Facebook owner Meta has been stung $20m by the Federal Court for deceptive conduct over a data mining VPN product. However, the social media giant’s penalty could have been far higher, the judge warned.

While the penalties could have been over $145 billion, the judge ruled the $20 million dollar fine agreed between the parties would ‘sting’ the business. Earlier on Wednesday, Meta reported quarterly revenue of US$32bn and a profit of US$7.7bn.

The case against Meta and its subsidiaries Facebook Israel and Onava was launched in December 2020, with the Australian Competition and Consumer Commission (ACCC) alleging “Facebook did not properly disclose to customers the fact that Onavo Protect was harvesting data about app and internet usage on devices where it was installed.”

During the three years the Onavo Protect app was available for download in Australia, it was downloaded over 270,000 times. The service was available for active use between December 2016 and May 2019.

In an agreed statement of facts tendered during the action, the parties admitted Onava shared with Meta data about users’ internet and app activity, including records of every app they accessed and time they spent using those apps to support Meta’s market research activities. None of this was disclosed to users of the product.

On Wednesday, Justice Abraham handed down fines of $10m to both Facebook Israel and Onava along with a share of the ACCC’s costs.

In the ruling, the Judge pointed out that under the Australian Consumer Law, the penalties could have been far higher, stating: “Although the precise number of occasions on which an Australian consumer viewed the Listings for Onavo Protect is unknown, during the Available Period, it was installed by Australian users on 271,220 separate occasions”.

“Even if only half of the total downloads were made by separate Australian consumers, it still implies a maximum penalty of more than $145 billion.”

However she went on to say, “I am satisfied the agreed penalty of $20 million, in the circumstances, satisfies the significant element of deterrence required in this proceeding. It carries with it a sufficient sting to ensure that the penalty amount is not such as to be regarded by the parties or others as simply an acceptable cost of doing business.”

The penalty is the latest Onavo embarrassment for Meta and Facebook since the Israeli company was acquired by the Silicon Valley giant in 2013 for US$120m.

In 2019, the Onavo Protect VPN product triggered Apple revoking Facebook’s Enterprise Certificates after the scale of its privacy violations became known.

Apple’s move meant Facebook’s internal messaging and management apps became inoperable on iOS devices and while the certificates were reinstated at the end of the year the product had already been ‘sunsetted’ by its owners.

ACCC Chair Gina Cass-Gottlieb welcomed the ruling, saying: “We took this case knowing that many consumers are concerned about how their data is captured, stored and used by digital platforms. We believe Australian consumers should be able to make an informed choice about what happens to their data based on clear information that is not misleading,”

“In the case of the Onavo Protect app, we were concerned that consumers seeking to protect their privacy through a virtual private network were not clearly told that in downloading and using this app they were actually facilitating the use of their data for Meta’s commercial benefit.”

The Federal Court of Australia has approved the penalty Facebook Israel and Onavo Inc jointly proposed with the ACCC regarding disclosures by the app Onavo Protect in the Apple App Store and Google Play Store in 2016 and 2017.

A Meta spokesperson told Information Age: "The ACCC acknowledged in the joint filing that the Onavo Protect listings were not deliberately misleading and disclosures were made in the app’s Terms of Service and Privacy Policy. Furthermore, all user data was anonymised and aggregated before it was used by Meta.

"The Onavo Protect app did provide users with a free, useful VPN service and it did function properly as an online security tool. There was no allegation by the ACCC that the app did not function properly as an online security tool.

"Protecting the privacy and security of people’s data is fundamental to how Meta’s business works. Over the last several years, we have built tools to give people more transparency and control over how their data is used, and we design every new product and feature with privacy in mind."