW Sydney, and Academic Lead of the UNSW Grand Challenge on Trust. Katharine’s research focuses on competition law (particularly misuse of market power), consumer protection and data privacy regulation. She has published widely in these fields, including "Misuse of Market Power: Reform and Rationale" (Cambridge University Press, 2018), "Competition Law of South Africa" (LexisNexis) with PJ Sutherland, and numerous peer-reviewed journal articles. Katharine is the Co-Leader of the "Data as a Source of Market Power" research stream for The Allens Hub for Technology, Law and Innovation, with Dr Rob Nicholls of the UNSW Business School. She is also the convenor of the new postgraduate course, "Financial Law and Regulation in the Age of Fintech" (LAWS8174), and lectures Contracts at UNSW Law. Before joining the faculty, Katharine was a Research Fellow on the UNSW Digital Financial Services Research Team, conducting in-depth research into the regulation of digital financial services in developing countries in particular, including through fieldwork in these countries. She has also practised as a commercial lawyer in major law firms, as a barrister in Melbourne, and consulted to the Competition Commission of South Africa during the six years that she lived and worked in South Africa. She is a Member of the Centre for Law and Market Regulation, a Member of the Australian Privacy Foundation and a Member of the Advisory Board of the Future of Finance Initiative in India.

  • Dr Kayleen Manwaring is a Senior Lecturer, School of Taxation & Business Law, UNSW. Prior to joining the School, Kayleen also taught law in the Business & Economics Faculty at Macquarie University. Until March 2012, she spent many years working as a commercial lawyer and in law firm management, in Sydney and London. Her work in practice primarily focused on technology acquisition and licensing, intellectual property, and communications. Her research interests lie at the intersection between emerging technologies, particularly information technology, and the law of contract, consumer protection and competition law, intellectual property law and corporations law. She has recently completed a major research project on the implications for consumer contracts of the Internet of Things and associated technologies. She teaches corporations and business associations law, intellectual property law and information technology law.
