In a case lodged in the federal court on Monday, the Australian information commissioner Angelene Falk has alleged Facebook committed serious and repeated interferences with privacy in contravention of Australian privacy law because data collected by Facebook was passed onto the This is Your Digital Life app by Cambridge Analytica for political profiling, which was not what it was collected for.
Data included people’s names, dates of birth, email addresses, city location, friends list, page likes and Facebook messages for those who had granted the app access to the messages.
“We consider the design of the Facebook platform meant that users were unable to exercise reasonable choice and control about how their personal information was disclosed,” Falk said.
“Facebook’s default settings facilitated the disclosure of personal information, including sensitive information, at the expense of privacy.”
At the time, Facebook said 311,127 Australians between March 2014 and May 2015 had data shared with the app, accounting for 0.4% of users affected by the breach.
However, the court documents reveal just 53 people in Australia installed the app.
87m users worldwide were affected by the scandal.
The OAIC says in its court filing that the design of Facebook made it so that users were unable to consent or control over how their data was disclosed, and to date, Facebook has not been able to tell the OAIC which Australian users were affected.
The Guardian and Observer revealed data analytics firm Cambridge Analytica worked with Donald Trump’s election team and the Leave campaign in the UK Brexit referendum.
The data was used to build a software program to predict and influence voters. Facebook discovered the information had been harvested by a third party in late 2015 but failed to alert users at the time.
In a statement, a Facebook spokeswoman said the company had been engaging with the OAIC on this matter for two years.
“We’ve made major changes to our platforms, in consultation with international regulators, to restrict the information available to app developers, implement new governance protocols and build industry-leading controls to help people protect and manage their data,” she said.
“We’re unable to comment further as this is now before the federal court.”
Each contravention comes with a maximum penalty of $1.7m. The OAIC is alleging multiple breaches but did not indicate whether penalties would be sought for all 311,127 users affected.
The relief sought-just asks the court to order Facebook to “pay civil pecuniary penalties” under the Privacy Act “as applicable for contraventions that occurred during the relevant period.”
According to the court documents, Cambridge Analytica provided written confirmation in January 2016 that all users’ personal information obtained through the app had been deleted, but the company did not take any independent steps to ensure the data had been deleted or destroyed.
In the UK Facebook was fined £500,000 for the breach, while in the US, the federal trade commission fined the company US$5bn. In October last year, the OAIC was criticized for taking its time in resolving the investigation.