Facebook privacy news; with current estimates of more than 87 million users affected, this is an important reminder of the emerging legal and social challenges facing governments, businesses and corporations when handling personal and sensitive information in today’s global knowledge economy.[1]
Internet is now a resource that is almost freely available. As Dr Hamadoun Toure, former head of UN’s telecommunication agency notes, internet is a ‘basic infrastructure – just like roads, waste and water.’[2] In globalised society, ‘everyone must access [the internet] to participate.’[3]
But…take a moment. Let’s think for a bit.
As one takes a step back and think about the issues closely, questions emerge. Just as the internet presents new ways of how communications and relationships intersect, it also presents new issues in a global society rich with information and data.
These questions could include:
- how should an entity protect information provided by its consumers?
- are current regulations enough to protect information held by those same entities?
Furthermore these are also the same policy questions facing regulators in US now:
- should Congress impose regulations on Facebook, and how will this affect social media?
- if Congress does not impose regulations, will the public react negatively?
- can social media corporations be trusted to self-regulate?
If it is agreed that further regulation is required, then the real question is how will the nature of that regulation be?
Too much regulation and risk hindering innovation and productivity. Too few regulation, then the same exploitation may manifest in different forms. [4] Perhaps now, with the lessons learnt from Facebook, that discussion now begins in earnest.
Returning to the Facebook privacy scandal, we outline how we understand the situation.
What happened between Facebook and Cambridge Analytica?
Facebook learnt of unauthorised access to its data during 2015 when The Guardian reported on the issue.[5] However, it seems not much was done as reported by The Economist. Interestingly, The Economist also state Facebook threatened litigation against Guardian Media Group if this scandal was exposed. [6]
Why was this case? We ask, you, the reader, to ponder.
After the scandal came to the fore, Mark Zuckerberg posted a timeline of events. We summarise his timeline as follows:[7]
2007
First, facebook was launched with a view of apps being social. This included: [8]
- calendar showing friend’s birthdays;
- map showing where friends lived;
- address book showing your pictures; and
as part of this, allowed people to access apps to share their friend list and their friends’ information.
2013
Aleksandr Kogan, a Cambridge University researcher, created a personality quiz app. The app was installed by around 300,000 people. Those people indirectly shared friend’s information. As consequence, Zuckerberg states ‘tens of millions’ could be affected. [9]
2014
Facebook changed their Platform to limit data that apps could access. This prevented similar apps like Kogan’s from accessing information of a person’s friend unless authorised. Approval was required by Facebook before developers could request sensitive information from people.
2015
Facebook learnt from The Guardian that Kogan shared data with Cambridge Analytica. This contravened Facebook’s policies because developers could not share data without consent. Subsequently, Facebook demanded Kogan and Cambridge Analytica to formally certify they deleted all improperly acquired data.
What steps is Facebook now taking?
In the same post, Mark Zuckerberg highlighted implementing preventative and remedial steps including: [10]
- to investigate all apps that had access to large amounts of information prior to 2014 and conduct a full audit of any app with suspicious activity;
- further restrictions on developers’ data access including:
- remove access to data if user has not used the developer’s app within three (3) months;
- restrict access to data only to name, profile photo and email address;
- sign a contract to ask anyone for access to posts or other private data; and
- implement a tool at the top of a user’s New Feed with apps used, and able to revoke apps permission to user’s data.
Additionally on 14 April 2018, Facebook’s newsroom released a statement of steps taken. Some of these are:[11]
- restrictions on the usage of Events API (short for Application Programming Interface, and to learn more about API see here) that allows access to guest lists and posts on event walls;
- any third party using Groups API will need approval from Facebook and an admin;
- future access to Pages API will need to be approved by Facebook; and
- approval required for apps that request access to information such as check-ins, likes, photos, posts, videos, events and groups.
Outside of US, what is happening in Australia?
On 20 March 2018, the Office of the Australian Information Commissioner (“OAIC”) released a statement that OAIC was pending further information before investigation (see here).[12] Soon after, on 5 April 2018, the OAIC announced investigations were formally open. The Acting Privacy Commissioner, Ms Falk stated:
‘The investigation will consider whether Facebook has breached the Privacy Act 1988 (Privacy Act). Given the global nature of this matter, the OAIC will confer with regulatory authorities internationally.’[13]
Significant responsibilities are required of APP entities (see here for an explanation of an APP entity by OAIC) to ensure reasonable steps are taken so that personal information held are not misused, interfered or loss.[14] As part of ensuring the protection of privacy, the OIAC may investigate an APP entity for potential breaches. [15]
As OAIC’s investigates Facebook privacy issues, AMK Law will be reporting the investigations and keeping you up to date.
Our Thoughts
Coupled with last mentioned in our article, Are you ready for the new changes to Australian privacy law in 2018?, that new mandatory notification laws requires APP entities as of 23 February 2018 to report to the OAIC if unauthorised disclosures were likely to occur. Prior to this, notifying the OAIC was voluntary.
The critical question then is, is the introduction of mandatory notification sufficient to prevent a similar Facebook and Cambridge Analytica scandal?
We discussed the test of ‘likely.’ With mandatory measures in effect, it is a timely introduction that should prevent a similar event like Facebook privacy and Cambridge Analytica scandal occurring in Australia. Data breaches that are likely to occur must be reported.
Moreover only time will tell how OAIC will address Facebook’s possible misuse of more than 300,000 Australians’ data affected by the same scandal.[16] The events are an important reminder that in today’s global knowledge economy, issues around regulating and protecting personal and sensitive information are gaining greater prevalence and importance for all individuals, businesses and governments alike.
If you have any concerns or queries concerning Australian privacy law or Facebook privacy, then contact us AMK Law may be able to help in answering those issues.
Important disclaimer: The material contained in this publication is of a general nature only and it is not, nor is intended to be, legal advice. This publication is based on the law as it was prior to the date of you reading of it. If you wish to take any action based on the content of this publication, we recommend that you seek professional legal advice.
[1] Jake Kanter, 2nd Cambridge Analytica whistleblower says apps and quizzes like ‘Sex Compass’ gathered data from way more than 87 million Facebook users (18 April 2018) Business Insider Ausralia Australia <https://businessinsider.com.au/facebook-data-scandal-bigger-than-87-million-users-2018-4?r=US&IR=T>; Mike Schroepfer, An Update on Our Plans to Restrict Data Access on Facebook (4 April 2018) Facebook Newsroom <https://newsroom.fb.com/news/2018/04/restricting-data-access/>.
[2] BBC News, Internet access is ‘a fundamental right’ (8 March 2010) BBC News <https://news.bbc.co.uk/2/hi/technology/8548190.stm>.
[3] Ibid.
[4] Alex Hern, Five things we learned from mark Zuckerberg’s Facebook hearing (12 April 2018) The Guardian <https://theguardian.com/technology/2018/apr/11/mark-zuckerbergs-facebook-hearing-five-things-we-learned>.
[5] Mark Zuckerberg (22 March 2018) Facebook <https://facebook.com/zuck/posts/10104712037900071>.
[6] The Economist, If Facebook will not fix itself, will Congress? (11 April 2018) The Economist <https://economist.com/news/united-states/21740387-if-facebook-will-not-fix-itself-will-congress-fit-it-mr-zuckerberg-goes-washington>.
[7] Mark Zuckerberg (22 March 2018) Facebook <https://facebook.com/zuck/posts/10104712037900071>.
[8] Ibid.
[9] Ibid.
[10] Ibid.
[11] Mike Schroepfer, An Update on Our Plans to Restrict Data Access on Facebook (4 April 2018) Facebook Newsroom <https://newsroom.fb.com/news/2018/04/restricting-data-access>.
[12] Timothy Pilgrim, Statement from the Australian Information and Privacy Commissioner on Facebook and Cambridge Analytica (20 March 2018) OAIC ) <https://oaic.gov.au/media-and-speeches/statements/facebook-and-cambridge-analytica>.
[13] Angeline Falk, Investigation into Facebook opened (5 Aril 2018) OAIC <https://oaic.gov.au/media-and-speeches/statements/facebook-and-cambridge-analytica#statement-from-the-australian-information-and-privacy-commissioner-on-facebook-and-cambridge-analytica>.
[14] Privacy Act 1998 (Cth) sch 1 sub-cl 11.1.
[15] Privacy Act 1998 (Cth) s 40.
[16] Mike Schroepfer, An Update on Our Plans to Restrict Data Access on Facebook privacy (4 April 2018) Facebook <https://newsroom.fb.com/news/2018/04/restricting-data-access/>.