The World v. Facebook – the Biggest Privacy Breach of all time

Unless you have been avoiding all radio, online and print media for the last month, you will have heard about Facebook’s recent admission that it allowed over 83 million profiles and users’ data to be harvested and sold to external companies, including Cambridge Analytica. Even worse, these companies manipulated that data to target political advertising and advertising campaigns – influencing the 2016 US Presidential Elections and the 2016 Brexit Vote.

People are now able to check if their data is part of the ‘harvested’ collection of material that was sold and used without those individuals’ permission. Facebook will also begin sending out delightful ‘notifications’ to users, if they have been a part of “the harvest”.

As this story continues to develop, I thought it would be helpful to consider what legal claims Australians may have if their Facebook data has been violated.

The Facebook – Cambridge Analytica timeline

But first, a quick refresh on the timeline of the Facebook & Cambridge Analytica exposé:

  • Between 2010 and March 2015, Facebook allowed app creators to install applications into Facebook, which had the ability to ‘scrape’ data from the app user and the user’s friends. The Facebook platform reportedly allowed this information to be collected in order to “improve user experience”, but there was a restriction on this information being used for advertising.
  • In 2013, Aleksandr Kogan, a Russian-American academic at Cambridge University, developed a Facebook application (app) titled: thisisyourdigitallife. The app was partly owned by his private company Global Science Research (GSR) and Cambridge Analytica. The app paid Facebook users to take a personality test and told users that it would collect that information for academic research. Unbeknownst to the quiz participants, the app also collected the information of each app user’s Facebook friends – which meant that once several hundred thousand people had completed the questionnaires, the app owners had scraped the Facebook user data of millions of people. In New Zealand, only 10 people downloaded the app. Yet through those 10 people, the app creators were able to harvest 63,714 user profiles.
  • The questionnaire app included dozens of personality profile questions, such as whether someone prefers to be alone or loves large parties, and took approximately 20 minutes to complete. Facebook purportedly granted Kogan & GSR the permission to extract this information as it was said to be for the purpose of academic research.
  • Cambridge Analytica is a UK-based political consulting firm, which provides advisory services based upon data mining, data analysis and strategic communication. Conservative Republican businessman, AI computer expert and the largest donor to the Trump 2016 campaign, Robert Mercer, is a part owner of the firm.
  • Steve Bannon is another key player in this story. Prior to August 2016, he was the executive chairman of Breitbart News – an alt-right online news website, owned by Robert Mercer and family. In August 2016, Bannon took over as the Chief Executive Officer of Trump’s 2016 presidential campaign. In his role at Breitbart, Bannon introduced Robert Mercer to Cambridge Analytica and from 2014 took an active role in directing Cambridge Analytica’s analysts to prepare data analyses focused on US Facebook users’ information. From Trump’s inauguration in January 2017 to August 2017, he served as ‘Chief Strategist’ for the Trump administration.
  • Throughout 2014, Steve Bannon, then acting in a dual role at Breitbart and as an executive with Cambridge Analytica, spent over $1 million acquiring data, including Facebook profiles, for political and media analysis.
  • On 11 December 2015, the Guardian reported that Cambridge Analytica was helping Presidential hopeful Ted Cruz with psychological profile data, based upon tens of millions of Facebook users – in an attempt to give Cruz an advantage over Donald Trump.
  • After the December 2015 Guardian article, Facebook wrote to Cambridge Analytica and requested that it delete all Facebook data in its possession. Despite making this request, Facebook did not follow it up or make any public announcements about the suspected data theft. It is now clear that Cambridge Analytica did not delete the data as requested.
  • On 17 March 2018, the Observer in the UK and the New York Times broke the story that a whistleblower and former employee of Cambridge Analytica (CA), Christopher Wylie, had revealed that CA had obtained ‘psychological profiles of 230 million Americans’ through the Facebook quiz app thisisyourdigitallife – and had assisted the 2016 Trump campaign (principally Steve Bannon) in using that data to target political advertising and messaging.
  • On 20 March 2018, the Federal Trade Commission in the US opened an investigation into whether Facebook had violated a settlement reached with the FTC in 2011 regarding privacy protections of users.
  • On 20 March 2018, the UK House of Commons Digital, Culture, Media and Sport Committee requested that Mark Zuckerberg, CEO of Facebook, appear before it to answer the Committee’s Fake News Inquiry.
  • On 22 March 2018, it was reported that Cambridge Analytica had offered or provided political data analysis services to over 100 international political campaigns – including the 2016 US Presidential Election; the UK Brexit referendum; the 2015 Nigerian elections; the 2017 Kenyan Presidential election; the 2018 Mexican elections; and the 2014 Indian elections.
  • On 28 March 2018, Facebook announced that Mark Zuckerberg would not appear before the UK House of Commons, as requested, on the basis that he would instead testify before the US Congress on those issues.
  • On 5 April 2018, the Australian Privacy Commissioner announced it was launching a formal investigation into Facebook and the Cambridge Analytica scandal – to determine whether there had been any breaches of the Privacy Act 1988 (Cth).
  • On 10 April 2018, Mark Zuckerberg faced hours of questioning from the Senate Judiciary Committee (a sub-committee of US Congress) in Washington, as to how and why millions of users’ data was taken without consumers’ knowledge. The key takeaway from this grilling was that the Senators expressed scepticism that Facebook was able to ‘self-regulate’ these privacy issues and were unsure whether Facebook could be trusted to implement change.
  • The key focus for some of these Senators was the scope of an individual’s right to privacy.

A Senator from Illinois asked Mr Zuckerberg whether he would be comfortable sharing with the Committee the name of the hotel he stayed in last night or the people he messaged last week. Zuckerberg confirmed: “No. I would probably not choose to do that publicly here.”

  • During his testimony, Zuckerberg stated that Facebook has found itself in “an arms race with Russia” and other foreign actors who are seeking to interfere with elections.

US Class Action

On 11 April 2018, a combined team of US and UK lawyers announced that they had launched a class action in Delaware (where Facebook and other defendants are incorporated), against Facebook, Cambridge Analytica, GSR and SCL Group Ltd – for the misuse of millions of people’s data. A full copy of the class action can be accessed here.

The data extracted through the app included names, phone numbers, mail and email addresses, political and religious affiliations and other interests. The claim is based upon the following complaints: violations of the Stored Communications Act (US), fraud, negligence and wilful negligence.

The class action alleges that Facebook failed in its duty and promise to secure the personal information of millions of users, and that when it became aware of this failure (in 2015), it failed to take appropriate action.

The claim alleges that Facebook’s user policies are false and misleading, in particular the Facebook Data Use Policy, which during the relevant times stated:

“You own all of the content and information you post on Facebook, and you can control how it is shared through your privacy and application settings.”

Facebook is alleged to have ‘known for years’ that its platform could be easily and readily used by third parties to steal users’ personal information, and this was not monitored by Facebook. Rather, Facebook misled users about the safety of their information.

Potential Australian litigation against Facebook and Cambridge Analytica

Yesterday it was announced that 53 people in Australia downloaded and used the thisisyourdigitallife app through Facebook. The impact of these 53 people using the problematic app is that more than 311,127 Australians’ Facebook profiles were ‘scraped’ of data and harvested by Cambridge Analytica.

The potential scope of the litigation that could result from this data theft of personal information is enormous. Some of the causes of action that may be available to users whose data has been harvested include:

  1. Claims for Misrepresentation / Misleading or deceptive conduct – (s.18 of the Australian Consumer Law) – focusing upon the misrepresentations in Facebook’s data use policy and other public assurances, that have now been proven false.
  2. Claims for Breach of confidence – a tortious claim which must establish that the information taken was confidential, the information was imparted in circumstances importing an obligation of confidence; and there has been an unauthorised use or threatened use of the information.
  3. Complaints to the Privacy Commissioner – The Privacy Act imposes 13 Australian Privacy Principles on government bodies and organisations, including Facebook. If a privacy principle is breached by a company, the Act does not provide for an individual right to launch a legal proceeding; instead, you may complain to the Office of the Australian Information Commissioner (30 days after you have complained to the company directly and received an unsatisfactory response). If you receive a determination from a Commissioner (which can include an award of monies), then you may apply to the Federal Court of Australia to enforce the determination, or for an injunction if an entity is proposing to continue to engage in the conduct the subject of the determination.
  4. On 23 February 2018, the Notifiable Data Breaches (NDB) scheme came into force in Australia. It imposes compulsory notification requirements on businesses and Australian government agencies, if the organisation discovers a data breach that puts a member of the public at risk of serious harm. It is likely that Facebook may be required to make notifications pursuant to the new mandatory obligations. Failure to comply with the regime will enliven the existing Privacy Act enforcement and civil penalty framework.

Whilst there is no clear ‘tort of invasion of privacy’ in Australia (despite the ALRC’s calls for one to be introduced), there are definitely effective causes of action open to individuals who have been targeted by this unprecedented personal data breach.

Australian law firms are already lining up to take a slice of the ‘Facebook Class Action pie’, with Shine Lawyers already advertising for impacted Australians to register their interest in a potential class action suit.

I am of the view that the global outrage as to the flagrancy and enormity of this data breach is likely to result in greater regulation for online platforms for personal information, such as Facebook. No doubt the Australian legislators will be closely watching the UK legislative reaction and will likely adopt similar increased data protection regulations in the coming years.
