Social media giant Meta could pay over $1.1 billion ($US725 million) in damages to settle privacy claims arising from its data sharing partnership with UK firm Cambridge Analytica, whose work with Meta-owned Facebook violated the privacy of up to 87 million users.

The proposed settlement would finally end a long-running saga that began in 2018 and “has already been extremely expensive, complex, and lengthy,” a recent court filing noted in warning that further litigation would likely drag on for years and “involve complexity at almost every level.”

“The risk of long-lasting litigation is further increased by the considerable resources available to both Facebook and to their counsel,” the proposed settlement document notes.

The Cambridge Analytica scandal emerged after revelations that the data of 87 million Facebook users – including an estimated 311,127 Australian users – was “improperly shared” with the company, which subsequently shut its doors after igniting a long-running discussion about digital giants’ indiscriminate harvesting, analysis, and sale of massive volumes of personal data.

The case revolved around the use of a personality-testing app called MyDigitalLife, which was downloaded by around 300,000 Facebook users but gave Cambridge Analytica indiscriminate access to the Facebook friends of those users – extending the scope of its data collection activities exponentially.

The data was not only shared with the analytics firm, class-action litigants Keller Rohrback LLP and Bleichmar Fonti and Auld LLP said, but was sold by Facebook to partners including Netflix, Lyft, Yandex, Airbnb, and more.

The $1.1 billion settlement would be an “outstanding result” and the largest privacy settlement in history, the filing notes, pipping Facebook’s $1 billion ($US650 million) settlement in 2021 over its use of biometric information, and the $775 million ($US500 million) settlement in 2020 over Equifax’s own privacy compromise.

If approved, the proposed settlement “will provide meaningful relief to the class in this complex and novel privacy case,” co-lead counsellors Derek Loeser of Keller Rohrback LLP and Lesley Weaver of Bleichmar Fonti and Auld said in a joint statement as the details of the settlement were released.

“We have reached this point only because our teams of lawyers and professionals have dedicated years of hard work to this case,” the lawyers said.

Counting the cost of privacy breaches

The proposed Meta settlement comes as beneficiaries of the Equifax settlement finally begin receiving the funds they are due under that class action, which was finalised in January 2020 but only began disbursing funds to recipients in December 2022.

The amounts of those payments – which are being taken from a $661 million ($US425 million) restitution fund – cover a range of expenses, Equifax explained, including credit monitoring for US consumers affected in the breach; “actual out of pocket losses” related to the breach; and “other consumer benefits such as identity restoration services.”

The Equifax breach – which saw four Chinese hackers charged with a 2017 hack that compromised the data of around 145 million Americans – set the high water mark for large-scale compromise of personal identity details, with US government authorities spelling out the credit reporting options available to victims.

Reports suggested that demand for the Equifax settlement was so high that many claimants were receiving just a fraction of the expected $194 ($US125) payment, with estimates suggesting that only 248,000 people had received the full amount and that others had received a proportionally adjusted amount.

Whatever financial benefits the new Meta settlement provides for its victims, it is the latest reminder of the importance of proper data security and data handling practices – and the risks that come when those practices are compromised.

Last year’s high-profile breaches of Medibank and Optus – which demonstrated just how exposed Australians’ personal data is to compromise and exploitation – stoked sentiment for stronger penalties for companies and their executives, with APRA last year promising greater scrutiny of executive pay at compromised companies.

With an average of 22 Australian online accounts breached every minute during the fourth quarter of 2022, according to Surfshark’s Data Breach World Map, Australia had the highest density of data breaches in the world – spiking by 489 per cent in the quarter as more than 1.88 million Australian user profiles were stolen during October and November alone.