Australia's privacy watchdog is suing Facebook for exposing the personal data of more than 300,000 Australians as part of the Cambridge Analytica data-slurp scandal.
In a case lodged (PDF) with the Federal Court today, the Australian Information Commissioner, Angelene Falk, accused Facebook of exposing the data of 311,127 Australians between March 2014 and May 2015 through the This Is Your Digital Life app, a quiz that harvested the data of 87 million users worldwide.
The app, created by academic Aleksandr Kogan, was able to suck up so many users' profiles because Facebook's policies for developers using its Graph API at the time allowed apps to gather data not only from users, but also all of their friends.
The data was then sold on to consultants Cambridge Analytica, which used the data for political profiling, serving clients such as Donald Trump's election team and the Leave campaign in the UK Brexit referendum. Although Cambridge Analytica registered a business in Australia shortly after Trump's election, it was not used by any of the country's political parties.
"The design of the Facebook platform meant that users were unable to exercise reasonable choice and control about how their personal information was disclosed," Falk said in a statement.
"Facebook's default settings facilitated the disclosure of personal information, including sensitive information, at the expense of privacy."
The suit seeks a maximum penalty of AU$1.7m (£870,000) per person, meaning Facebook faces a AU$529bn (£266bn) fine if the court awards the max civil penalty for each of the 311k+ people affected.
Last July, the US Federal Trade Commission fined Facebook a record $5bn for "deceiving users" about their control over private data. The UK's Information Commissioner's Office also fined Facebook £500,000 – the maximum penalty available to the ICO under the 1998 Data Protection Act – for the leaks in 2018. The updated Data Protection Act 2018, which applies to any incident after 25 May 2018, gives the commissioner power to fine companies up to 4 per cent of their global turnover.
In the previous cases, the data exposed included users' names, dates of birth, email addresses, locations, friends lists, page likes, and in some cases, direct access to their private messages and timelines. The Australian Information Commissioner said Facebook did not know the exact nature of the data it exposed through Kogan's quiz, but that it failed to take reasonable steps to protect users' personal data.
A Facebook spokesperson said: "We've made major changes to our platforms in consultation with international regulators, to restrict the information available to app developers, implement new governance protocols and build industry-leading controls to help people protect and manage their data."
"We're unable to comment further as this is now before the Federal Court."
Over in the US, a federal judge in San Francisco last week refused to approve a Facebook settlement over a 2018 data breach that exposed the personal information of 29 million people. The settlement required the social media giant to adopt a series of data security improvements and to submit to annual third-party security audits for the next five years.
But Judge William Alsup last week accused Facebook of using "smoke and mirrors" to obscure whether anything in the agreement was new. "I've seen this game before," he said. "People agree to do something they've already agreed to do, and the plaintiff wants a lot of money for that. That's a trick. We don't allow tricks."
The company has 21 days to amend the settlement and submit a sworn statement explaining whether each commitment in the proposed settlement is unique. ®