By Malcolm McBratney, Partner, Teneille Meyer, Lawyer, and James Jessup, Law Graduate
A settlement of $US5 billion was recently reached between Facebook and the US Federal Trade Commission (FTC) – an unprecedented figure in the history of digital privacy regulation, and one that brings with it a string of privacy obligations Facebook must now comply with. In this article, we explore this penalty and the related Australian response to misuse of consumer data by big digital platforms.
In a statement announcing the historic $US5bn settlement, the FTC alleged that Facebook engaged in deceptive practices by collecting phone numbers for the purpose of two-factor authentication and then using those phone numbers for other purposes. It also alleged that Facebook misrepresented the steps needed to take control of facial recognition data, among other things.
Broadly speaking, the penalty is a response to Facebook misusing the data of its consumers by failing to explicitly inform them of how it will be used and who it will be shared with – this was argued by the FTC to be deceptive. The US settlement has enjoyed a positive reception from Australia. The Office of the Australian Information Commissioner released a statement which said the penalty “is a globally significant order that demonstrates the concerns of privacy regulators around the world.”
The settlement is significant not only because of the dollar figure (in fact it could be argued that the dollar figure is not significant, accounting for only 9% of Facebook’s 2018 revenue), but also because Facebook has accepted an element of accountability for the data misuse of the past – a large factor in which is consumers’ lack of control over their data.
Coincidentally, the Australian Competition and Consumer Commission (ACCC) just recently announced in its ‘Digital Platforms Inquiry Final Report’ that it too is investigating Facebook over representations made by Facebook in relation to its sharing of data with third parties. The ACCC is looking at whether the data representations raised issues under the Australian Consumer Law (ACL). It is also investigating Facebook to determine whether any of its standard terms might be considered unfair contract terms under the ACL.
Consumer control of data has played a significant role in both the FTC settlement, and the Digital Platforms Inquiry Final Report handed down by Australia’s ACCC – the ACCC report is unrelated to action by the FTC, but when both are taken together, they signify a current global trend of privacy regulators to take data protection incredibly seriously.
The Digital Platforms Inquiry released by the ACCC recommends an update of the Australian privacy legislation to better protect consumers. Recommended updates include:
- Strengthening notification requirements when collecting consumer data
- Strengthening consent requirements relating to use of data
- Enabling the erasure of personal information
- Introducing a direct right of action for individuals
- Higher penalties for breach of the Privacy Act
What effect will this have on Australians?
At the moment, Australians will likely be able to enjoy upcoming changes Facebook will make as a result of the FTC settlement – no doubt other big data companies will see the settlement as a call to action to start taking consumer privacy seriously, so we will benefit from their changes too.
Australian businesses should also see this as a reason to consider how they collect data and to consider their privacy obligations to consumers, not least because we may soon have a slate of new legislative changes on the horizon, and it will be best for businesses to anticipate the changes (outlined in the Digital Platforms Inquiry) and implement them now.
Early indications from Ministerial statements suggest that the Australian Government is likely to implement the recommendations, but the extent to which they will be implemented remains uncertain.
Following our recent articles on British Airways and Marriott International, this is another timely reminder to consider when your business last reviewed and updated its privacy and data breach compliance procedures.