The private messages, pictures, email addresses and the content of Facebook users’ posts are not “sensitive information”, the social media giant has argued in court as it fights a protracted case over the Cambridge Analytica scandal.
Australia’s privacy regulator has been locked in federal court proceedings with Facebook, now Meta, since 2020 over the Cambridge Analytica breach, in which tens of millions of users’ data was harvested using a personality quiz and used to aid political campaigns, including Donald Trump’s election.
Only 53 people in Australia installed the quiz app, named This is Your Digital Life, but the app also hoovered up the data of the friends of those who downloaded it.
The Office of the Australian Information Commissioner (OAIC) alleges about 311,127 Australian users had their data harvested and says the scandal represented a serious breach of Australian privacy laws by Facebook, which knew of the risks but failed to take reasonable steps to safeguard users’ sensitive information.
The case has been bogged down in a preliminary dispute over whether Facebook could be legally deemed to be conducting business in Australia, an argument that would have scuppered the OAIC’s attempt to hold it accountable here.
Meta lost in the high court earlier this year, prompting the company last week to finally file its defence.
Meta, the documents show, is fighting the allegations it is liable for a serious privacy breach involving Australian users’ data.
It says that no data from users outside the US was ever handed to data analytics firm Cambridge Analytica.
Facebook has also sought to cast doubt on the OAIC’s estimate of the number of Australian users who were affected, saying the true number was “substantially lower” than the 311,127 Australians alleged by the regulator.
Meta also denied the OAIC’s allegation that much of the harvested data can be considered “sensitive information” under Australia’s privacy laws.
That includes private Facebook messages, the content of posts, pictures and email addresses.
Much of the material was harvested without users’ knowledge, though Meta says the content of private messages was not taken without explicit permission by individuals.
Meta also said the first that it learned of the potential misuse of data was in December 2015, when an investigation was first published in the Guardian alleging academic Aleksander Kogan, who built the quiz app, may have transferred user data in breach of his contract with Facebook.
after newsletter promotion
“Thereafter, Facebook Inc immediately investigated the allegations and assessed what actions would be necessary and appropriate to enforce its policies and procedures,” the defence says. “On the day the Guardian story was published, Facebook Inc contacted Dr Kogan and demanded that he explain what data he had collected, how he had used it and to whom he had disclosed it.”
It deleted the quiz app from its platform later that month.
Meta’s defence described parts of the OAIC’s case as “embarrassing” and “defective”, including for failing to properly articulate the privacy principles that it is alleging were breached and for failing to specifically allege “the reasonable steps which it is alleged [Facebook] failed to take” to protect users’ data.
The parties entered mediation earlier this year and the case was expected to return to court in November. Both the OAIC and Meta were approached for comment. A Meta spokesperson said:
“While we can’t comment on the details of an ongoing case, the privacy of our users remains fundamental to our business. This case does not change that.”
Australia is well behind other western nations in holding Facebook accountable. UK authorities have already fined Facebook £500,000 for the breach, while the US Federal Trade Commission fined the company US$5bn.
Meta also paid US$725m in a class action alleging privacy violations in the US late last year.