

On 9 March 2020, the Australian Information Commissioner filed proceedings in the Federal Court of Australia against social media giant, Facebook.

It is alleged that between 12 March 2014 and 1 May 2015, Facebook seriously and repeatedly interfered with the privacy of 311,127 Australian Facebook users by disclosing their personal information (including sensitive information) to a third party application, which was then sold to political consulting firm Cambridge Analytica.

What is ‘Personal Information’?

The term personal information can include a wide range of information or opinion about an identified person (or a person who is reasonably identifiable). Broadly speaking, it covers health information, credit information, employee record information and ‘sensitive information’.

Importantly, sensitive information includes information or opinion about an individual’s racial or ethnic origin, political opinion, religious beliefs, sexual orientation or criminal record, provided the information or opinion otherwise meets the definition of personal information.

The Alleged Breach

Each Facebook user supplies sensitive information when creating and using their account without even thinking about it. This happens, for example, when a user discloses their religious and political views or relationship status, joins specific groups, likes specific posts or pages and, in some cases, even when sending or receiving private messages.

The Privacy Act 1988 (NSW) (“Privacy Act”) contains 13 Australian Privacy Principles (“APP”) that are legally binding on specific agencies and organisations who collect and use personal information. The Commissioner has alleged that Facebook’s conduct amounts to a direct breach of these principles for two reasons:

  1. Facebook collected the personal information of users for a particular purpose (primary purpose) but disclosed this information for another purpose (secondary purpose), without the consent of users; and
  2. Facebook failed to take reasonable steps to protect the personal information of users from unauthorised disclosure.

Each disclosure of personal information relating to 311,127 Australian Facebook users is a breach of the APPs, amounting to serious and repeated interference with the privacy of users in contravention of the Privacy Act.

Key Takeaways

  • Only collect the information you or your business believes is reasonably necessary to deliver a product or service.
  • Only use the information you or your business collect for the primary purpose disclosed, and not for any secondary purpose (unless consent has been provided or disclosure is allowed in accordance with the exceptions provided by the APP).
  • Make sure you and your business take reasonable steps to implement practices, procedures and systems that will protect personal information.
  • Have a well drafted, up to date, easily accessible privacy policy and follow it.

