In the recent Australian Competition and Consumer Commission v Meta Platforms Inc judgement, the Federal Court imposed a $20 million pecuniary penalty on Meta’s subsidiaries, Facebook Israel and Onavo Inc, for breaching the Australian Consumer Law (ACL), by misleading users about the way those companies used customers’ data. The Court found that promotional statements for the Onavo Protect app did not adequately disclose that user data would be used for purposes beyond the app's functionality, including for commercial interests.
Action was taken against Onavo and Facebook Israel under the ACL. Although Meta was stated not to be involved in the contravening conduct, the Federal Court noted that Meta’s ‘substantial resources’ were reflected in the size of the penalty ($20m).
Representations about data handling practices
The Onavo Protect app, a free VPN service, was available in Australia from February 2016 to February 2019. The app was installed by over 270,000 Australians during this time. The app was promoted to consumers with the statements “Protect your Personal Info For Free” and “Onavo Protect helps keep you and your data safe online”.
While these represented that data would be securely handled, Onavo’s internal documents (disclosed in the Statement of Agreed Facts and Admissions (SAFA)) revealed that it internally referred to ‘[t]he best part about these apps … [as being] that it gives [Onavo] a sample of users who we are able to know nearly everything they are doing on their mobile device.’
In terms of the handling and use of data, during the period in which it was available, Onavo Inc and Facebook Israel collected and provided to Meta information that included:
- device information – device type, mobile carrier, IP address, location information; and
- users’ mobile applications and data usage – names and details of all apps installed on users’ devices, use of each application and websites visited.
If an Australian user of the Onavo app also had a Facebook account, Meta’s platforms could algorithmically combine the Onavo App data with all of the information Meta platforms received from the user’s Facebook account.
Why this conduct amounted to a contravention of the ACL
While disclosures that consumers’ data would be used for purposes other than providing the VPN services were contained in the Terms of Service and Privacy Policy, the Federal Court found that these “disclosures were not sufficiently prominent or proximate to the [App] Listings”.
In announcing the judgement, the ACCC also observed that the Privacy Policy was lengthy (12 pages) and there was no summary.
Facebook Israel and Onavo admitted that the promotional statements, in the context of the facts discussed above, were likely to mislead or deceive in contravention of the ACL.
In imposing the significant $20 million penalty, the Federal Court emphasised that ‘the breadth and depth of the data and the purposes for which it was collected reinforce the seriousness of the admitted contraventions’.
A timely reminder that privacy has never been a more pressing concern for Australians
The case is an important reminder for businesses that they must ensure representations they make around their data handling practices are sufficient, clear, prominent, accessible and readily understood. It reinforces that care needs to be taken around representations relating to data handling practices to ensure that they are not misleading or deceptive – for example, conveying that data will be collected or used in a particular way when this is not the case.
The Office of the Australian Information Commissioner’s (OAIC) recently published 2023 Australian Community Attitudes to Privacy (ACAP) Survey has highlighted how privacy is a critical concern to consumers, reinforcing why this area is such a key priority for the ACCC. The survey of 1,916 participants found that 62% thought that protecting personal information was a major concern in their lives but only 32% felt in control of their privacy and 84% wanted more control over their personal information.
ACCC Chair Gina Cass-Gottlieb emphasised the importance of consumers having clear information about data usage:
“We took this case knowing that many consumers are concerned about how their data is captured, stored and used by digital platforms. We believe Australian consumers should be able to make an informed choice about what happens to their data based on clear information that is not misleading.”
Key takeaways for Australian businesses
In conjunction with pending sweeping Privacy Act reforms, which you can read about in our article The most sweeping reforms to Australian privacy law in over twenty years, this case is a timely reminder that privacy remains a key concern for consumers and remains a top priority for regulators. The case reinforces that the ACCC is ready and willing to aggressively take enforcement action. In 2020, HealthEngine was fined $2.9m for misleading and deceptive conduct relating to disclosure of non-clinical personal health information. More recently, we wrote about Google being fined $60m for misleading consumers in the collection of their location data through Android devices.
Businesses attempting to passively comply with Privacy and Consumer regulations through a ‘box ticking’ approach to privacy, or inadequate or unclear disclosures, could be subject to investigations by the ACCC as well as the OAIC. This is irrespective of whether actions are undertaken maliciously, unintentionally, or in good faith.
Clear, accurate and concise information about the purposes for use and disclosure of users’ data must be prominent, readily accessible and timely.
Customers and regulators alike have increasingly heightened expectations of business privacy and data practices, and how such practices are communicated to consumers. There has never been a better time to undertake a thorough, ground-up review of all business data collection, use, management and disclosure practices. MinterEllison provides full-service IT legal and consultancy services with extensive experience in privacy, consumer law, data protection and software and IT service procurement. Please contact us if you would like assistance in ensuring privacy fitness.