The Australian Information Commissioner commences civil penalty proceedings against Facebook under section 13G of the Privacy Act
March 10, 2020
Yesterday, 9 March 2020, the Australian Information Commissioner commenced proceedings against Facebook in the Federal Court. The citation is Australian Information Commissioner v Facebook Inc & Facebook Ireland Limited (court number NSD 246/2020).
It has taken 2 years for the Information Commissioner to conclude her investigation into Facebook’s conduct in permitting personal information to be misused through the This is Your Digital Life app, from which it was disclosed to Cambridge Analytica. The UK Information Commissioner resolved its investigation and issued a monetary penalty notice of 500,000 pounds in October 2018. The US Federal Trade Commission imposed a $5 billion penalty for Facebook’s breach of its previous order in July 2019.
This litigation will be significant as it is the first consideration of the operation of section 13G of the Privacy Act, a civil penalty provision for serious or repeated interferences with privacy. Unfortunately the Information Commissioner has not proven to be an adept litigator to date, though Facebook’s egregious conduct in permitting its users’ personal information to be misused is well documented. What is less clear is how the Commissioner will convince the Court that the statutory limit of $1.7 million for an infraction applies to each breach. That will be a significant point of dispute.
The Australian Information Commissioner’s media release provides:
The Australian Information Commissioner has lodged proceedings against Facebook in the Federal Court, alleging the social media platform has committed serious and/or repeated interferences with privacy in contravention of Australian privacy law.
The Commissioner alleges that the personal information of Australian Facebook users was disclosed to the This is Your Digital Life app for a purpose other than the purpose for which the information was collected, in breach of the Privacy Act 1988.
The information was exposed to the risk of being disclosed to Cambridge Analytica and used for political profiling purposes, and to other third parties.
“All entities operating in Australia must be transparent and accountable in the way they handle personal information, in accordance with their obligations under Australian privacy law,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.
“We consider the design of the Facebook platform meant that users were unable to exercise reasonable choice and control about how their personal information was disclosed.
“Facebook’s default settings facilitated the disclosure of personal information, including sensitive information, at the expense of privacy.
“We claim these actions left the personal data of around 311,127 Australian Facebook users exposed to be sold and used for purposes including political profiling, well outside users’ expectations.”
The statement of claim lodged in the Federal Court today alleges that, from March 2014 to May 2015, Facebook disclosed the personal information of Australian Facebook users to This Is Your Digital Life, in breach of Australian Privacy Principle 6. Most of those users did not install the app themselves, and their personal information was disclosed via their friends’ use of the app.
The statement of claim also alleges that Facebook did not take reasonable steps during this period to protect its users’ personal information from unauthorised disclosure, in breach of Australian Privacy Principle 11.
Commissioner Falk considers that these were systemic failures to comply with Australian privacy laws by one of the world’s largest technology companies.
The concise statement filed with the Court provides:
1. The Australian Information Commissioner (Commissioner) alleges that, during the period 12 March 2014 to 1 May 2015 (the Relevant Period), Facebook Inc and Facebook Ireland Ltd (together, Facebook) seriously and/or repeatedly interfered with the privacy of approximately 311,127 Australian Facebook Users (Affected Australian Individuals) by disclosing their personal information (including sensitive information) to a third party application (the “This is Your Digital Life” App).
2. Facebook disclosed personal information of the Affected Australian Individuals. Most of those individuals did not install the “This is Your Digital Life” App; their Facebook friends did. Unless those individuals undertook a complex process of modifying their settings on Facebook, their personal information was disclosed by Facebook to the “This is Your Digital Life” App by default. Facebook did not adequately inform the Affected Australian Individuals of the manner in which their personal information would be disclosed, or that it could be disclosed to an app installed by a friend, but not installed by that individual.
3. Facebook failed to take reasonable steps to protect those individuals’ personal information from unauthorised disclosure. Facebook did not know the precise nature or extent of the personal information it disclosed to the “This is Your Digital Life” App. Nor did it prevent the app from disclosing to third parties the personal information obtained. The full extent of the information disclosed, and to whom it was disclosed, accordingly cannot be known. What is known, is that Facebook disclosed the Affected Australian Individuals’ personal information to the “This is Your Digital Life” App, whose developers sold personal information obtained using the app to the political consulting firm Cambridge Analytica, in breach of Facebook’s policies.
4. As a result, the Affected Australian Individuals’ personal information was exposed to the risk of disclosure, monetisation and use for political profiling purposes.
5. The Commissioner alleges that Facebook’s disclosure of the Affected Australian Individuals’ personal information for a purpose other than that for which it was collected breached Australian Privacy Principle (APP) 6.
6. The Commissioner further alleges that Facebook’s failure to take reasonable steps to protect the Affected Australian Individuals’ personal information from unauthorised disclosure breached APP 11.
7. These breaches amounted to serious and/or repeated interferences with the privacy of the Australian Affected Individuals, in contravention of s 13G of the Privacy Act 1988 (Cth) (Privacy Act).
B. IMPORTANT FACTS GIVING RISE TO THE CLAIM
(1) How Facebook works
8. The website www.facebook.com, which is also accessible via Facebook’s associated mobile applications (Facebook Website), allows users who create an account (Users) to build an online social network with other Users on the Facebook Website.
9. The accumulation of Users’ personal information is integral to Facebook’s business. Facebook encourages Users to share detailed personal information, such as their real name, date of birth, hometown, current city, employer, as well as “sensitive information” (as defined in the Privacy Act, s 6) about their relationships, political views, sexual orientation and religious beliefs. Through this, Facebook collects and holds a substantial volume of information about Users. Facebook monetises that information by selling advertising, including advertisements targeted at Users by reference to their particular demographics. In 2019, almost all of Facebook’s global US$70.69 billion revenue came from advertising.
(2) Apps and the “This is Your Digital Life” App
10. During the Relevant Period, apps could request personal information from Users’ Facebook accounts using a tool called the Graph Application Programming Interface (Graph API). Version 1 of the Graph API was in place during the Relevant Period (Graph API V1).
11. Through the Graph API V1, an app could request a wide range of information about not only those who had installed an app (Installers) but also their friends who had not installed the app (Friends). This included requests for sensitive information. Although Facebook had in place rules about what kinds of information an app could request, Facebook relied on app developers’ self-assessment that an app complied with its rules.
12. In response to a request from an app, Facebook disclosed information about Installers and Friends, subject to the User’s settings. However, a User’s “privacy settings” did not alone control how a User’s personal information was shared with apps, including apps installed by Users’ friends. Unless a User modified their “apps settings”, various categories of the User’s personal information, including sensitive information, would be disclosed to apps installed by their friends by default.
13. The “This is Your Digital Life” App was a personality survey or quiz. It was developed by Dr Aleksandr Kogan, a researcher, who later established Global Science Research Limited (GSR). It was not part of, and operated independently of, the Facebook Website. The Graph API allowed the “This is Your Digital Life” App to request information from the Facebook accounts of 305,000 Facebook Users globally who were also Installers of the app, of which approximately 53 were Australian. The Graph API also allowed the app to request from Facebook the personal information of approximately 86,300,000 Facebook Users globally (approximately 311,074 of whom were Australian Facebook Users) who were Friends (that is, they did not install the app themselves).
14. On 30 April 2014, a new version of the Graph API (Graph API V2) was launched by Facebook. Under Graph API V2, app developers wishing to request more than basic information from Friends and Installers had to undergo a manual app review process (App Review). Such requests would only be approved where, among other things, the additional information clearly improved the User’s experience of the app. However, Facebook allowed apps using Graph API V1 a 12-month ‘grace period’ (Grace Period) to migrate to Graph API V2.
15. On 6 May 2014, the developers of the “This is Your Digital Life” App submitted an application for App Review. On 7 May 2014, Facebook rejected that application, on the basis that the app would not be using the data gained through extended permissions to enhance a User’s in-app experience. Despite this, Facebook permitted Dr Kogan and/or GSR to continue requesting Installers’ and Friends’ information using the Graph API V1 for a further 12 months until the end of the Grace Period on 1 May 2015. In effect, this meant that Dr Kogan and/or GSR were able to continue requesting Friends’ and Installers’ information under Graph API V1 until 1 May 2015.
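As an added illustration of the permission regime described in paragraphs 11 to 15 above (and in paragraphs 10, 21 and 22 of the statement of claim later on this page), the following Python models the pleaded default-allow disclosure to apps installed by a User’s friends beside a default-deny regime that releases nothing beyond the public profile without the data subject’s own grant, and keeps a ledger of every disclosure so its extent can be audited. This is constructed example code written for this page, not Facebook code and not text from the pleading; the category names, settings fields and function names are assumptions chosen to mirror the pleaded facts, not real Graph API fields.

```python
"""Toy model of the two app-permission regimes contrasted on this page.

Added illustration only: not Facebook code and not text from the pleading.
Category names, settings fields and function names are assumptions chosen to
mirror the pleaded facts, not real Graph API fields.
"""
from dataclasses import dataclass, field

# Categories the statement of claim says always remained "public" (para 10.1).
PUBLIC_PROFILE = {"name", "gender", "profile_picture"}

# Categories the statement of claim treats as sensitive information (para 9).
SENSITIVE = {"religious_views", "political_views", "relationship_status"}

# Assumed full set of profile categories an app could request.
ALL_CATEGORIES = PUBLIC_PROFILE | SENSITIVE | {"hometown", "likes", "photos"}


@dataclass
class UserSettings:
    """One data subject's settings; every field starts at the pleaded default."""
    # Per-category visibility; an unlisted category defaults to "public"
    # (para 10.3), so the "Only Me" opt-out (para 22.1) must be set explicitly.
    visibility: dict = field(default_factory=dict)
    # Categories still ticked under "apps others use" (para 22.2.1); the
    # pleaded default is that nothing has been unticked.
    apps_others_use: set = field(default_factory=lambda: set(ALL_CATEGORIES))
    # Apps this subject installed, mapped to the categories they agreed to
    # supply (para 21.3.1). This is the only direct grant the subject gives.
    installed_apps: dict = field(default_factory=dict)


@dataclass
class DisclosureLedger:
    """Record of every disclosure: the kind of record the concise statement
    says should have been kept and audited (para 19.2), and whose absence
    meant the extent of disclosure could not be known (para 3)."""
    entries: list = field(default_factory=list)

    def record(self, app, subject_id, categories, regime):
        self.entries.append((app, subject_id, frozenset(categories), regime))

    def sensitive_disclosures(self):
        """Entries that released at least one sensitive category."""
        return [e for e in self.entries if e[2] & SENSITIVE]


def disclose_v1_default(app, subject_id, subject, requested, installed_by_subject, ledger):
    """Default-allow regime as pleaded for Graph API V1: a friend's app gets every
    requested category unless the subject set it to "Only Me" or unticked it under
    "apps others use". An installer's own grant is honoured for their own data."""
    if installed_by_subject:
        granted = subject.installed_apps.get(app, set())
        released = requested & (granted | PUBLIC_PROFILE)
    else:
        released = {
            c for c in requested
            if c in PUBLIC_PROFILE
            or (subject.visibility.get(c, "public") != "only_me"
                and c in subject.apps_others_use)
        }
    ledger.record(app, subject_id, released, "v1-default-allow")
    return released


def disclose_default_deny(app, subject_id, subject, requested, installed_by_subject, ledger):
    """Hardened regime: beyond the public profile, an app receives only what the
    data subject personally granted it (the direct, specific consent the concise
    statement says was required, para 19.3). Who installed the app is irrelevant,
    so the friend-installed path collapses into the same check."""
    granted = subject.installed_apps.get(app, set())
    released = requested & (granted | PUBLIC_PROFILE)
    ledger.record(app, subject_id, released, "default-deny")
    return released


def demo():
    """Constructed scenario: friend F never installed the quiz app and never
    changed a setting; installer I installed it and granted only "likes"."""
    ledger = DisclosureLedger()
    friend = UserSettings()
    installer = UserSettings(installed_apps={"quiz_app": {"likes"}})
    requested = {"name", "political_views", "religious_views", "likes", "photos"}

    v1_friend = disclose_v1_default("quiz_app", "F", friend, requested, False, ledger)
    v1_installer = disclose_v1_default("quiz_app", "I", installer, requested, True, ledger)
    deny_friend = disclose_default_deny("quiz_app", "F", friend, requested, False, ledger)
    return v1_friend, v1_installer, deny_friend, ledger


if __name__ == "__main__":
    v1_friend, v1_installer, deny_friend, ledger = demo()
    print("V1, friend-installed app, untouched settings:", sorted(v1_friend))
    print("V1, installer's own grant:", sorted(v1_installer))
    print("Default-deny, friend-installed app:", sorted(deny_friend))
    print("Ledger entries that released sensitive data:",
          len(ledger.sensitive_disclosures()))
```

The point of the contrast is where the burden sits: under the modelled V1 default the friend who never touched an app receives nothing unless they found and changed two separate settings, whereas under default-deny the absence of a grant is itself the answer, and the ledger makes the scope of what was released reviewable after the fact.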
C. ALLEGED CONTRAVENTIONS OF THE PRIVACY ACT
(1) Contraventions of APP 6 – Facebook disclosed personal information unlawfully
16. Under Australian Privacy Principle (APP) 6, if Facebook held personal information that was collected for a particular (primary) purpose, it could not disclose that personal information for a secondary purpose unless it had the individual’s consent or certain exceptions applied.
17. Facebook collected the Affected Australian Individuals’ personal information for the purpose of enabling those individuals to build an online social network with other Users on the Facebook Website. However, Facebook did not disclose those individuals’ personal information to the “This is Your Digital Life” App for that purpose.
18. On each occasion on which Facebook disclosed the personal information of the Affected Australian Individuals to the “This is Your Digital Life” App, it breached the Privacy Act.
(2) Contraventions of APP 11 – Facebook’s failure to take reasonable steps to protect personal information from unauthorised disclosure
19. Under APP 11, Facebook was required to take such steps as were reasonable in the circumstances to protect the personal information Facebook held from unauthorised disclosure. During the Relevant Period, the steps that Facebook should have taken to comply with APP 11 included at least the following:
19.1. conducting an initial assessment and regular review of whether the “This is Your Digital Life” App’s requests for Users’ information complied with Facebook’s policies;
19.2. maintaining records of the personal information disclosed, and regularly reviewing these records to audit the nature and scope of disclosures;
19.3. implementing measures to ensure that any consent was obtained directly, before or at the time of disclosure, and was clear and specific;
19.4. after 7 May 2014, when Facebook had rejected the “This is Your Digital Life” App’s application to access Graph API V2: (i) carrying out a review of the categories of data which the “This is Your Digital Life” App had previously requested and obtained about the Affected Australian Individuals; and (ii) ceasing the disclosure of the Affected Australian Individuals’ personal information (including sensitive information) to Dr Kogan and/or GSR.
20. By failing to take such steps, Facebook breached the Privacy Act. These failures were systemic, in that deficient systems and processes were the root of Facebook’s failure to take these reasonable steps. And these omissions were inconsistent with the objects of the Privacy Act and APP 11, which seek to promote the responsible and secure handling of personal information.
(3) Civil penalties
21. Under s 13G of the Privacy Act, an entity will be liable for a civil penalty if: (a) it does an act, or engages in a practice, that is a serious interference with the privacy of an individual (that is, a serious breach of the Privacy Act in relation to personal information about the individual); or (b) repeatedly does an act, or engages in a practice, that is an interference with the privacy of one or more individuals. Each contravention within the Relevant Period attracted a maximum penalty of $1,700,000.
22. In this case, each of the acts done, or practices engaged in, by Facebook set out above was a contravention of s 13G(a) and/or (b) of the Privacy Act.
D. RELIEF SOUGHT
23. The Commissioner seeks the following relief from the Court:
23.1. Declaratory relief under s 21 of the Federal Court of Australia Act 1976 (Cth);
23.2. Orders that Facebook pay civil pecuniary penalties under s 80W of the Privacy Act (as applicable for contraventions that occurred during the Relevant Period);
23.3. Costs
E. ALLEGED HARM
24. A fundamental principle underpinning the Privacy Act is that organisations are responsible for the personal information they hold. Contrary to this principle, Facebook in effect transferred responsibility for protecting personal information to its Users and the operators of third party apps. Its default settings facilitated the disclosure of personal information, including sensitive information, at the expense of User privacy. Its failure to take proper steps to protect Australians’ personal information exposed its Users’ data to disclosure, monetisation and deployment for political profiling purposes beyond its Users’ reasonable expectations.
25. The opacity of Facebook’s settings and policies hampered the Australian Affected Individuals in understanding that their data was disclosed to the app. The design of the Facebook website was such that Users were unable to exercise consent or control over how their personal information was disclosed. This was inconsistent with the objects of the Privacy Act, which seek to promote the protection of the privacy of individuals, and responsible and transparent handling of personal information by entities such as Facebook.
26. Facebook’s disclosures, and its failure to take steps to prevent them, were systemic failures to comply with Australian privacy laws by one of the world’s largest technology companies. Failure to hold Facebook to account is apt to undermine public confidence in Australia’s privacy laws. Accountability for breaches of the Privacy Act that interfere with Australians’ privacy will encourage entities to comply with applicable privacy laws and to build privacy protections into the design and operation of their services.
27. To date, Facebook has been unable to provide the Commissioner with a precise record of the Australian Affected Individuals’ personal information that Facebook disclosed to the “This is Your Digital Life” App’s developers. That significant failing produces a circumstance in which anomalies may not be detected, or effectively investigated, in order to protect the personal information that the entity still holds. It underscores the shortcomings in Facebook’s attempts to protect its Users’ personal information from unauthorised disclosure.
The Statement of Claim provides:
1. The Applicant (the Commissioner):
1.1. is the Australian Information Commissioner appointed under s 14 of the Australian Information Commissioner Act 2010 (Cth) (the Australian Information Commissioner Act);
1.2. is the Head of the Office of the Australian Information Commissioner, a statutory agency established under s 5 of the Australian Information Commissioner Act.
2. The Commissioner’s functions are prescribed by Division 3 of the Australian Information Commissioner Act and include the “privacy functions” within the meaning of s 9 thereof.
Particulars
i. The privacy functions are functions conferred on the Commissioner by an Act (or an instrument under an Act), if the functions: (a) relate to the privacy of an individual; and (b) are not freedom of information functions.
ii. Division 2 of Part IV of the Privacy Act 1988 (Cth) (as in force on 5 November 2018) (the Privacy Act) confers privacy functions on the Commissioner. Under s 27(1)(a) of the Privacy Act, the Commissioner has the functions that are conferred on her by, or under, that statute or any other law of the Commonwealth.
iii. The Commissioner may apply, pursuant to Part VIB of the Privacy Act, to the Federal Court of Australia for an order that an entity that is alleged to have contravened a civil penalty provision under the Privacy Act pay the Commonwealth a pecuniary penalty.
3. The first respondent (Facebook Inc) is and was at all material times:
3.1. a corporation incorporated in Delaware, United States of America, and capable of being sued;
3.2. the parent company of a group of companies (Facebook or the Facebook Group) of which the second respondent (Facebook Ireland) is and was a member;
3.3. the ultimate owner of Facebook Ireland;
3.4. engaged in the business of supplying social network services through the operation of the Facebook website, www.facebook.com and associated mobile device applications (the Facebook Website), which allows users who create an account with the Facebook Website (Users) to build an online social network with other Users on the Facebook Website;
3.5. an organisation that had an Australian link within the meaning of s 5B(3) of the Privacy Act;
3.6. an entity, and an APP entity, within the meaning of the Privacy Act.
4. The second respondent, Facebook Ireland:
4.1. is and was at all material times a corporation incorporated in Ireland and capable of being sued;
4.2. in the period 12 March 2014 to 1 May 2015 (the Relevant Period):
4.2.1. was engaged in the business of supplying social network services through the operation of the Facebook Website which allowed Users to build an online social network with other Users on the Facebook Website;
4.2.2. provided the Facebook Website to Users located in Australia (Australian Users);
4.2.3. was an organisation that had an Australian link within the meaning of s 5B(3) of the Privacy Act;
4.2.4. was an entity and an APP entity within the meaning of the Privacy Act.
5. The allegations at paragraphs 6 to 39 relate to the Relevant Period unless otherwise pleaded.
B. REGISTRATION AND FEATURES OF THE FACEBOOK WEBSITE
6. An individual could register to become a User of the Facebook Website by creating a User account or “profile” (Account), which involved the individual being required to:
6.1. supply personal information including their name, date of birth, gender and an email address or, from early 2015, a mobile phone number;
6.2. create a password;
6.3. accept Facebook’s Statement of Rights and Responsibilities, as alleged in paragraphs 11 and 12;
6.4. agree that they had read Facebook’s Data Use Policy, as alleged in paragraphs 13 to 15.
7. Upon creation of an Account, Users of the Facebook Website were able to:
7.1. search for other Users;
7.2. request other Users to establish a connection with them on the Facebook Website which, if accepted, allowed the Users to become “Friends”;
7.3. add further personal information into their Facebook profile including a profile picture, the person’s hometown, educational history, work experience, relationship status, occupation, political and religious views, interests and photographs;
7.4. create and “post” content on the Facebook Website, where:
7.4.1. a post could take various forms including: freeform text, photographs, videos, “check-ins” (indicating a User’s geographic location at a particular time), and links to websites (such as articles on news websites);
7.4.2. the User was able to alter the breadth of the audience to whom that post was visible, such that the post was:
7.4.2.1. “public” (viewable to all Users of the Facebook Website);
7.4.2.2. visible only to the User’s Friends;
7.4.2.3. visible to Friends and also Friends of those Friends; or
7.4.2.4. visible to specific Friends selected by the User;
7.5. interact with the other Users’ posts, including by:
7.5.1. “liking” the post, by clicking an adjacent icon to signify their appreciation of it;
7.5.2. “commenting” on the post in a freeform text box appearing below the post, where such comments were viewable by other Users viewing the original post (regardless of whether they were Friends with the User who had posted the comment);
7.5.3. “liking” and “commenting” on comments beneath an original post;
7.6. interact with the “pages” of businesses, brands, organisations, celebrities or topics, including by “liking” the page;
7.7. send and receive messages via “Facebook Messenger” or “Chats”.
8. The information that a User supplied to the Facebook Website in registering for and using an Account was “personal information” within the meaning of s 6 of the Privacy Act.
9. Certain personal information that a User supplied to the Facebook Website in using an Account was also “sensitive information” within the meaning of s 6 of the Privacy Act.
Particulars
i. The personal information that was sensitive information that Users could supply to the Facebook Website included information or an opinion about:
A. their “religious and political views”;
B. who they were “interested in”;
C. their “relationship status”;
D. the “groups” of which they were part, depending on the nature and identity of the “group”;
E. the posts they had “liked”, depending on the subject matter of the post;
F. the pages they had “liked”, depending on the subject matter of the page;
G. the Facebook messages they sent or received via “Facebook Messenger” or “Chats”, depending on the subject matter of the messages.
10. During the Relevant Period:
10.1. a User’s first name and surname, gender, and any profile picture and/or cover photo at all times remained “public”;
10.2. the visibility of all other information provided by a User to the Facebook Website could be altered by the User to make that information:
10.2.1. “public”;
10.2.2. visible only to the User’s Friends;
10.2.3. visible to Friends and also Friends of those Friends;
10.2.4. visible to specific Friends selected by the User; or
10.2.5. visible only to the User (“Only me”).
10.3. where a User did not alter the visibility of information provided by the User to the Facebook Website (as alleged in paragraphs 10.2 and 16 to 20), that information (save for a limited number of exceptions such as “posts” and birthdate information) defaulted to being “public”.
Particulars
i. “Posts”, up until 22 May 2014, defaulted to “public” and thereafter defaulted to being visible to the User’s Friends.
ii. Birthdate information defaulted to being visible to Friends and also Friends of those Friends.
iii. Further particulars may be provided following discovery and evidence.
C. FACEBOOK’S STATEMENT OF RIGHTS AND RESPONSIBILITIES AND DATA POLICIES
C1. Statement of Rights and Responsibilities
11. In registering for an Account, a User was required to accept the Facebook Website’s Terms of Service (Statement of Rights and Responsibilities) (Statement of Rights and Responsibilities), of which certain terms provided:
11.1. that Facebook had designed its Data Use Policy to make disclosures about how a User could use the Facebook Website to share with others and how Facebook collected and could use a User’s content and information;
11.2. that for all of the content and information a User provided to the Facebook Website:
11.2.1. when a User used a third party application (app), the app could ask for the User’s permission to access the User’s content and information as well as content and information that others might have shared with the User;
Particulars
i. Third party apps were not part of, and operated independently of, the Facebook Website.
11.2.2. that Facebook required apps to respect Users’ privacy and that a User’s agreement with an app would control how the app could use, store and transfer that content and information;
11.2.3. when a User published content or information using the “public” setting, it meant that everyone, including persons off the Facebook Website, could access and use that information and associate it with the User (i.e., the User’s name and profile picture).
Particulars
i. During the Relevant Period, there were two iterations of the Statement of Rights and Responsibilities:
A. The version of the Statement of Rights and Responsibilities in place during that part of the Relevant Period from 12 March 2014 to 29 January 2015 was the version dated 15 November 2013.
B. The version of the Statement of Rights and Responsibilities in place during that part of the Relevant Period from 30 January 2015 was the version dated 30 January 2015.
ii. The Commissioner relies on the Statement of Rights and Responsibilities for its full force and effect as if set out in full herein.
12. The Statement of Rights and Responsibilities was not set out on the registration page of the Facebook Website, in that:
12.1. if an individual registering for an Account wished to view and read the Statement of Rights and Responsibilities, that person had to click on a link which took the person to a separate page displaying the Statement of Rights and Responsibilities;
12.2. an individual registering for an Account could complete the registration process, and accept the Statement of Rights and Responsibilities without clicking on the link which took the person to the Statement of Rights and Responsibilities.
C2. Data Use Policy
13. During the Relevant Period up to 29 January 2015, in registering for an Account, a User was required to agree that they had read the Facebook Data Use Policy, of which certain terms provided:
13.1. the “Facebook Platform” or “Platform” referred to the way in which Facebook helped a User share their personal information with apps that the User and the User’s Friends used;
13.2. if a User chose to make their personal information “public”, that information would be accessible to all apps the User and their Friends used;
13.3. if a User connected with an app, Facebook would give the app the “public profile” information for the User being:
13.3.1. the User’s name, profile pictures and cover photos, networks, gender, username and user ID;
13.3.2. the User’s Friend List (being the list of every person to whom the User has either sent a “Friend Request” that was accepted, or from whom they have accepted a “Friend Request”) (Friend List);
13.3.3. any other information set to “public”;
13.4. if a User connected with an app, Facebook would give the app information about the User and their Friends in order to make the User’s experience on the app more “personalised and social”;
13.5. the “Apps” setting on the Facebook Website allowed the User to:
13.5.1. control the apps the User used;
13.5.2. see the permissions the User had given to those apps;
13.5.3. remove the apps the User no longer wanted; or
13.5.4. turn off all apps;
Particulars
i. The version of the Data Use Policy in place during that part of the Relevant Period from 12 March 2014 to 29 January 2015 was the version dated 15 November 2013.
ii. The terms alleged are drawn from Section III of that version of the Data Use Policy entitled “Other websites and applications”.
iii. The Commissioner relies on the Data Use Policy for its full force and effect as if set out in full herein.
14. During the Relevant Period from 30 January 2015, in registering for an Account, a User was required to agree that they had read the Facebook Data Use Policy, the terms of which had the following effect:
14.1. if a User used an app, that app may receive information about what the User posted or shared on the Facebook Website;
14.2. if a User downloaded an app, Facebook would give the app the User’s “public profile” information which included the User’s username or user ID, age range and country/language, Friend List, as well as any information that the User shared with those Friends;
14.3. information collected by apps was subject to the apps’ own terms and policies;
14.4. the User could click on a link to “Learn More” about how the User could control the information about the User that the User or others share with apps.
Particulars
i. The version of the Data Use Policy in place during that part of the Relevant Period from 30 January 2015 was the 30 January 2015 version.
ii. The terms alleged are drawn from Section III of that version of the Data Use Policy, entitled “How is this information shared?”, under the heading “Apps, websites and third-party integrations on or using our Services”.
iii. The Commissioner relies on the Data Use Policy for its full force and effect as if set out in full herein.
15. At no time during the Relevant Period was the Data Use Policy set out on the registration page of the Facebook Website, in that:
15.1. if an individual registering for an Account wished to view and read the Data Use Policy, that person had to click on a link which took the person to a separate page displaying the Data Use Policy;
15.2. an individual registering for an Account could complete the registration process, and agree that they had read the Data Use Policy without clicking on the link which took the person to the Data Use Policy.
D. MODIFICATION OF USERS’ SETTINGS
D1. Modification of privacy settings
16. After registration of an Account, a User was able to modify their Account’s privacy settings through the “privacy settings and tools” page accessed through a “settings” tab or icon on the Facebook Website.
17. The “privacy settings and tools” page contained a settings control titled “Who can see my stuff?”, where a User could alter the privacy level for posts, such that posts were either:
17.1. “public”;
17.2. visible only to the User’s Friends;
17.3. visible to Friends and also Friends of those Friends;
17.4. visible to specific Friends selected by the User; or
17.5. visible only to the User (“Only Me”).
18. Alternatively, a User could use the “audience selector tool” to select the privacy setting levels for individual posts, including status updates, photos and other features, such that content was:
18.1. “public”;
18.2. visible only to the User’s Friends;
18.3. visible to specific Friends selected by the User;
18.4. visible only to the User (“Only Me”).
19. If a User wished to modify the privacy settings for the User’s profile information (save for the information alleged in paragraph 10.1), a User could not do so via the “privacy settings and tools” page alleged in paragraph 17, but was instead required to:
19.1. access the User’s “Profile” page;
19.2. select the “About” tab;
19.3. adjust the default privacy setting (being “public”) for each piece of information contained in the User’s profile to either “Friends” or “Only Me”.
20. If a User wished to modify the privacy settings for the User’s Friend List, a User could not do so via the “privacy settings and tools” page alleged in paragraph 17, but was instead required to:
20.1. access the User’s “Profile” page;
20.2. select the “Friends” tab;
20.3. select the “Manage” icon (indicated by the image of a pencil), and select “edit privacy”;
20.4. adjust the default privacy setting (being “public”) in respect of the Friend List to either “Friends” or “Only Me”.
D2. Modification of Apps’ settings
21. If a User wished to modify the settings in respect of information shared with apps installed by the User, the User could not do so via the “privacy settings and tools” page alleged in paragraph 17, but was instead required to:
21.1. access the page on the Facebook Website entitled “apps”;
21.2. select “apps you use”;
Particulars
i. During the Relevant Period, the name of the page varied among “apps you use”, “Platform” or “Apps, websites and plugins”.
21.3. select a particular app and:
21.3.1. adjust (by selecting or deselecting) the information, other than “public profile” information, that the User agreed to supply an app; or
21.3.2. “remove” the app, so that the app no longer requested the User’s personal information.
22. If a User wished to modify the settings in respect of information (other than posts) shared with apps installed by the User’s Friends, a User could not do so via the “privacy settings and tools” page alleged in paragraph 17, and was instead required to:
22.1. adjust the default privacy setting in respect of that information to “Only Me” in the manner alleged in paragraphs 18.4, 19.3 or 20.4; or
22.2. access the page on the Facebook Website entitled “apps” and take either of the following steps:
22.2.1. select “apps others use” and adjust (by selecting or deselecting) the information that the User agreed to supply an app installed by the User’s Friends, such information including the User’s profile picture, networks, status updates, and photos; or
22.2.2. on the “apps you use” page select “edit”, whereupon the User could select the option “do not share any information about me through the Facebook API”/“turn off platform”/“disable platform”, so that apps no longer requested the User’s personal information.
Particulars
i. The form and content of the “apps others use” pages varied during the Relevant Period, as did the wording of the selection to modify the privacy settings in respect of information shared with apps installed by the User’s Friends.
ii. Further particulars may be provided following discovery and evidence.
23. If a User wished to modify the settings in respect of posts shared with apps installed by the User’s Friends, a User was required to:
23.1. adjust the default privacy setting in respect of those posts to “Only Me” in the manner alleged in paragraphs 17.5 or 18.4; or
23.2. take the steps alleged in paragraph 22.2.
24. If a User selected the option in paragraph 22.2.2, the User could not utilise Facebook Login, as alleged in paragraphs 28 to 30.
E. THE FACEBOOK PLATFORM AND THE GRAPH API
25. During the Relevant Period, Facebook provided an integrated software environment or framework (the Facebook Platform) which allowed apps to:
25.1. create a link, or interface, between the app and the Facebook Website’s “social graph”, being the network of connections through which Users communicated and shared information on the Facebook Website (the Graph Application Programming Interface or the Graph API);
25.2. by reason of this link or interface, interact with the Facebook Website and the information about Users collected by it.
26. The Facebook Platform facilitated integration between the Facebook Website and apps, in that it allowed:
26.1. Users to access apps with their Account credentials (username and password) as alleged in paragraphs 28 to 33 (Facebook Login);
26.2. apps to be launched and used by Users from within the Facebook Website.
27. During the Relevant Period, there were two versions of the Graph API being:
27.1. version 1, which was in place from 21 April 2010 to 30 April 2015;
27.2. version 2, which was in place from 30 April 2014.
E1. Facebook Login
28. Facebook Login allowed an installer of an app who was also a User of the Facebook Website (Installer) to utilise their Account credentials (username and password) to login to the app.
29. Where an Installer wished to login to an app using Facebook Login, the Installer was required to:
29.1. open the app;
29.2. access the login page in respect of that app;
29.3. select a button labelled “sign in with Facebook”, which caused a “pop-up” screen to open which required the Installer to authenticate their Account credentials (username and password).
30. If an Installer authenticated their Facebook Website credentials through an app as alleged in paragraph 29, a screen or page appeared on the app requesting permission from the Installer for the app to request, through the Facebook Platform and the Graph API, certain categories of the Installer’s and their Friends’ personal information (including sensitive information) that they had provided to the Facebook Website through their Account (Permission Request).
31. With respect to apps that made requests of version 1 of the Graph API:
31.1. the personal information (including sensitive information) requested via Permission Requests for the Installer’s permission could include:
31.1.1. an Installer’s own personal information that the Installer had supplied to the Facebook Website (to the extent that the Installer had not disabled that information to be supplied to the app in the manner alleged in paragraph 21);
31.1.2. an Installer’s Friends’ personal information that they had supplied to the Facebook Website (to the extent that the Installer’s Friends had not disabled that information to be supplied to the app in the manner alleged in paragraphs 22 and 23);
31.2. the Permission Request did not give the Installer the option to select which aspects of their personal information or their Friends’ personal information, provided to the Facebook Website through their Account, could be requested by the app (except for limited “extended profile permissions” including read_friendlists, read_insights, read_mailbox, read_requests, read_stream, xmpp_login, user_online_presence, friends_online_presence).
32. With respect to the apps that made requests of version 2 of the Graph API:
32.1. the Permission Request gave the Installer the option of giving permission to Facebook to disclose to the app certain nominated categories of personal information that they had provided to the Facebook Website through their Account (except for “public profile” information, which was always provided);
32.2. subject to paragraph 32.3, the Permission Request could only request the following information about Friends who had not installed those apps:
32.2.1. their names;
32.2.2. their profile pictures;
32.2.3. the fact that they were Friends with the Installer;
32.3. the further matter set out in the confidential annexure to this statement of claim which the Applicant will serve on the First and Second Respondents.
33. If an Installer authorised a Permission Request as alleged in paragraph 30:
33.1.1. the developer of the app (Developer) could make requests of Facebook, through the Graph API, of personal information the subject of the Permission Request and Facebook would disclose that information to the Developer;
33.1.2. the Developer could make requests, through the Graph API, of updated personal information the subject of the Permission Request, and Facebook would disclose that information to the Developer, subject to the Installer’s or their Friends’ privacy settings on the Facebook Website at the time.
E2. Policies binding Developers
34. Developers using the Facebook Platform and the Graph API:
34.1. were required to comply with the Statement of Rights and Responsibilities and the Platform Policy;
34.2. were directed to read and agree to Facebook’s Data Use Policy.
35. The Platform Policy relevantly required Developers:
35.1. to provide a publicly available and easily accessible privacy policy that explained what information the Developer was collecting and how the Developer would use that data;
35.2. to delete all of a User’s personal information that the Developer had received from the Facebook Website (including the User’s Friends personal information) if that User asked the Developer to do so, unless the Developer was required to keep it by law, regulation or separate agreement with Facebook;
35.3. only to use an Installer’s Friend’s personal information in the User’s experience in the app;
35.4. not to transfer information that the Developer received from the Facebook Website (through the Facebook Platform and by making requests of the Graph API) to any advertising network, data broker or other advertising or monetisation-related service;
35.5. to request only the information and publishing permissions the app needed.
Particulars
i. During the Relevant Period, there were five iterations of the Platform Policy, all of which contained terms to the effect of those alleged in this paragraph.
ii. The Commissioner relies on the Platform Policy for its full force and effect as if set out in full herein.
E3. Use by Developers of the Graph API
36. At all material times before version 2 of the Graph API commenced on 30 April 2014:
36.1. any app could make requests of version 1 of the Graph API;
36.2. Facebook did not have in place any procedures to approve an app’s ability to make requests of version 1 of the Graph API;
36.3. other than automated checks which detected whether there was a privacy policy URL in the app’s settings page, Facebook did not review the policies offered to Users by an app, and instead relied on the Developer’s self-assessment that the app complied with Facebook’s policies and procedures, including the terms of the Platform Policy as alleged in paragraph 35.
37. When version 2 of the Graph API commenced, Facebook introduced a manual review and approval process, conducted by Facebook, whereby apps seeking Permission Requests for personal information other than the Installer’s “public profile” information, email address and Friends list were only approved to make requests of the Graph API where:
37.1. the additional Permission Requests clearly improved the User’s experience of the app;
37.2. the further matter set out in the confidential annexure to this statement of claim which the Applicant will serve on the First and Second Respondents;
37.3. the further matter set out in the confidential annexure to this statement of claim which the Applicant will serve on the First and Second Respondents;
37.4. the further matter set out in the confidential annexure to this statement of claim which the Applicant will serve on the First and Second Respondents;
37.5. the further matter set out in the confidential annexure to this statement of claim which the Applicant will serve on the First and Second Respondents (the App Review Process).
38. In around April 2014, Facebook informed all Developers whose apps were using version 1 of Graph API, that they would need to migrate to version 2 of the Graph API, allowing those Developers whose apps were using version 1 of the Graph API a 12-month grace period (between 30 April 2014 and 1 May 2015) (Grace Period) to transition to version 2.
39. During the Grace Period, Developers with apps using version 1 of the Graph API (being apps created on or before 30 April 2014) who:
39.1. made no application for additional Permission Requests pursuant to version 2 of the Graph API; or
39.2. had applied to Facebook Inc for additional Permission Requests pursuant to version 2 of the Graph API and that application had been refused through the App Review Process, could continue to operate in version 1 of the Graph API until May 2015 and without undertaking the App Review Process.
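The pleading describes two authorisation regimes in prose: under version 1 of the Graph API (paragraphs 28 to 31) an Installer’s single consent released their Friends’ data, narrowed only by each Friend’s own privacy and app settings (paragraphs 22 to 24), while version 2 (paragraph 32) limited friend data to name and picture and gated extended permissions behind App Review (paragraph 37). The following is an added toy model of those rules, written for this page and not Facebook’s code; the user objects, field names, setting names, app identifier and dates are constructed for illustration. It also keeps the per-field disclosure ledger and runs the post-rejection audit that paragraph 76 later says a reasonable entity would have performed.

```python
"""Added example (not Facebook's code): a toy policy model of Graph API v1 and v2
disclosure rules as described in the statement of claim, plus a disclosure ledger
and a post-App-Review audit. All users, field names and dates are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import NamedTuple

PUBLIC_PROFILE = {"name", "gender", "profile_picture", "networks"}      # paras 32.1, 66.1
V2_FRIEND_FIELDS = {"name", "profile_picture"}                           # para 32.2
OFF_BY_DEFAULT_FOR_FRIENDS_APPS = {"interested_in", "religious_political_views"}  # para 70.B(2)
NO_REVIEW_NEEDED = PUBLIC_PROFILE | {"email", "friend_list"}             # para 37


@dataclass
class User:
    uid: str
    data: dict
    only_me: set = field(default_factory=set)                            # "Only Me" (17.5/18.4/19.3/20.4)
    friends_apps_opt_out: set = field(                                   # deselected on "apps others use" (22.2.1)
        default_factory=lambda: set(OFF_BY_DEFAULT_FOR_FRIENDS_APPS))
    platform_enabled: bool = True                                        # "turn off platform" (22.2.2)
    installed: set = field(default_factory=set)                          # app ids this user installed


def disclose_for_installer(installer, requested):
    # para 24: a User who turned the platform off cannot use Facebook Login at all
    if not installer.platform_enabled:
        return None
    # para 31.2: v1 offered no per-field choice; authorising meant everything requested
    return {f: installer.data[f] for f in requested if f in installer.data}


def disclose_for_friend_v1(friend, requested):
    # para 31.1.2: disclosure rides on the *installer's* consent; only the friend's own
    # privacy and app settings (paras 22-23) narrow it
    if not friend.platform_enabled:
        return {}
    return {f: friend.data[f] for f in requested
            if f in friend.data and f not in friend.only_me
            and (f in PUBLIC_PROFILE or f not in friend.friends_apps_opt_out)}


def disclose_for_friend_v2(app_id, friend, requested):
    # para 32: unless the friend installed the app themselves, only name and picture
    # (the fact of friendship is implicit in the friend appearing in the result at all)
    if app_id in friend.installed:
        return disclose_for_installer(friend, requested) or {}
    if not friend.platform_enabled:
        return {}
    return {f: friend.data[f] for f in requested if f in V2_FRIEND_FIELDS and f in friend.data}


class LedgerRow(NamedTuple):
    app_id: str
    api_version: int
    when: date
    subject: str
    item: str


def permission_request(app_id, api_version, when, installer, friends, requested, ledger):
    """What Facebook would hand the Developer once the Installer authorises the
    Permission Request (para 33), recorded row by row (para 76.2)."""
    own = disclose_for_installer(installer, requested)
    if own is None:
        return None
    result = {"installer": own, "friends": {}}
    for fr in friends:
        got = (disclose_for_friend_v1(fr, requested) if api_version == 1
               else disclose_for_friend_v2(app_id, fr, requested))
        if got:
            result["friends"][fr.uid] = got
    for subject, fields in [(installer.uid, own)] + list(result["friends"].items()):
        for f in fields:
            ledger.append(LedgerRow(app_id, api_version, when, subject, f))
    return result


def audit_after_rejection(ledger, app_id, rejected_on):
    # para 76.4: once App Review rejected an app's extended permissions, every later
    # disclosure of a field that would have needed review is a finding
    return [r for r in ledger
            if r.app_id == app_id and r.when > rejected_on and r.item not in NO_REVIEW_NEEDED]


def run_example():
    """Constructed users and a constructed app id; returns the results for inspection."""
    requested = {"name", "birthdate", "likes", "interested_in"}
    alice = User("alice", {"name": "Alice", "birthdate": "1990-01-01", "likes": ["p1"], "interested_in": "x"})
    bob = User("bob", {"name": "Bob", "birthdate": "1985-05-05", "likes": ["p2"], "interested_in": "y"})
    carol = User("carol", {"name": "Carol", "birthdate": "1970-07-07", "likes": ["p3"]},
                 only_me={"birthdate"}, friends_apps_opt_out={"likes"} | OFF_BY_DEFAULT_FOR_FRIENDS_APPS)
    dave = User("dave", {"name": "Dave", "birthdate": "1999-09-09"}, platform_enabled=False)
    ledger = []
    v1 = permission_request("app-1", 1, date(2014, 6, 1), alice, [bob, carol, dave], requested, ledger)
    v2 = permission_request("app-1", 2, date(2014, 6, 1), alice, [bob, carol, dave], requested, [])
    findings = audit_after_rejection(ledger, "app-1", date(2014, 5, 7))  # constructed rejection date
    return {"v1": v1, "v2": v2, "findings": findings}


if __name__ == "__main__":
    print(run_example())
```

Running it shows the asymmetry the pleading turns on: under v1 Bob, who changed nothing, loses his birthdate and likes on Alice’s consent alone, and only Carol’s deliberate “Only Me” and “apps others use” changes hold data back; under v2 both friends yield only a name. The audit then flags every non-public field the app kept pulling after the constructed rejection date, which is the record paragraph 76 says should have existed and been reviewed.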
F. “THIS IS YOUR DIGITAL LIFE” APP
F1. The nature of the “This is Your Digital Life” app
40. In November 2013, Dr Aleksandr Kogan, a researcher employed by or affiliated with Cambridge University, developed and launched an app, known as “thisisyourdigitallife”, on the Facebook Platform and version 1 of the Graph API (the “This Is Your Digital Life” app).
Particulars
i. The name of the app changed during the Relevant Period. It was initially known as “CPWLab App”, thereafter “GSRApp” and thereafter “thisisyourdigitallife”.
41. The Developers of the “This is Your Digital Life” app were Dr Kogan and/or, from May 2014, Global Science Research Ltd (GSR), a company incorporated in England and Wales, of which Dr Kogan was a director and shareholder.
42. On 2 November 2013, Dr Kogan provided a description to Facebook of the “This is Your Digital Life” app.
Particulars
i. Dr Kogan’s description explained that the app “is a research app used by psychologists. The requested permissions provide the research team with a rich set of social behaviour that Users engage in. This app is used in studies where we link psychological traits and behaviour (typically measured using questionnaires) with digital behaviour data in the form of Facebook information. We aim to use this data to better understand how big data can be used to gain new insights into people’s well-being, personality traits, and other psychological constructs.”
43. By reason of the “This is Your Digital Life” app using the Facebook Platform and making requests of version 1 of the Graph API, Dr Kogan and/or GSR, as the Developers of the “This is Your Digital Life” app:
43.1. were required to comply with the Statement of Rights and Responsibilities and the Platform Policy;
43.2. were directed to read and agree to Facebook’s Data Use Policy.
F2. Requests by the “This is Your Digital Life” app of version 1 of the Graph API
44. From its launch in November 2013 to the conclusion of the Grace Period in May 2015, Installers could only access the “This is Your Digital Life” app by using the Facebook Login process as alleged in paragraphs 28 to 33, such that:
44.1. if an Installer authenticated their Facebook Account credentials through the app as alleged in paragraph 29, a page or screen appeared containing a Permission Request, requesting permission from the Installer for the app to request and utilise (through version 1 of Graph API):
44.1.1. certain of the Installer’s personal information (including sensitive information) that they had provided to the Facebook Website through their Account;
44.1.2. certain of the Installer’s Friends’ personal information (including sensitive information) that they had provided to the Facebook Website through their Account;
44.2. if an Installer authorised a Permission Request, as alleged in paragraph 44.1:
44.2.1. Dr Kogan and/or (from May 2014) GSR could make requests, through version 1 of the Graph API, of personal information the subject of the Permission Request and Facebook would disclose that information to Dr Kogan and/or GSR, subject to the Installer’s or their Friends’ privacy and app settings on the Facebook Website at the time;
44.2.2. Dr Kogan and GSR could make requests, through version 1 of the Graph API, of updated personal information the subject of the Permission Request, and Facebook would disclose that information to Dr Kogan and/or GSR, subject to the Installer’s or their Friends’ privacy and app settings on the Facebook Website at the time.
45. From its launch in November 2013 until 17 December 2015:
45.1. approximately 53 Installers located in Australia installed the “This is Your Digital Life” app;
45.2. approximately 311,074 Friends (located in Australia) of Installers of the “This is Your Digital Life” app worldwide had their personal information requested by the app.
F3. Disclosure of Installers’ and their Friends’ personal information to third parties by Dr Kogan and/or GSR
46. At some point during 2014:
46.1. GSR entered into an agreement with SCL Group Limited (SCL), a political consulting firm based in London, England;
46.2. the subject-matter of the agreement was the sale to SCL, the parent company of Cambridge Analytica Ltd (Cambridge Analytica), by Dr Kogan and/or GSR of the information collected by the “This is Your Digital Life” app pursuant to the process alleged in paragraph 44 (the Cambridge Analytica Agreement).
47. From the time that the Cambridge Analytica Agreement was entered into, and during the Relevant Period, pursuant to the Cambridge Analytica Agreement, Kogan and/or GSR sold personal information of Installers of the “This is Your Digital Life” app, and the personal information of those Installers’ Friends, to Cambridge Analytica and SCL.
48. During the Relevant Period, Kogan and/or GSR provided the following persons and entities with the personal information of Installers of the “This is Your Digital Life” app, and the personal information of those Installers’ Friends:
48.1. Eunoia Technologies Ltd (Eunoia Technologies);
48.2. Dr Michael Inzlicht, a researcher at the Toronto Laboratory for Social Neuroscience at the University of Toronto.
49. The provision by Dr Kogan and/or GSR to Cambridge Analytica, SCL, Eunoia Technologies and Mr Inzlicht of personal information of Installers of the “This is Your Digital Life” app and personal information of those Installers’ Friends, was in breach of Facebook’s policies and procedures by which Dr Kogan and/or GSR were bound, as alleged in paragraph 43.
50. On 6 May 2014, Dr Kogan and/or GSR sought the approval of Facebook, through the App Review Process, for the “This is Your Digital Life” app to:
50.1. collect personal information in the manner alleged in paragraph 44;
50.2. collect information of Installers and their Friends in addition to that which the Facebook Platform and version 1 of the Graph API already allowed the app to receive.
51. On 7 May 2014, Facebook rejected Dr Kogan’s and/or GSR’s application alleged in paragraph 50.
Particulars
i. Facebook rejected Dr Kogan’s application on the basis that the “This is Your Digital Life” app would not be using the data gained through extended permissions to enhance a User’s in-app experience.
52. Despite Facebook’s rejection of the application as alleged in paragraph 51, the “This is Your Digital Life” app continued to collect Installers’ and Installers’ Friends’ personal information through making requests of version 1 of the Graph API as alleged in paragraph 44 for the duration of the Grace Period until at least May 2015.
53. By no later than 11 December 2015, Facebook became aware that Dr Kogan and/or GSR had sold Users’ personal information to third parties.
54. On 17 December 2015, Facebook terminated the “This is Your Digital Life” app’s ability to make requests of the Facebook Platform and the Graph API.
55. On 18 December 2015, Facebook requested that Dr Kogan, GSR and Cambridge Analytica:
55.1. delete all the Users’ personal information they had received through the Facebook Platform and the Graph API;
55.2. identify any transferees of Users’ personal information they had obtained from the Facebook Platform and the Graph API.
56. Following the making of the requests alleged in paragraph 55:
56.1. on 18 January 2016, Cambridge Analytica provided written confirmation to Facebook that it had deleted the Users’ personal information that it had received from Dr Kogan and/or GSR and that its server did not have any backup copies of that information;
56.2. on 11 June 2016, Dr Kogan, in his personal capacity and on behalf of GSR, provided to Facebook signed certifications confirming that:
56.2.1. the Users’ personal information that he and GSR had obtained from the “This is Your Digital Life” app had been deleted;
56.2.2. GSR had disclosed to SCL:
56.2.2.1. forecasted survey responses (derived from Facebook page “likes”);
56.2.2.2. certain Installers’ and their Friends’ profile data including names, locations, birthdays and whether Users’ had “liked” any of a list of specific pages on the Facebook Website;
56.2.3. GSR had received payments totalling £750,000 from a single entity pursuant to the Cambridge Analytica Agreement and that those funds were used to operate GSR;
56.2.4. the individuals and entities to which GSR disclosed Installers’ and their Friends’ personal information obtained from the “This is Your Digital Life” app were Cambridge Analytica, SCL, Eunoia Technologies Ltd and Dr Inzlicht.
57. On 24 June 2016, a formal settlement agreement between Dr Kogan, GSR and Facebook became effective, which described the collection, use, sharing and disclosure of Users’ personal information obtained through the “This is Your Digital Life” app, the data derived from that information and a list of the parties to whom that information had been disclosed.
58. On 7 July 2016, Facebook obtained a signed certification from Dr Inzlicht confirming that all of the Installers’ and their Friends’ personal information (or data derived therefrom) received from Dr Kogan and/or GSR had been accounted for and destroyed.
59. On 16 August 2016, Facebook obtained a signed certification from Eunoia Technologies certifying that all Installers’ and their Friends’ personal information (or data derived therefrom) received from Dr Kogan and/or GSR had been accounted for and destroyed.
60. On 3 April 2017, SCL confirmed in a signed certification that all the Installers’ and their Friends’ personal information (or data received therefrom) received from Dr Kogan and/or GSR had been accounted for and permanently deleted and that no third parties had been given access to that information or data.
61. Facebook did not take any independent steps to ensure that the Installers’ and their Friends’ personal information it had asked Dr Kogan, GSR, Cambridge Analytica, SCL, Dr Inzlicht and Eunoia Technologies to delete or destroy had in fact been deleted or destroyed.
G. BREACHES OF AUSTRALIAN PRIVACY PRINCIPLES AND SECTION 13G OF THE PRIVACY ACT
G1. APP 6
62. During the Relevant Period, as APP entities, Facebook Ireland and Facebook Inc were bound by Australian Privacy Principle (APP) 6.1.
Particulars
i. At all times during the Relevant Period, APP 6.1 prescribed that, if an APP entity held personal information about an individual that was collected for a particular purpose (the primary purpose), the entity could not use or disclose that personal information for another purpose (the secondary purpose) unless: (a) the individual consented to the use or disclosure of the information; or (b) APP 6.2 or 6.3 applied in relation to the use or disclosure of the information.
63. During the Relevant Period:
63.1. Facebook Ireland “held” personal information (including sensitive information) about individual Users located in Australia (Australian Users) within the meaning of that term as defined in section 6(1) of the Privacy Act.
Particulars
i. Facebook Ireland held personal information of Australian Users of the Facebook Website in Australia by reason of the following matters:
A. Between March 2014 and April 2018 (which includes the Relevant Period), Facebook Ireland, as the provider of the Facebook service in Australia, had the number of active Australian Users per month set out in the confidential annexure to this statement of claim which the Applicant will serve on the First and Second Respondents.
B. Facebook Ireland’s Data Use Policy stated that it collected different kinds of information from or about Users.
C. The further matter set out in the confidential annexure to this statement of claim which the Applicant will serve on the First and Second Respondents.
ii. Further particulars may be provided after discovery and evidence.
63.2. Facebook Inc “held” personal information (including sensitive information) about Australian Users.
Particulars
i. The further matter set out in the confidential annexure to this statement of claim which the Applicant will serve on the First and Second Respondents.
ii. The further matter set out in the confidential annexure to this statement of claim which the Applicant will serve on the First and Second Respondents.
iii. Further particulars may be provided after discovery and evidence.
64. The personal information (including sensitive information) held by Facebook Ireland and/or Facebook Inc as alleged in paragraph 63, included the personal information (including sensitive information) of the individuals referred to in paragraph 45, to the extent that those Users installed or were Friends of Users who installed the “This is Your Digital Life” app during the Relevant Period (together the Affected Australian Individuals).
65. The personal information of the Affected Australian Individuals was collected for a particular purpose, being to enable those individuals to build an online social network with other Users on the Facebook Website (the primary purpose).
66. During the Relevant Period, through the operation of the Facebook Platform and the Graph API as alleged at paragraphs 25 to 33, Facebook Ireland and Facebook Inc disclosed the following categories of personal information of the Affected Australian Individuals to Dr Kogan and/or GSR (as the Developers of the “This is Your Digital Life” app):
66.1. “public” profile data (including name, gender, profile photo, networks and other information set as “public”);
66.2. birthdate;
66.3. current city (if included in the Australian User’s “About” section of their profile);
66.4. pages and posts the user “liked”;
66.5. Friend List;
66.6. Facebook messages (for a subset of Installers if those Installers had granted permission pursuant to a Permission Request);
66.7. email address, posts that appeared in the Installers’ News Feed or Timeline, and the Installers’ photos.
Particulars
i. As to how Facebook Ireland and Facebook Inc disclosed the personal information of the Affected Australian Individuals to the Developers of the “This is Your Digital Life App”, paragraph 44 is repeated.
ii. Further particulars of the categories of personal information of the Affected Australian Individuals which were disclosed may be provided after discovery and evidence.
67. Of the categories of personal information alleged in paragraph 66, the following included sensitive information of the Affected Australian Individuals:
67.1. pages and posts the user “liked”;
67.2. other “public profile” information to the extent that information was sensitive information;
67.3. Facebook messages (for a subset of Installers if those Installers had granted permission pursuant to a Permission Request);
67.4. email addresses, posts that appeared in the Installers’ News Feed or Timeline, and the Installers’ photos.
Particulars
i. The matters alleged in this paragraph are to be inferred from the facts and circumstances alleged at paragraphs 9, 31, 42 and 44 to 49 herein.
ii. Further particulars may be provided after discovery and evidence.
68. Facebook Ireland and Facebook Inc engaged in the disclosure alleged in paragraph 66 for a purpose or purposes other than the primary purpose.
Particulars
i. The “This is Your Digital Life” app did not operate with a view to enabling Users to build an online social network with other Users on the Facebook Website. It instead provided a separate service, on an external app, which allowed Installers to undertake a personality survey and, later, a personality quiz.
ii. By reason of the matters alleged at paragraph 42, Facebook was aware of Dr Kogan’s purpose in obtaining the personal information of Installers and their Friends, which purpose was other than a purpose of enabling Users to build an online social network with other Users on the Facebook Website.
iii. Further particulars may be provided following discovery and evidence.
69. In the premises, on each occasion on which Facebook Ireland and Facebook Inc disclosed the personal information of the Affected Australian Individuals as alleged in paragraph 66, Facebook Ireland and Facebook Inc:
69.1. breached APP 6.1;
69.2. engaged in interferences with the privacy of those individuals for the purposes of s 13 of the Privacy Act.
70. The interferences with the privacy of the Affected Australian Individuals alleged at paragraph 69 were serious.
Particulars
i. The interferences with the privacy of the Affected Australian Individuals were serious because:
A. APP 6.1 requires that personal information will only be disclosed for a secondary purpose with the consent of the individual, unless an exception applies;
B. the interferences with privacy occurred in the context of a service which reversed this requirement, in that the Facebook Website was designed to disclose Users’ personal information to apps by default. In particular:
(1) the setting for information in a User’s profile was “public” by default, save for a limited number of exceptions such as “posts” and birthdates;
(2) the setting with respect to disclosure of personal information to apps used by Friends was set to disclosure by default, save for two exceptions: “interested in” and “religious and political views”.
C. Facebook did not adequately inform Users of the nature and circumstances in which it would disclose their personal information to apps installed by their Friends, such that it was difficult for Users to know that they needed to change their default settings in order to limit the disclosure of their personal information to apps;
D. the service design made it difficult for Users to exercise consent or control over the disclosure of their personal information to apps;
E. the interferences with privacy occurred in circumstances where:
(1) Facebook represented in April 2014 (when version 1 of the Graph API was still in force at least in respect of those apps, including the “This is Your Digital Life App”, taking advantage of the Grace Period) that from that point in time, it would no longer allow apps to collect Friend data and that “everyone has to choose to share their own data with an app themselves” (see speech of Mark Zuckerberg at F8 conference in 2014);
(2) Facebook nonetheless continued to disclose Friend data to apps, including the “This is Your Digital Life App”, which operated on Graph API version 1 until the end of the Grace Period;
F. there was a risk that a large volume of personal information (including sensitive information) of the Affected Australian Individuals could be disclosed to the “This is Your Digital Life” app without their consent;
G. those interferences led to, or risked, the unauthorised disclosure of the Affected Australian Individuals’ personal information (including sensitive information) to other third parties, including for profit to Cambridge Analytica and SCL, without the consent of the Affected Australian Individuals.
ii. Further particulars may be provided after discovery and evidence.
71. By reason of the matters alleged in paragraphs 62 to 70, on each occasion on which Facebook Ireland and Facebook Inc disclosed the personal information of the Affected Australian Individuals as alleged in paragraph 66, Facebook Ireland and Facebook Inc:
71.1. did an act, or engaged in a practice, that was a serious interference with the privacy of those Affected Australian Individuals;
71.2. contravened s 13G(a) of the Act.
72. Further, or in the alternative to paragraph 71, by reason of the matters alleged in paragraphs 62 to 70, Facebook Ireland and Facebook Inc:
72.1. repeatedly engaged in acts or practices that were interferences with the privacy of the Affected Australian Individuals;
72.2. contravened s 13G(b) of the Privacy Act.
G2. APP 11.1(b)
73. During the Relevant Period, as APP entities, Facebook Ireland and Facebook Inc were bound by APP 11.1(b).
Particulars
i. At all times during the Relevant Period, APP 11.1(b) relevantly provided that if an APP entity held personal information, the entity was required to take such steps as were reasonable in the circumstances to protect that information from unauthorised disclosure.
74. During the Relevant Period, Facebook Inc and Facebook Ireland held personal information (including sensitive information) of the Affected Australian Individuals.
Particulars
i. The particulars to paragraph 63 are repeated.
75. By reason of the matters alleged at paragraphs 73 and 74, during the Relevant Period, Facebook Ireland and Facebook Inc were required to take such steps as were reasonable in the circumstances to protect, from unauthorised disclosure, the personal information (including sensitive information) of the Affected Australian Individuals which they held.
76. During the Relevant Period, Facebook Inc and/or Facebook Ireland ought to have taken at least the following reasonable steps to protect the personal information of the Affected Australian Individuals from unauthorised disclosure:
76.1. an initial assessment and regular review of whether the “This is Your Digital Life” app’s:
76.1.1. requests for personal information from the Graph API;
76.1.2. privacy policy (to the extent that there was one), complied with the terms of the Statement of Rights and Responsibilities and the Platform Policy, including those referred to at paragraphs 11 and 35;
76.2. the maintenance of complete and accurate records of the personal information disclosed to the “This is Your Digital Life” app through the Facebook Platform and the Graph API;
76.3. regular review of the information retained in 76.2 to audit the nature and scope of the disclosures made;
76.4. from 7 May 2014 (when Dr Kogan’s and/or GSR’s application alleged in paragraph 51 was rejected):
76.4.1. carrying out a review of the categories of data which the “This is Your Digital Life” app had previously requested and obtained about Affected Australian Individuals;
76.4.2. ceasing the disclosure of personal information (including sensitive information) of the Affected Australian Individuals to the Developers of the “This is Your Digital Life App” by not permitting the app to continue to make requests of version 1 of the Graph API;
76.5. implementing measures to ensure that any consent to disclose personal information of the Australian Affected Individuals to the “This is Your Digital Life” app:
76.5.1. was obtained directly from those Affected Australian Individuals;
76.5.2. clearly and specifically informed Affected Australian Individuals about the kinds of information that would or could be disclosed and the purpose and consequences of disclosure;
76.5.3. was obtained before or at the time when the personal information of Affected Australian Individuals was disclosed to the “This is Your Digital Life” app.
Facebook Inc and Facebook Ireland did not take such steps as were reasonable in the circumstances to protect the personal information (including sensitive information) of the Affected Australian Individuals from unauthorised disclosure, including by failing to take any or all the APP 11 Reasonable Steps.
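The steps pleaded in paragraph 76 (a complete ledger of what was disclosed, periodic audit of its nature and scope, withdrawal of API access once the developers' application was rejected on 7 May 2014, and consent taken directly from the data subject rather than the installing user) can be expressed as a small audit routine. The following Python is an added illustration, not code from Facebook, the OAIC or the pleading; the ledger entries, the app identifier `tyidl`, the approved field set and the audit rules are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed for this example: the pleading says the developers' application
# was rejected on 7 May 2014 (para 76.4); from then on the app should not have
# been able to keep calling version 1 of the Graph API.
REJECTION_DATE = date(2014, 5, 7)

@dataclass(frozen=True)
class Disclosure:
    """One ledger record of personal information handed to a third-party app."""
    subject: str        # person whose data was disclosed
    via: str            # person whose app install triggered the disclosure
    app: str            # hypothetical app identifier
    fields: frozenset   # attributes disclosed
    consent_from: str   # who actually gave the consent relied on
    when: date

def scope_summary(ledger, app):
    """Nature and scope of what one app received (para 76.3)."""
    rows = [d for d in ledger if d.app == app]
    return {
        "disclosures": len(rows),
        "subjects": len({d.subject for d in rows}),
        # Friend data: the subject is not the person who installed the app.
        "friend_disclosures": sum(1 for d in rows if d.subject != d.via),
        "fields": sorted(frozenset().union(*(d.fields for d in rows))),
    }

def audit(ledger, app, approved_fields):
    """Flag disclosures the para 76 steps would have caught; returns (disclosure, reason) pairs."""
    findings = []
    for d in (d for d in ledger if d.app == app):
        extra = d.fields - approved_fields
        if extra:   # request went beyond what the policy review approved (76.1)
            findings.append((d, f"fields outside approved scope: {sorted(extra)}"))
        if d.consent_from != d.subject:   # consent not from the data subject (76.5.1)
            findings.append((d, "consent not obtained directly from data subject"))
        if d.when >= REJECTION_DATE:   # access should have been withdrawn (76.4.2)
            findings.append((d, "disclosed on or after the rejection date"))
    return findings

# Constructed sample ledger: one installer (alice) and two of her friends.
SAMPLE_LEDGER = [
    Disclosure("alice", "alice", "tyidl", frozenset({"name", "likes"}), "alice", date(2014, 3, 1)),
    Disclosure("bob", "alice", "tyidl", frozenset({"name", "likes", "religion"}), "alice", date(2014, 3, 1)),
    Disclosure("carol", "alice", "tyidl", frozenset({"name"}), "alice", date(2014, 6, 2)),
]
APPROVED_FIELDS = frozenset({"name", "likes"})
```

Run against the sample ledger, the installer's own record passes while both friend records are flagged: one for an attribute outside the approved scope and consent given by someone else, the other for consent given by someone else and a disclosure made after the rejection date.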
77. In the premises, during the Relevant Period, Facebook Inc and Facebook Ireland:
77.1. breached APP 11.1(b);
77.2. engaged in interferences with the privacy of the Affected Australian Individuals for the purposes of s 13 of the Privacy Act.
78. The interferences with the privacy of the Affected Australian Individuals alleged at paragraph 77 were serious.
Particulars
i. The particulars to paragraph 70 are repeated.
ii. Facebook Ireland and Facebook Inc solicited a large volume of personal information (including sensitive information) through the Facebook Website about Affected Australian Individuals without adequate protections in place to secure the information it held.
iii. Facebook Ireland and Facebook Inc used this large volume of personal information which it solicited for profit, including to generate advertising revenue.
iv. Facebook’s failure to take reasonable protective steps was systemic in respect of apps other than the “This is Your Digital Life” app that accessed version 1 of the Graph API.
v. From 2 November 2013, Facebook Inc and Facebook Ireland knew that the Developers of the “This is Your Digital Life App” were using personal information disclosed to them through version 1 of the Graph API for a purpose or purposes other than the primary purpose. From May 2014, Facebook possessed even more detailed knowledge of the way in which the “This is Your Digital Life” app was using Friends’ personal information, but continued to disclose that information to the Developers of the app.
vi. Facebook kept no records of the personal information that it disclosed to the “This is Your Digital Life” app, meaning that it had no ability to take the steps set out at paragraph 76.3.
vii. The personal information of the Affected Australian Individuals that was disclosed by Facebook Inc and Facebook Ireland to the “This is Your Digital Life” app was disclosed or risked disclosure to third parties such as Cambridge Analytica, SCL and Eunoia Technologies.
viii. The failure to take the APP 11 Reasonable Steps had the potential consequence of disclosing a large volume of personal information (including potentially sensitive personal information) of individuals without those individuals’ consent.
ix. Further particulars may be provided after discovery and evidence.
79. By reason of the matters alleged in paragraphs 73 to 78, Facebook Inc and Facebook Ireland:
79.1. engaged in acts or practices that were serious interferences with the privacy of each of the Affected Australian Individuals;
79.2. contravened s 13G(a) of the Act.
80. Further, or in the alternative to paragraph 79, during the Relevant Period, Facebook Inc and Facebook Ireland:
80.1. repeatedly engaged in acts or practices that were interferences with the privacy of the Affected Australian Individuals;
80.2. contravened s 13G(b) of the Act.
H. RELIEF SOUGHT
81. The Commissioner claims the relief set out in the Originating Application.
The filing and announcement by the Australian Information Commissioner is reported in The Australian (Facebook in Australia sued over Cambridge Analytica scandal), the BBC (Cambridge Analytica: Australia takes Facebook to court over privacy), the Guardian (Facebook sued by Australian information watchdog over Cambridge Analytica-linked data breach) and the ABC (Australian privacy watchdog launches court action against Facebook over Cambridge Analytica access).
The Australian’s article, as a representative sample of the coverage, provides:
Facebook faces the threat of a $1bn-plus fine for exposing the personal data of more than 300,000 Australians.
Facebook in Australia has been accused of exposing for sale and “political profiling” the personal data of up to 311,127 Australians after a Facebook app was used by the Cambridge Analytica consultancy to steal personal data from potential voters for campaigning purposes.
The move, by Information and Privacy Commissioner Angelene Falk, comes after a two-year investigation into the impact of Cambridge Analytica on Australian users and actions by regulators in the US, Canada and Britain. The US Federal Trade Commission last year fined Facebook a record $US5bn after it found the company was responsible for helping expose the personal data of up to 87 million Americans. Cambridge Analytica’s clients included US President Donald Trump during his 2016 campaign.
In action lodged in the Federal Court on Monday, the OAIC claims Facebook “committed serious and/or repeated interferences with privacy in contravention of Australian privacy law”. Ms Falk alleges these were “systemic failures to comply with Australian privacy laws”.
The commissioner alleges that the personal information of Australian Facebook users was disclosed to the This is Your Digital Life app, later bought by Cambridge Analytica, in breach of the Privacy Act. This allowed it to be used for purposes including “political profiling, well outside users’ expectations”.
“All entities operating in Australia must be transparent and accountable in the way they handle personal information, in accordance with their obligations under Australian privacy law,” Ms Falk said. “We consider the design of the Facebook platform meant that users were unable to exercise reasonable choice and control about how their personal information was disclosed.”
Despite only an estimated 53 Facebook users in Australia installing the This is Your Digital Life app between March 2014 and May 2015, it was potentially able to strip the Facebook data of 311,127 local users because it took data from all their Facebook friends as well as the primary user.
The commissioner alleges breaches under the Privacy Act for allowing the data to be disclosed by Facebook and failing to take “reasonable steps” to protect its users.
Crucially, to demonstrate a breach of the Privacy Act the commissioner need only demonstrate a failure on behalf of Facebook to protect users’ information or take reasonable steps.
It does not need to be shown that the information was shared or sold.
“Facebook’s default settings facilitated the disclosure of personal information, including sensitive information, at the expense of privacy,” Ms Falk alleges.
The maximum fine at the time of the alleged breaches was $1.7m. The OAIC is arguing, and the court has a right to find, each disclosure was equal to one breach, meaning Facebook could face a fine of more than $5bn. The Australian understands the OAIC views this to be an unlikely outcome, but the court would have scope to impose a large fine, easily in excess of $1.7m.
A spokesman for Facebook said: “We’ve actively engaged with the OAIC over the past two years as part of their investigation. We’ve made major changes to our platforms, in consultation with international regulators, to restrict the information available to app developers, implement new governance protocols and build industry-leading controls to help people protect and manage their data.”