Australia’s privacy watchdog will soon enter negotiations with the Facebook owner to end protracted, costly legal proceedings over the Cambridge Analytica scandal, more than five years after it was first revealed.
The Office of the Australian Information Commissioner is still pursuing Meta, which owns Facebook, in the federal court over alleged privacy breaches affecting more than 300,000 Australian Facebook users caught up in the scandal.
The breaches were first exposed in the Guardian in early 2018 and regulators in the US and the UK issued fines to Facebook the following year.
The OAIC’s case, launched in 2020, has enjoyed some success in recent months. In March, it convinced the high court not to hear an appeal, a win that allowed it to continue prosecuting the alleged privacy breaches in the federal court.
The federal court has now ordered the privacy commissioner and Meta to enter mediation. The parties must find a suitable mediator in September before entering one month’s worth of talks in October.
It means the case will not return before Justice Nye Perram until early November.
The court has also ordered that the case be split to initially determine whether Meta was liable for the privacy breaches. If that is established, the court can consider what penalty Meta might be forced to pay.
Meta declined to comment. A spokesperson for the OAIC said: “We will abide by the orders of the court and will act in accordance with the model litigant obligations under the legal services directions.”
Cambridge Analytica was revealed to have harvested the personal data of millions of Facebook users without their consent, before using the information predominantly for political advertising, including to assist the Brexit campaign and Donald Trump.
Only 53 people in Australia installed the quiz app at the heart of the scandal, named This is Your Digital Life. Despite the relatively small number of app users, court documents show that about 311,127 users had their data harvested, typically because they were friends of those who installed the app.
In announcing the court case in 2020, the privacy commissioner, Angelene Falk, said the exposed information was at risk of being disclosed to Cambridge Analytica and used for political profiling purposes.
“We consider the design of the Facebook platform meant that users were unable to exercise reasonable choice and control about how their personal information was disclosed,” Falk said.
“Facebook’s default settings facilitated the disclosure of personal information, including sensitive information, at the expense of privacy.”
One year prior to the Australian case, American regulators issued a record US$5bn penalty to the company for “deceiving” users about their ability to keep personal information private. The British information commissioner also fined the company £500,000 in October 2019.
The OAIC sought to sue the parent company Facebook Inc, based in the US, and its Irish subsidiary, Facebook Ireland Ltd. That prompted an early attempt by Facebook Inc to have the case against it effectively thrown out, arguing it did not carry out business or collect or hold personal information in Australia, so could not be held accountable for breaches under Australia’s privacy laws.
It repeatedly lost that argument, including in an appeal to the full bench of the federal court, which described aspects of Meta’s argument that it did not conduct business in Australia as “divorced from reality”.
Meta attempted to make the same case in the high court, but the OAIC intervened, asking the court to revoke its decision to give the company leave to appeal.
The high court agreed and threw out the case in March, allowing it to return to the federal court to finally make progress on the substantive case about the privacy breach.
“Today’s decision is an important step in ensuring that global digital platforms can be held to account when handling the personal information of Australians,” Falk said at the time.
“Entities operating in Australia are accountable for breaches of Australian privacy law and must ensure that their operations in Australia comply with that law.”