March 9, 2020

Watershed moment: Australian Privacy Commissioner launches proceedings for breach of privacy

The Office of the Australian Information Commissioner (OAIC) has today filed proceedings against Facebook, in relation to the use and disclosure of information obtained by Facebook through its 'This is Your Digital Life' app.

OAIC allegations

The OAIC is alleging that Facebook has committed serious and/or repeated interferences with the privacy of its users, by disclosing information to This Is Your Digital Life between March 2014 and May 2015 without the consent of users, in breach of the Australian Privacy Principles (APP 6). The OAIC also alleges breaches of APP 11, by failing to take reasonable steps to prevent unauthorised disclosure of personal information.

Alleging systemic failures by Facebook to comply with Australian Privacy Laws, Privacy Commissioner, Angelene Falk, has released a statement remarking that "Facebook's default settings facilitated the disclosure of personal information, including sensitive information, at the expense of privacy". Commissioner Falk has also remarked that "these actions left the personal data of around 311,127 Australian Facebook users exposed to be sold and used for purposes including political profiling, well outside users’ expectations.”

Potential financial implications

The decision to launch proceedings in the Federal Court provides some certainty to a longstanding question about how this incident would be treated by the OAIC. 

We anticipate that this decision will resolve a number of outstanding questions surrounding data misuse incidents, including namely whether Corporate Australia will be penalised for data misuse incidents and if so, what the measure of damages and / or fines will be.

Given the timing of the events underpinning the action and law reform since, the Federal Court can only impose a civil penalty of up to AUD 1.7 million for each serious and/or repeated interference with privacy (as per the penalty rate applicable in 2014–15).

Broader implications for data misuse incidents

This is a watershed moment in Australia's privacy history and one which will shape the class action and tech liability landscape going forward.  We will continue to report on the implications of these proceedings to the market, including the implications for the insurance industry across various lines of business.

For more information about the implications of privacy litigation and the OAIC's powers, you can read our previous reports here and here. More information about the proceeding itself is available on the OAIC's website.

How can we help?

Clyde & Co has the largest dedicated and rapidly expanding cyber incident response practice in Australia and New Zealand. Our experienced team have dealt with over 1,000 data breach and technology related disputes in recent times, including a number of the largest and most complex incidents in Asia Pacific to date.

From pre-incident readiness, breach response, through to defence of regulatory investigations and proceedings, as well as recovery actions against wrongdoers, we assist clients in Asia Pacific across the full cyber lifecycle. Our team is also highly regarded for their expertise and experience in managing all forms of disputes across sectors including advising on some of the most newsworthy class actions commenced in Australia.

Our 24 hour cyber incident response hotline or email allows you to access our team directly around the clock. For more information, contact us on: