Australia’s Information Commissioner is suing Facebook over the social media platform's handling of user data that fuelled the Cambridge Analytica scandal.

The Office of the Australian Information Commissioner (OAIC) opened proceedings in the Federal Court against the social media giant yesterday, alleging breaches of the Privacy Act through “seriously and/or repeatedly [interfering] with the privacy of approximately 311,127 Australian Facebook users”.

Each contravention of the Privacy Act has a maximum penalty of $1.7 million and, with over 300,000 breaches, could see Facebook facing a total fine of more than $500 billion should the action succeed.

In the court filings, the OAIC claims Facebook disclosed personal data of users through the “This is Your Digital Life” app.

The app – a personality quiz that was subsequently removed from the platform – scraped profile data from not only the people who installed it but their friends as well thanks to a feature in Facebook’s API.

This is Your Digital Life then passed the mass of information onto controversial data analytics company Cambridge Analytica which allegedly used the data to influence elections.

In 2018, Facebook confirmed information from 80 million users had been harvested through the app. More than 300,000 of those were Australian.

Because the private data was collected and distributed for reasons beyond those for which it was collected, the OAIC claims Facebook is in breach of Australian law.

“All entities operating in Australia must be transparent and accountable in the way they handle personal information, in accordance with their obligations under Australian privacy law,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

“We consider the design of the Facebook platform meant that users were unable to exercise reasonable choice and control about how their personal information was disclosed.

“Facebook’s default settings facilitated the disclosure of personal information, including sensitive information, at the expense of privacy.

“We claim these actions left the personal data of around 311,127 Australian Facebook users exposed to be sold and used for purposes including political profiling, well outside users’ expectations.”

Two years too late

Regulation and legal proceedings tend to lag a long way behind the ‘move fast and break things’ ethic of Silicon Valley – a criticism that Shadow Attorney General, Mark Dreyfus, leveled against the government.

"We are concerned that the Information Commissioner is only acting now, two years after we first became aware of allegations Cambridge Analytica had breached the privacy of 300,000 Australians," Dreyfus said in a joint statement with two other Labor MPs.

"This is a full year after the US, and 18 months since the UK regulator took similar action against Facebook, raising serious questions about whether the OAIC has been adequately resourced by the Morrison Government."

It took five months for the government to deliver its soft response to an enquiry into tech giants by the competition watchdog that ended up spawning more lengthy enquiries but little in the way of concrete action.

The loose treatment of private user data by powerful tech companies has been a long-standing issue for privacy advocates. Recently it was revealed images from public social media profiles were scraped by an Australian facial recognition company, Clearview AI, which has used the images to make a tool that is used by law enforcement to instantly identify suspects.

Director of advocacy group Responsible Technology Australia, Chris Cooper, said in response to the OAIC court filing that the government should keeping putting regulatory pressure on social media giants like Facebook.

"Despite the many benefits of social media, we should also recognise it can and does cause harm to Australian society,” Cooper said in a statement.

“This summer alone we have seen the proliferation of fake news about bushfires and COVID-19 impact directly on our communities – we are now realising we need greater transparency about how these platforms operate and use our data.

"Saying it's the responsibility of the individual user to manage how their data is used is no longer good enough. Even if you try to opt out entirely, social media is pervasive and affects us all, which is why we need a systemic overhaul of how we regulate social media.”