Australian Court Orders Meta Platforms to Pay $14 Million in Fines for Misleading User Data Collection

Australia's Federal Court has ruled that Meta Platforms, the owner of Facebook, must pay fines amounting to A$20 million (approximately $14 million US) for collecting user data through a smartphone application marketed as a privacy protection tool without disclosing its true actions. The court also ordered Meta, through its subsidiaries Facebook Israel and the now-defunct app Onavo, to cover A$400,000 in legal costs to the Australian Competition and Consumer Commission (ACCC), which filed the civil lawsuit.

The imposed fine concludes one aspect of Meta's legal troubles in Australia related to its handling of user information, which came under scrutiny after the global scandal involving data analytics firm Cambridge Analytica during the 2016 US election. Nonetheless, Meta still faces another civil court action initiated by Australia's Office of the Information Commissioner concerning its dealings with Cambridge Analytica within Australia.

The court judgment pertains to a virtual private network (VPN) service, known as Onavo, which Facebook offered from early 2016 to late 2017, promoting it as a means to safeguard users' personal information. VPNs function by concealing a user's online identity, giving their device a different online address. However, the court found that Facebook used the Onavo app to collect users' location, app usage, and website visits for its own advertising purposes, a fact that was not adequately disclosed to users.

Justice Wendy Abraham, in her written judgment, stated that the lack of sufficient disclosures might have denied tens of thousands of Australian consumers the opportunity to make informed choices about the collection and use of their data before downloading and using Onavo Protect.

The potential penalty for Meta's actions could have been much higher, with each breach of consumer law carrying a A$1.1 million fine, and the app being downloaded 271,220 times in Australia. However, the court treated the contraventions as a single course of conduct, leading to the agreed A$20 million fine.

Both sides agreed to the penalty, and Justice Abraham emphasized that the amount should serve as a significant deterrent rather than just a cost of doing business. She noted that Meta's massive global revenue of $116 billion last year made it crucial to ensure the penalty had a substantial impact.

Meta responded to the judgment in a statement, saying that the ACCC acknowledged they never intended to mislead customers and highlighting their efforts to provide more transparency and control over user data in recent years.

In response, ACCC Chair Gina Cass-Gottlieb stressed the importance of consumers having clear information to make informed choices about the use of their data.

The ruling sends a clear message to tech companies about the need for transparency and adherence to consumer protection laws when handling user data. Compliance and data privacy teams within such companies will likely need to review their data collection and disclosure practices to avoid similar penalties in the future.

Implications for Compliance and GRC Professionals

• Ensure Transparency: Compliance professionals should ensure that their organizations are transparent about data collection and usage practices, providing clear information to users to make informed choices about their data.
• Review Data Handling: Data privacy teams need to conduct thorough reviews of how user data is collected, processed, and used to avoid potential breaches of consumer protection laws.
• Stay Updated on Regulations: Compliance professionals must stay abreast of changing data protection regulations and ensure their organizations adapt their practices accordingly to avoid legal repercussions.
• Proactive Compliance Measures: Implementing robust compliance measures and risk assessments can help companies avoid potential violations and fines in relation to data protection laws.
• Enhance User Control: Offering users more control over their data, such as opt-out options and data deletion requests, can build trust and demonstrate commitment to data privacy compliance.

By taking these actions, companies can work toward preventing data breaches, ensuring compliance with regulations, and building trust with their users.