The Australian privacy regulator’s case accuses Facebook of serious and repeated breaches of privacy law, saying its actions left the data of about 311,127 Australian Facebook users exposed to being sold and “used for purposes including political profiling, well outside users’ expectations”. The proceedings were brought against Facebook Inc, the tech giant’s US entity incorporated in Delaware. Its other entity, Ireland Ltd, is registered in its European namesake.
Because both entities exist outside of Australia, the regulator had to convince a court it had a prima facie case that both companies carried out business in Australia and may have contravened Australia’s privacy laws.
The federal court ruled in April that such a case existed, and gave the OAIC leave to serve documents on Facebook’s US-based entity, Facebook Inc.
Media captionHow the Facebook-Cambridge Analytica data scandal unfolded US regulators have approved a record $5bn (£4bn) fine on Facebook to settle an investigation into data privacy violations, reports in US media say. The FTC began investigating Facebook in March 2018, following reports that Cambridge Analytica had accessed the data of tens of millions of its users.
A month later, Facebook Inc applied to have the court’s ruling set aside.
Facebook Inc argued it did not carry out business in Australia at the time of the Cambridge Analytica scandal.Facebook lost that argument on Monday, when Justice Thomas Thawley found against the company. Thawley is yet to deliver any reasons for his judgment. But in a statement, the OAIC said the court was “satisfied that the commissioner had established a prima facie case that Facebook Inc was carrying on business in Australia, and was collecting and holding personal information in Australia at the relevant time”.
“While these matters remain to be established at trial, the court held the matters were sufficiently arguable to justify service outside of Australia and subjecting Facebook Inc to proceedings in Australia,” the OAIC said.It said Facebook’s Irish entity had not applied to have the ruling set aside.
A Facebook spokeswoman said: “We are aware of the court’s decision today and we are reviewing it carefully.”
In the April ruling, the federal court said the evidence suggested that Facebook Ireland was the provider of the Facebook service to Australian users, making it responsible for the collection and storage of personal information of those users.
But it also said the evidence suggested that Facebook Ireland was providing the service to Australian users as an agent for the US-based Facebook Inc.
“The contractual relationship between Facebook Ireland and Facebook Inc is such that a prima facie case is also shown as against Facebook Inc,” the court ruled in April.The data harvested by Cambridge Analytica was collected through a personality quiz app, named This is Your Digital Life.
Only 53 people in Australia installed the app, according to court documents. But the app was also able to access the data of friends.
The OAIC alleged the data of 311,127 Australians was exposed in total.
Each contravention of the Privacy Act brings a potential maximum penalty of $1.7m. The OAIC is alleging multiple breaches but has not indicated whether it will seek financial penalties for each affected user.