Meta settles civil penalty proceeding with Office of Information Commissioner arising out of the Cambridge Analytica scandal for $50 million and an enforceable undertaking

December 17, 2024

In the dying days of 2024, when the focus is on presents, holidays and plum pudding (for some at least), Meta has settled the civil penalty proceeding in the Federal Court. Meta will also enter into an enforceable undertaking. The $50 million will not be distributed immediately. Eligibility will depend on whether a person was in Australia between November 2013 and mid-December 2015 and installed the This is Your Digital Life app or was a friend of someone who had that app installed.

This is a very welcome development. The civil penalty proceedings power in the Privacy Act has until recently been underutilised.

The Commissioner’s media release provides:

The Australian Information Commissioner today agreed to a $50 million payment program as part of an enforceable undertaking (EU) received from Meta Platforms, Inc. (Meta) to settle civil penalty proceedings. The payment scheme will be open to eligible Australian Facebook users impacted by the Cambridge Analytica matter.

The Commissioner alleged that the personal information of some Australian Facebook users was disclosed to the This is Your Digital Life app in breach of the Privacy Act 1988 (Cth). The information was exposed to the risk of disclosure to Cambridge Analytica and other third parties, and risked being used for political profiling purposes.

The agreement announced today follows a court-ordered mediation, which has been ongoing since February 2024, as part of the Federal Court civil penalty proceedings the Commissioner commenced in March 2020.

“Today’s settlement represents the largest ever payment dedicated to addressing concerns about the privacy of individuals in Australia,” Australian Information Commissioner Elizabeth Tydd said.

“It represents a substantive resolution of privacy concerns raised by the Cambridge Analytica matter, gives potentially affected Australians an opportunity to seek redress through Meta’s payment program, and brings to an end a lengthy court process.”

As part of the resolution, the Commissioner has withdrawn the civil penalty proceedings in the Federal Court.

The EU requires Meta to set up a payment scheme, which will be run by an independent third-party administrator. Meta will appoint the third party to administer the payment scheme, who will be announced early next year. The scheme will be open to individuals who:

    • held a Facebook Account between 2 November 2013 and 17 December 2015;
    • were present in Australia for more than 30 days during that period; and
    • either installed the This is Your Digital Life app or were Facebook friends with an individual who installed the app.

The payment scheme will be structured into two tiers of payments. The first will permit individuals to apply for a base payment if they believe they experienced generalised concern or embarrassment because of the matter. The second category will provide for specific payment, likely to be higher than the base payment, to those who can demonstrate they have suffered loss or damage. The third-party administrator will also establish a timely internal review avenue for individuals in relation to the payment scheme. The Office of the Australian Information Commissioner anticipates individuals may be able to start applying to the payment program in the second quarter of 2025.

Any residual funds not exhausted in the payment scheme will be paid into the Commonwealth’s Consolidated Revenue Fund. Meta also paid a contribution to the Commissioner’s legal costs.

“The payment scheme is a significant amount that demonstrates that all entities operating in Australia must be transparent and accountable in the way they handle personal information, in accordance with their obligations under Australian privacy law, and give users reasonable choice and control about how their personal information is used,” Commissioner Tydd said.

“This also applies to global corporations that operate here. Australians need assurance that whenever they provide their personal information to an organisation, they are protected by the Privacy Act wherever that information goes.”

“We remain committed to applying our powers under the Privacy Act to achieve proportionate outcomes to ensure that Australians’ privacy is protected, particularly with respect to technologies that have a high privacy impact. This groundbreaking outcome reflects the significant concerns of the Australian community,” Privacy Commissioner Carly Kind said.

Since then-Australian Information Commissioner Angelene Falk commenced the civil penalty proceedings against Meta in March 2020, the penalties for serious or repeated interferences with privacy (which can only be imposed following the commencement of civil penalty proceedings in the Federal Court), have increased from $1.7 million for each serious and/or repeated interference with privacy, to whichever is the greater of $50 million, three times the value of any benefit obtained through the misuse of information, or 30% of a company’s adjusted turnover in the relevant period.

Read the enforceable undertaking.

Details of payment scheme

    • Funds of $50 million will be available.
    • Individuals who were present in Australia for more than 30 days between 2 November 2013 and 17 December 2015, and either installed the This is Your Digital Life app, or who were Facebook friends of an individual who installed the This is Your Digital Life app, can apply for a base payment based on generalised concern or embarrassment, or an alternative amount if they can demonstrate specific loss or damage.
    • The third-party administrator will take reasonable steps to publicise the payment scheme.
    • Meta is required to make reasonable best efforts to notify those who are potentially impacted.
    • The payment scheme will be administered by a third-party administrator to be appointed by Meta. Payment is required to be made in a timely manner.
    • Details for accessing the payment scheme will be made public by the administrator in the second quarter of 2025.

The Enforceable Undertaking provides:

1. Background

1.1. This enforceable undertaking is given by Meta Platforms, Inc. (Meta) to the Australian Information Commissioner (Commissioner) under section 114 of the Regulatory Powers (Standard Provisions) Act 2014 (Regulatory Powers Act) in conjunction with the discontinuance of Federal Court of Australia Proceeding No NSD 246 of 2020 (the Civil Penalty Proceedings) against all Respondents, on a without prejudice basis and without any admission of liability. The Civil Penalty Proceedings followed investigations by the OAIC concerning the Cambridge Analytica Incident, the facts of which are described below together with a background to the Civil Penalty Proceedings.

1.2. Meta offers this enforceable undertaking in its capacity as the provider of the Facebook service to users in Australia from 14 July 2018 onwards. Prior to 14 July 2018, and during the period in which the Cambridge Analytica Incident described below occurred, Meta Platforms Ireland Limited provided the Facebook service to users in Australia.

The Cambridge Analytica Incident

1.3. In April 2010, Meta launched the Graph Application Programming Interface (Graph API). The Graph API allowed third party apps to access, with permission from users who installed the third party app using the Facebook Login tool, certain information, e.g., their name, birthdate, etc., from installers of the app and their friends (if both users’ privacy settings allowed it). Under the first version of Graph API (Graph API Version 1), which was in place from 21 April 2010 to 30 April 2015 for pre-existing apps, third party apps could request access to certain information (1) from the installing user’s account; and (2) that the installing user’s Facebook friends had chosen to share with the installing user. The Graph API would provide the information sought on an automated basis, so long as the installing user authorised the request, the user and their friends had not opted out of the Facebook platform (which would allow the user to opt out of providing access to information to third party apps), subject to the privacy and application settings of the user and their friends.

1.4. In November 2013, Dr Aleksandr Kogan, a professor at Cambridge University, launched a third party app relevantly known as “thisisyourdigitallife” (the Life App) using Graph API Version 1. Before doing so, Dr Kogan agreed to Meta’s terms of service and its terms for developers of third party apps using the Facebook platform and the Graph API. The Life App, which presented itself to users as a quiz app, requested via a dialog box at the time of installation, installing users’ permission to access certain categories of their information as well as certain categories of information that their Facebook friends shared with them.

1.5. In December 2015, upon learning from media reports that Dr Kogan and his company, Global Science Research Limited (GSR), may have been transferring user information to Cambridge Analytica (UK) Ltd, a British data analytics company, and its parent company, Strategic Communication Laboratories (together, SCL) (in contravention of contractual obligations owed to Meta), Meta launched an investigation and terminated the Life App’s use of the Graph API and access to Facebook Login.

1.6. Based on this investigation, Meta concluded that Dr Kogan and GSR had violated its terms in several respects. Meta subsequently obtained certifications that Dr. Kogan, GSR, and other third parties (including SCL) with whom Dr Kogan had shared user information had deleted the information. The information that was transferred to SCL related primarily to users in the United States. Neither Meta, nor Meta Platforms Ireland Limited, are aware of any evidence that Dr Kogan provided SCL with information on Facebook users from Australia.

The OAIC’s Investigation and the Civil Penalty Proceedings

1.7. On 5 April 2018, the Commissioner initiated an investigation under section 40(2) of the Privacy Act 1988 (Cth) (Privacy Act) in relation to reports that Australian users’ information may have been improperly shared with Cambridge Analytica (UK) Ltd via the Life App. During the investigation, which extended to Meta, Meta Platforms Ireland Limited and Facebook Australia Pty Ltd, the Commissioner raised concerns that Meta may have interfered with the privacy of Australian individuals in contravention of Australian Privacy Principles (APPs) 1.2, 5, 6, 10 and 11 of the Privacy Act (Investigation).

1.8. On 9 March 2020, the Commissioner commenced the Civil Penalty Proceedings and concluded the above investigation. In the Civil Penalty Proceedings, as further particularised in the Amended Statement of Claim dated 2 June 2023, the Commissioner alleged that Meta’s systems and practices raised concerns about the protection of personal information of Australian Facebook users in relation to the Cambridge Analytica incident, and that, based on its Investigation, Meta and Meta Platforms Ireland Limited may have contravened section 13G of the Privacy Act through serious or repeated breaches of APPs 6.1 and 11.1. The Commissioner alleged that, throughout the time the Life App was available to Facebook users, approximately:

    • 1.8.1. 53 Facebook users located in Australia installed the Life App; and
    • 1.8.2. 311,074 Facebook users located in Australia could have had their personal information requested by the Life App as friends of installing Facebook users.

2. Meta’s Response to the Cambridge Analytica Incident

2.1. Meta acknowledges:

    • 2.1.1. that under the Privacy Act, Meta must not do an act, or engage in a practice, that breaches an APP;
    • 2.1.2. the Commissioner’s concerns identified in paragraphs 1.7 and 1.8.

2.2. Meta represents, and the Commissioner acknowledges, that:

    • 2.2.1. Meta no longer permits third party app developers to access from Meta an installing user’s friend’s information, unless that friend has also installed the app and authorised it to have access to that information;
    • 2.2.2. since the period relevant to the Civil Penalty Proceedings, being 12 March 2014 to 1 May 2015 (Relevant Period), Meta has dedicated significant and increased resources to monitoring third party apps and enforcing Meta’s terms and policies;
    • 2.2.3. since the Relevant Period, Meta substantially reduced the number of information fields available that third party app developers (via Facebook Login) may request an installing user’s permission to access, examples of information fields that have been removed include: (i) the installing user’s friends’ information, excluding the circumstances specified in paragraph 2.2.1; and (ii) the installing user’s religion, political views and relationship details;
    • 2.2.4. since the Relevant Period, Meta has continued to implement granular data permissions processes to allow a user who installs a third party app to decide which categories of certain information they will share with the third party app; and
    • 2.2.5. Meta monitors the compliance of third party app developers of consumer apps with Meta’s Platform Terms through measures including, but not limited to, ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing at least once every 12 months.

3. Meta’s Enforceable Undertaking to the Commissioner

3.1. Meta offers this enforceable undertaking to the Commissioner under section 114 of the Regulatory Powers Act, including to address the concerns in paragraphs 1.7 and 1.8.

3.2. This undertaking comes into effect when:

    • 3.2.1. it is executed by Meta; and
    • 3.2.2. this undertaking, so executed, is accepted by the Commissioner (the Commencement Date).

3.3. This undertaking ceases to have effect upon the completion of the Payment Program (as defined at paragraph 4.1 below).

4. Undertaking to Establish Payment Program

4.1. Meta undertakes to implement a payment program open to Eligible Australian Users in recognition of the Commissioner’s concern that those users may have suffered loss or damage as a result of interferences with their privacy arising from the conduct the subject of the Commissioner’s concerns as identified in paragraphs 1.7 and 1.8 above in accordance with Parts 5 and 6 of this enforceable undertaking and fulfill each of its obligations set out in Parts 4 to 7 of this enforceable undertaking (Payment Program).

4.2. Meta undertakes to:

    • 4.2.1. engage an independent third party administrator (the Administrator);
    • 4.2.2. direct the Administrator to administer the Payment Program in accordance with:
      • 4.2.2.1. Parts 5 and 6 of this enforceable undertaking; and
      • 4.2.2.2. any instructions for the Payment Program given to the Administrator by Meta (Scheme Instructions); and
    • 4.2.3. complete the Payment Program within 2 years from the Commencement Date or such longer period as agreed between the Commissioner and Meta.

5. Eligible Australian Users

5.1. A person is an “Eligible Australian User” if the person:

    • 5.1.1. held a Facebook Account at any time during the period of 2 November 2013 and 17 December 2015 (Eligibility Period);
    • 5.1.2. was located in Australia for 30 days or more during the Eligibility Period; and
    • 5.1.3. during the Eligibility Period, either:
      • 5.1.3.1. installed the Life App using Facebook Login; or
      • 5.1.3.2. did not install the Life App but was Facebook friends with another Facebook user who had installed the Life App using Facebook Login.

5.2. Subject to paragraphs 5.3 to 5.5, an Eligible Australian User can register with the Administrator as a “Claimant” under the Payment Program if they submit to the Administrator within the registration period prescribed by the Administrator (Registration Period) a valid Registration Form and evidence in such form as prescribed, verifying that the person:

    • 5.2.1. is an Eligible Australian User under paragraph 5.1;
    • 5.2.2. holds a genuine belief that as a direct consequence of the conduct the subject of the Commissioner’s concerns identified in paragraphs 1.7 and 1.8, they have suffered loss or damage, being either:
      • 5.2.2.1. specific economic and/or non-economic loss and/or damage (beyond a generalised concern or embarrassment) (Class 1); or
      • 5.2.2.2. a generalised concern or embarrassment (Class 2).

5.3. The Registration Form will be prepared by the Administrator in consultation with Meta and may set the standard of verification and evidence that a Claimant must provide for each eligibility criterion by the end of the Registration Period, including by way of statutory declaration or identity verification as considered appropriate.

    • 5.3.1. For paragraphs 5.1.3 and 5.2.2.2, Meta must direct the Administrator to not require more than a valid statutory declaration.

5.4. Notwithstanding paragraphs 5.2 and 5.3, the Administrator may, in its absolute discretion, determine that a person will not be:

    • 5.4.1. an Eligible Australian User where the Administrator is unable to verify that the person meets the requirements of Part 5 of this enforceable undertaking based on the information available to the Administrator;
    • 5.4.2. a Claimant where the Administrator determines that:
      • 5.4.2.1. the person provided the Administrator with false information, or that the person’s registration is otherwise fraudulent;
      • 5.4.2.2. the person has previously registered as a Claimant;
      • 5.4.2.3. if the person registered to receive payment from Meta, or any of its affiliated or related entities, in a proceeding, investigation or other legal action in any jurisdiction outside of Australia that relates to, or arose out of, the factual background detailed in paragraphs 1.3 to 1.6 of this enforceable undertaking, such as the US settlement of In re: Facebook, Inc. Consumer Privacy User Profile Litigation, Case No. 3:18-md-02843-VC (N.D. Cal.); or
      • 5.4.2.4. the person is not otherwise eligible in accordance with the Scheme Instructions.

5.5. For the avoidance of any doubt, a person:

    • 5.5.1. is not a Claimant if the person has not registered in accordance with paragraphs 5.2 and 5.3 during the Registration Period; and
    • 5.5.2. cannot register as a Claimant in both Class 1 and Class 2.

6. Payment Program

6.1. Meta undertakes to, within 60 days of the Commissioner filing a Notice of Discontinuance in the Civil Penalty Proceedings, pay an amount of $50 million (the Contribution Amount) to the Administrator for the Administrator to use to make payments to Claimants (Payments) in accordance with paragraphs 6.2 to 6.9.

6.2. Following the payment of the Contribution Amount by Meta in accordance with paragraph 6.1, Meta will:

    • 6.2.1. notify the Commissioner that the Contribution Amount has been paid to the Administrator;
    • 6.2.2. direct the Administrator to make information available on a website established by the Administrator regarding the Payment Program, including how Eligible Australian Users can register with the Administrator as a Claimant;
    • 6.2.3. use reasonable best efforts to:
      • 6.2.3.1. identify, based on Meta’s available records, persons that may be Eligible Australian Users; and
      • 6.2.3.2. facilitate electronic notice of the Payment Program to those persons;
    • 6.2.4. direct the Administrator to take reasonable steps to publicise the Payment Program within Australia.

6.3. The Payment that a Claimant receives will depend on whether the Administrator determines that the Claimant is a Class 1 or Class 2 Claimant.

6.4. In performing its obligations under Parts 5 and 6, the Administrator will apply any Scheme Instructions, including any cap to apply to Payments made to Claimants and the principle that all Class 2 Claimants be paid the same amount.

6.5. Subject to the Scheme Instructions, following the end of the Registration Period, the Administrator will:

    • 6.5.1. evaluate and determine, using evidence available to the Administrator at that time, in the Administrator’s absolute discretion whether:
      • 6.5.1.1. a person is an Eligible Australian User (in accordance with Part 5); and
      • 6.5.1.2. if a person registers as a Claimant in Class 1, the person has provided sufficient supporting evidence to substantiate their claim that they have suffered loss or damage in Class 1;
    • 6.5.2. determine the number of Claimants in each of Class 1 and Class 2;
    • 6.5.3. commence the process for determining the Payment that each Class 1 and Class 2 Claimant is entitled to receive, in accordance with this Part 6; and
    • 6.5.4. notify Meta that the process referred to in paragraph 6.5.3 above has begun, at which point Meta will within 24 hours notify the Commissioner thereof.

6.6. The Scheme Instructions will provide for the Administrator to include a timely internal review avenue for:

    • 6.6.1. any decision by the Administrator to reject a Claimant’s Class 1 registration and allocate the Claimant to Class 2; and
    • 6.6.2. assessment of any Payment amount that is to be made to a Claimant in Class 1.

6.7. Following the conclusion of the process in 6.5, in accordance with paragraphs 6.3 and 6.4, the Administrator will:

    • 6.7.1. finalise its determination including any internal review of any Payment that is to be made to a Claimant in either Class 1 or Class 2;
    • 6.7.2. once all determinations are completed in accordance with paragraph 6.7.1, notify Meta of:
      • 6.7.2.1. the total number of Claimants; and
      • 6.7.2.2. the aggregated amount to be distributed to all Claimants; and
    • 6.7.3. make a timely Payment to each such Claimant.

6.8. Following receipt of the notification set out at paragraph 6.7.2, Meta will within 24 hours notify the Commissioner thereof.

6.9. If the total aggregate sum of Payments made to Claimants under paragraph 6.7 is less than the Contribution Amount, Meta will direct the Administrator to pay the residual amount to the Australian Government’s Consolidated Revenue Fund.

6.10. If, when performing its obligations under Parts 5 and 6 of this enforceable undertaking, the Administrator informs Meta that it will not be able to comply with any deadline specified in this undertaking, Meta will:

    • 6.10.1. promptly inform the Commissioner, and the OAIC, of the extent and reasons for the delay;
    • 6.10.2. in consultation with the Administrator, determine a date by which the Administrator will reasonably be able to complete the actions specified;
    • 6.10.3. propose the modified date(s) to the Commissioner and seek to agree any necessary extension; and
    • 6.10.4. cause the Administrator to notify Claimants of the delay and the amended date(s) agreed with the Commissioner (if applicable).

7. Compliance

7.1. Subject to any confidentiality obligations owed by Meta, the OAIC may request in writing from time to time and Meta will provide to it, documents and information that are reasonably necessary for the purpose of assessing Meta’s compliance with Parts 4 to 6 of this enforceable undertaking.

7.2. Meta will use its best endeavours to provide documents and information in response to any request under paragraph 7.1 within 14 days of the request.

8. Other matters

8.1. Meta acknowledges that the Commissioner:

    • 8.1.1. will publish this enforceable undertaking as well as a summary of the undertaking, on the OAIC website;
    • 8.1.2. may issue a statement on acceptance of this enforceable undertaking referring to its terms and to the circumstances which led to the Commissioner’s acceptance of the undertaking; and
    • 8.1.3. may from time to time publicly refer to this enforceable undertaking, including any breach of this enforceable undertaking by Meta.

8.2. Meta acknowledges that:

    • 8.2.1. The Commissioner’s acceptance of this enforceable undertaking does not preclude the Commissioner’s power to investigate, power not to investigate further, or the exercise of any of the Commissioner’s functions under the Privacy Act in relation to: (i) the representative investigation opened by the Commissioner under sub-section 40(1) of the Privacy Act on 21 October 2019 (referred to by the Commissioner using the reference number CP18/01262); or (ii) any contravention that concerns conduct that is outside the scope of the Civil Penalty Proceedings or Investigation.
    • 8.2.2. If the Commissioner considers that Meta has breached this enforceable undertaking, the Commissioner may apply to the Federal Court or Federal Circuit Court to enforce the undertaking under s 115 of the Regulatory Powers Act.

8.3. The Commissioner’s acceptance of this enforceable undertaking is not a finding that Meta has contravened the Privacy Act or the APPs.

8.4. Meta gives this enforceable undertaking on a without prejudice basis, and without any admission of liability as to the matters raised in the Investigation or Civil Penalty Proceedings. Any representations made or acknowledgments given by Meta in this enforceable undertaking, whether express or implied, are made without prejudice or admission of liability. In giving this enforceable undertaking, neither Meta nor any of its affiliated or associated entities are precluded from taking any position or relying on any facts or factual statements in any legal or regulatory proceedings in Australia or in any other jurisdiction in relation to any matter that was within the scope of the Commissioner’s investigations referred to in paragraphs 1.7 and 8.2.1, the Civil Penalty Proceedings or which otherwise relate to the Cambridge Analytica Incident described at paragraphs 1.3 to 1.6.

9. Confidentiality

9.1. The Commissioner acknowledges that information provided by Meta, or the Administrator, to the Commissioner and OAIC in accordance with this enforceable undertaking may contain sensitive commercial information (Commercial-in-confidence Information).

9.2. The Commissioner acknowledges that any such Commercial-in-confidence Information is provided by Meta, or the Administrator, in confidence.

9.3. The Commissioner:

    • 9.3.1. will only publish or otherwise disclose any Commercial-in-confidence Information with Meta’s written agreement, unless otherwise required by law; and
    • 9.3.2. will only use any Commercial-in-confidence Information for the purpose of exercising the Commissioner’s powers, or performing functions or duties in the Privacy Act.

The story is reported in the Guardian, the Age and the Australian (sort of).

The Age article provides:

Facebook users will receive a shared $50 million payment after parent company Meta agreed to a record settlement with Australia’s information commissioner, ending years of legal proceedings.

The commissioner launched Federal Court action against Meta in 2020 over the tech giant’s infamous Cambridge Analytica privacy scandal, in which hundreds of millions of Facebook users allegedly had their personal data released, without their consent, to British consulting firm Cambridge Analytica, which was then used for political advertising purposes.

The scandal led to the downfall of Cambridge Analytica, spurred a #deleteFacebook movement globally and bore a Netflix documentary, titled The Great Hack.

The landmark payment, announced on Tuesday, will end the legal proceedings, and will be paid out next year to potentially tens of thousands of Australian Facebook users. About 311,000 Australian Facebook users are understood to be affected.

In 2022, Meta paid $US1.1 billion in the US to settle legal action relating to the scandal. The $50 million in Australia will be the largest settlement paid by Meta over the scandal outside the US.

The settlements relate to a Facebook app called This Is Your Digital Life, which collected psychological data of millions of Facebook users and their friends. The information was harvested and sold to Cambridge Analytica, which used it to help the 2016 presidential election campaigns of Ted Cruz and Donald Trump. Facebook chief executive Mark Zuckerberg has apologised for the practice, calling it a “mistake” and a “breach of trust”.

“Today’s settlement represents the largest-ever payment dedicated to addressing concerns about the privacy of individuals in Australia,” Australian Information Commissioner Elizabeth Tydd said in a statement on Tuesday.

“It represents a substantive resolution of privacy concerns raised by the Cambridge Analytica matter, gives potentially affected Australians an opportunity to seek redress through Meta’s payment program, and brings to an end a lengthy court process.”

Tydd said Meta would appoint a third party to administer the payment scheme, to be announced early next year.

The payments would be available to “individuals who were present in Australia for more than 30 days between November 2, 2013 and December 17, 2015, and either installed the This Is Your Digital Life app, or who were Facebook friends of an individual who installed the This Is Your Digital Life app”, the regulator said.

Affected Facebook users could “apply for a base payment based on generalised concern or embarrassment, or an alternative amount if they can demonstrate specific loss or damage”, the regulator said.

A Meta spokeswoman said the social networking giant “settled on a no-admissions basis, as it is in the best interest of our community and shareholders that we close this chapter on allegations that relate to past practices no longer relevant to how Meta’s products or systems work today”.

“We look forward to continuing to build services Australians love and trust with privacy at the forefront,” the spokeswoman said.

The Guardian article provides:

Office of the Australian Information Commissioner announces deal with Meta over scandal that may have affected 300,000 users

Potentially hundreds of thousands of people who had their Facebook data harvested as part of the Cambridge Analytica scandal could be compensated, after Meta agreed to an A$50m settlement with Australia’s privacy regulator.

The settlement, announced by the Office of the Australian Information Commissioner (OAIC) on Tuesday, follows a four-year legal battle against Meta over the scandal, and two years since a US$725m legal settlement was reached in the United States.

The Australian information commissioner, Elizabeth Tydd, said the new settlement represented “the largest ever payment dedicated to addressing concerns about the privacy of individuals in Australia”.

“It represents a substantive resolution of privacy concerns raised by the Cambridge Analytica matter; gives potentially affected Australians an opportunity to seek redress through Meta’s payment program; and brings to an end a lengthy court process,” Tydd said.

In 2018, the Observer revealed Cambridge Analytica, a data analysis company, had harvested millions of Facebook profiles to aid the campaign of Donald Trump and the pro-Brexit campaign in the United Kingdom.

Under the guise of a personality quiz, the app on Facebook would collect information not only by the user who took the quiz, but also information about their friends on Facebook.

In Australia, the OAIC launched legal action in 2020, alleging the breach of privacy of Australian users, and in court documents estimated that only 53 people in Australia installed the quiz app, named This is Your Digital Life.

But the app also obtained the data of the friends of those who downloaded it, with an estimated 311,127 affected.

Under the enforceable undertaking agreed to by Meta, the social media platform will be required to set up a payment scheme run by a third-party administrator from early next year.

Those who will be eligible for compensation will need to have had a Facebook account between 2 November 2013 and 17 December 2015; been present in Australia for more than 30 days in that period; and either installed the This is Your Digital Life app or were Facebook friends with someone who had.

There will be two tiers of payment: one with a base payment if they’ve experienced generalised concern or embarrassment from the matter, and a second category where people will need to demonstrate they’ve suffered loss or damage.

The OAIC estimates people will be able to apply for compensation in the second quarter of 2025, with any leftover funds from the $50m to be paid into the Commonwealth consolidated revenue fund. Meta has also paid a contribution to the OAIC’s legal fees.

A spokesperson for Meta said the settlement was about closing a chapter on the allegations.

“We settled as it is in the best interest of our community and shareholders that we close this chapter on allegations that relate to past practices no longer relevant to how Meta’s products or systems work today,” the spokesperson said. “We look forward to continuing to build services Australians love and trust with privacy at the forefront.”

Much of the delay in the legal case in Australia came after Meta had attempted to argue it was not conducting business in Australia, which would have limited the OAIC’s ability to regulate the company in Australia. The argument was rejected by the high court.
