1. Background
1.1. This enforceable undertaking is given by Meta Platforms, Inc. (Meta) to the Australian Information Commissioner (Commissioner) under section 114 of the Regulatory Powers (Standard Provisions) Act 2014 (Regulatory Powers Act) in conjunction with the discontinuance of Federal Court of Australia Proceeding No NSD 246 of 2020 (the Civil Penalty Proceedings) against all Respondents, on a without prejudice basis and without any admission of liability. The Civil Penalty Proceedings followed investigations by the OAIC concerning the Cambridge Analytica Incident, the facts of which are described below together with a background to the Civil Penalty Proceedings.
1.2. Meta offers this enforceable undertaking in its capacity as the provider of the Facebook service to users in Australia from 14 July 2018 onwards. Prior to 14 July 2018, and during the period in which the Cambridge Analytica Incident described below occurred, Meta Platforms Ireland Limited provided the Facebook service to users in Australia.
The Cambridge Analytica Incident
1.3. In April 2010, Meta launched the Graph Application Programming Interface (Graph API). The Graph API allowed third party apps to access, with permission from users who installed the third party app using the Facebook Login tool, certain information, e.g., their name, birthdate, etc., from installers of the app and their friends (if both users’ privacy settings allowed it). Under the first version of Graph API (Graph API Version 1), which was in place from 21 April 2010 to 30 April 2015 for pre-existing apps, third party apps could request access to certain information (1) from the installing user’s account; and (2) that the installing user’s Facebook friends had chosen to share with the installing user. The Graph API would provide the information sought on an automated basis, so long as the installing user authorised the request, the user and their friends had not opted out of the Facebook platform (which would allow the user to opt out of providing access to information to third party apps), subject to the privacy and application settings of the user and their friends.
1.4. In November 2013, Dr Aleksandr Kogan, a professor at Cambridge University, launched a third party app relevantly known as “thisisyourdigitallife” (the Life App) using Graph API Version 1. Before doing so, Dr Kogan agreed to Meta’s terms of service and its terms for developers of third party apps using the Facebook platform and the Graph API. The Life App, which presented itself to users as a quiz app, requested via a dialog box at the time of installation, installing users’ permission to access certain categories of their information as well as certain categories of information that their Facebook friends shared with them.
1.5. In December 2015, upon learning from media reports that Dr Kogan and his company, Global Science Research Limited (GSR), may have been transferring user information to Cambridge Analytica (UK) Ltd, a British data analytics company, and its parent company, Strategic Communication Laboratories (together, SCL) (in contravention of contractual obligations owed to Meta), Meta launched an investigation and terminated the Life App’s use of the Graph API and access to Facebook Login.
1.6. Based on this investigation, Meta concluded that Dr Kogan and GSR had violated its terms in several respects. Meta subsequently obtained certifications that Dr Kogan, GSR, and other third parties (including SCL) with whom Dr Kogan had shared user information had deleted the information. The information that was transferred to SCL related primarily to users in the United States. Neither Meta, nor Meta Platforms Ireland Limited, are aware of any evidence that Dr Kogan provided SCL with information on Facebook users from Australia.
The OAIC’s Investigation and the Civil Penalty Proceedings
1.7. On 5 April 2018, the Commissioner initiated an investigation under section 40(2) of the Privacy Act 1988 (Cth) (Privacy Act) in relation to reports that Australian users’ information may have been improperly shared with Cambridge Analytica (UK) Ltd via the Life App. During the investigation, which extended to Meta, Meta Platforms Ireland Limited and Facebook Australia Pty Ltd, the Commissioner raised concerns that Meta may have interfered with the privacy of Australian individuals in contravention of Australian Privacy Principles (APPs) 1.2, 5, 6, 10 and 11 of the Privacy Act (Investigation).
1.8. On 9 March 2020, the Commissioner commenced the Civil Penalty Proceedings and concluded the above investigation. In the Civil Penalty Proceedings, as further particularised in the Amended Statement of Claim dated 2 June 2023, the Commissioner alleged that Meta’s systems and practices raised concerns about the protection of personal information of Australian Facebook users in relation to the Cambridge Analytica incident, and that, based on its Investigation, Meta and Meta Platforms Ireland Limited may have contravened section 13G of the Privacy Act through serious or repeated breaches of APPs 6.1 and 11.1. The Commissioner alleged that, throughout the time the Life App was available to Facebook users, approximately:
- 1.8.1. 53 Facebook users located in Australia installed the Life App; and
- 1.8.2. 311,074 Facebook users located in Australia could have had their personal information requested by the Life App as friends of installing Facebook users.
2. Meta’s Response to the Cambridge Analytica Incident
2.1. Meta acknowledges:
- 2.1.1. that under the Privacy Act, Meta must not do an act, or engage in a practice, that breaches an APP;
- 2.1.2. the Commissioner’s concerns identified in paragraphs 1.7 and 1.8.
2.2. Meta represents, and the Commissioner acknowledges, that:
- 2.2.1. Meta no longer permits third party app developers to access from Meta an installing user’s friend’s information, unless that friend has also installed the app and authorised it to have access to that information;
- 2.2.2. since the period relevant to the Civil Penalty Proceedings, being 12 March 2014 to 1 May 2015 (Relevant Period), Meta has dedicated significant and increased resources to monitoring third party apps and enforcing Meta’s terms and policies;
- 2.2.3. since the Relevant Period, Meta substantially reduced the number of information fields available that third party app developers (via Facebook Login) may request an installing user’s permission to access; examples of information fields that have been removed include: (i) the installing user’s friends’ information, excluding the circumstances specified in paragraph 2.2.1; and (ii) the installing user’s religion, political views and relationship details;
- 2.2.4. since the Relevant Period, Meta has continued to implement granular data permissions processes to allow a user who installs a third party app to decide which categories of certain information they will share with the third party app; and
- 2.2.5. Meta monitors the compliance of third party app developers of consumer apps with Meta’s Platform Terms through measures including, but not limited to, ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing at least once every 12 months.
3. Meta’s Enforceable Undertaking to the Commissioner
3.1. Meta offers this enforceable undertaking to the Commissioner under section 114 of the Regulatory Powers Act, including to address the concerns in paragraphs 1.7 and 1.8.
3.2. This undertaking comes into effect when:
- 3.2.1. it is executed by Meta; and
- 3.2.2. this undertaking, so executed, is accepted by the Commissioner (the Commencement Date).
3.3. This undertaking ceases to have effect upon the completion of the Payment Program (as defined at paragraph 4.1 below).
4. Undertaking to Establish Payment Program
4.1. Meta undertakes to implement a payment program open to Eligible Australian Users in recognition of the Commissioner’s concern that those users may have suffered loss or damage as a result of interferences with their privacy arising from the conduct the subject of the Commissioner’s concerns as identified in paragraphs 1.7 and 1.8 above in accordance with Parts 5 and 6 of this enforceable undertaking and fulfill each of its obligations set out in Parts 4 to 7 of this enforceable undertaking (Payment Program).
4.2. Meta undertakes to:
- 4.2.1. engage an independent third party administrator (the Administrator);
- 4.2.2. direct the Administrator to administer the Payment Program in accordance with:
- 4.2.2.1. Parts 5 and 6 of this enforceable undertaking; and
- 4.2.2.2. any instructions for the Payment Program given to the Administrator by Meta (Scheme Instructions); and
- 4.2.3. complete the Payment Program within 2 years from the Commencement Date or such longer period as agreed between the Commissioner and Meta.
5. Eligible Australian Users
5.1. A person is an “Eligible Australian User” if the person:
- 5.1.1. held a Facebook Account at any time during the period of 2 November 2013 and 17 December 2015 (Eligibility Period);
- 5.1.2. was located in Australia for 30 days or more during the Eligibility Period; and
- 5.1.3. during the Eligibility Period, either:
- 5.1.3.1. installed the Life App using Facebook Login; or
- 5.1.3.2. did not install the Life App but was Facebook friends with another Facebook user who had installed the Life App using Facebook Login.
5.2. Subject to paragraphs 5.3 to 5.5, an Eligible Australian User can register with the Administrator as a “Claimant” under the Payment Program if they submit to the Administrator within the registration period prescribed by the Administrator (Registration Period) a valid Registration Form and evidence in such form as prescribed, verifying that the person:
- 5.2.1. is an Eligible Australian User under paragraph 5.1;
- 5.2.2. holds a genuine belief that as a direct consequence of the conduct the subject of the Commissioner’s concerns identified in paragraphs 1.7 and 1.8, they have suffered loss or damage, being either:
- 5.2.2.1. specific economic and/or non-economic loss and/or damage (beyond a generalised concern or embarrassment) (Class 1); or
- 5.2.2.2. a generalised concern or embarrassment (Class 2).
5.3. The Registration Form will be prepared by the Administrator in consultation with Meta and may set the standard of verification and evidence that a Claimant must provide for each eligibility criterion by the end of the Registration Period, including by way of statutory declaration or identity verification as considered appropriate.
- 5.3.1. For paragraphs 5.1.3 and 5.2.2.2, Meta must direct the Administrator to not require more than a valid statutory declaration.
5.4. Notwithstanding paragraphs 5.2 and 5.3, the Administrator may, in its absolute discretion, determine that a person will not be:
- 5.4.1. an Eligible Australian User where the Administrator is unable to verify that the person meets the requirements of Part 5 of this enforceable undertaking based on the information available to the Administrator;
- 5.4.2. a Claimant where the Administrator determines that:
- 5.4.2.1. the person provided the Administrator with false information, or that the person’s registration is otherwise fraudulent;
- 5.4.2.2. the person has previously registered as a Claimant;
- 5.4.2.3. if the person registered to receive payment from Meta, or any of its affiliated or related entities, in a proceeding, investigation or other legal action in any jurisdiction outside of Australia that relates to, or arose out of, the factual background detailed in paragraphs 1.3 to 1.6 of this enforceable undertaking, such as the US settlement of In re: Facebook, Inc. Consumer Privacy User Profile Litigation, Case No. 3:18-md-02843-VC (N.D. Cal.); or
- 5.4.2.4. the person is not otherwise eligible in accordance with the Scheme Instructions.
5.5. For the avoidance of any doubt, a person:
- 5.5.1. is not a Claimant if the person has not registered in accordance with paragraphs 5.2 and 5.3 during the Registration Period; and
- 5.5.2. cannot register as a Claimant in both Class 1 and Class 2.
6. Payment Program
6.1. Meta undertakes to, within 60 days of the Commissioner filing a Notice of Discontinuance in the Civil Penalty Proceedings, pay an amount of $50 million (the Contribution Amount) to the Administrator for the Administrator to use to make payments to Claimants (Payments) in accordance with paragraphs 6.2 to 6.9.
6.2. Following the payment of the Contribution Amount by Meta in accordance with paragraph 6.1, Meta will:
- 6.2.1. notify the Commissioner that the Contribution Amount has been paid to the Administrator;
- 6.2.2. direct the Administrator to make information available on a website established by the Administrator regarding the Payment Program, including how Eligible Australian Users can register with the Administrator as a Claimant;
- 6.2.3. use reasonable best efforts to:
- 6.2.3.1. identify, based on Meta’s available records, persons that may be Eligible Australian Users; and
- 6.2.3.2. facilitate electronic notice of the Payment Program to those persons;
- 6.2.4. direct the Administrator to take reasonable steps to publicise the Payment Program within Australia.
6.3. The Payment that a Claimant receives will depend on whether the Administrator determines that the Claimant is a Class 1 or Class 2 Claimant.
6.4. In performing its obligations under Parts 5 and 6, the Administrator will apply any Scheme Instructions, including any cap to apply to Payments made to Claimants and the principle that all Class 2 Claimants be paid the same amount.
6.5. Subject to the Scheme Instructions, following the end of the Registration Period, the Administrator will:
- 6.5.1. evaluate and determine, using evidence available to the Administrator at that time, in the Administrator’s absolute discretion whether:
- 6.5.1.1. a person is an Eligible Australian User (in accordance with Part 5); and
- 6.5.1.2. if a person registers as a Claimant in Class 1, the person has provided sufficient supporting evidence to substantiate their claim that they have suffered loss or damage in Class 1;
- 6.5.2. determine the number of Claimants in each of Class 1 and Class 2;
- 6.5.3. commence the process for determining the Payment that each Class 1 and Class 2 Claimant is entitled to receive, in accordance with this Part 6; and
- 6.5.4. notify Meta that the process referred to in paragraph 6.5.3 above has begun, at which point Meta will within 24 hours notify the Commissioner thereof.
6.6. The Scheme Instructions will provide for the Administrator to include a timely internal review avenue for:
- 6.6.1. any decision by the Administrator to reject a Claimant’s Class 1 registration and allocate the Claimant to Class 2; and
- 6.6.2. assessment of any Payment amount that is to be made to a Claimant in Class 1.
6.7. Following the conclusion of the process in 6.5, in accordance with paragraphs 6.3 and 6.4, the Administrator will:
- 6.7.1. finalise its determination including any internal review of any Payment that is to be made to a Claimant in either Class 1 or Class 2;
- 6.7.2. once all determinations are completed in accordance with paragraph 6.7.1, notify Meta of:
- 6.7.2.1. the total number of Claimants; and
- 6.7.2.2. the aggregated amount to be distributed to all Claimants; and
- 6.7.3. make a timely Payment to each such Claimant.
6.8. Following receipt of the notification set out at paragraph 6.7.2, Meta will within 24 hours notify the Commissioner thereof.
6.9. If the total aggregate sum of Payments made to Claimants under paragraph 6.7 is less than the Contribution Amount, Meta will direct the Administrator to pay the residual amount to the Australian Government’s Consolidated Revenue Fund.
6.10. If, when performing its obligations under Parts 5 and 6 of this enforceable undertaking, the Administrator informs Meta that it will not be able to comply with any deadline specified in this undertaking, Meta will:
- 6.10.1. promptly inform the Commissioner, and the OAIC, of the extent and reasons for the delay;
- 6.10.2. in consultation with the Administrator, determine a date by which the Administrator will reasonably be able to complete the actions specified;
- 6.10.3. propose the modified date(s) to the Commissioner and seek to agree any necessary extension; and
- 6.10.4. cause the Administrator to notify Claimants of the delay and the amended date(s) agreed with the Commissioner (if applicable).
7. Compliance
7.1. Subject to any confidentiality obligations owed by Meta, the OAIC may request in writing from time to time and Meta will provide to it, documents and information that are reasonably necessary for the purpose of assessing Meta’s compliance with Parts 4 to 6 of this enforceable undertaking.
7.2. Meta will use its best endeavours to provide documents and information in response to any request under paragraph 7.1 within 14 days of the request.
8. Other matters
8.1. Meta acknowledges that the Commissioner:
- 8.1.1. will publish this enforceable undertaking as well as a summary of the undertaking, on the OAIC website;
- 8.1.2. may issue a statement on acceptance of this enforceable undertaking referring to its terms and to the circumstances which led to the Commissioner’s acceptance of the undertaking; and
- 8.1.3. may from time to time publicly refer to this enforceable undertaking, including any breach of this enforceable undertaking by Meta.
8.2. Meta acknowledges that:
- 8.2.1. The Commissioner’s acceptance of this enforceable undertaking does not preclude the Commissioner’s power to investigate, power not to investigate further, or the exercise of any of the Commissioner’s functions under the Privacy Act in relation to: (i) the representative investigation opened by the Commissioner under sub-section 40(1) of the Privacy Act on 21 October 2019 (referred to by the Commissioner using the reference number CP18/01262); or (ii) any contravention that concerns conduct that is outside the scope of the Civil Penalty Proceedings or Investigation.
- 8.2.2. If the Commissioner considers that Meta has breached this enforceable undertaking, the Commissioner may apply to the Federal Court or Federal Circuit Court to enforce the undertaking under s 115 of the Regulatory Powers Act.
8.3. The Commissioner’s acceptance of this enforceable undertaking is not a finding that Meta has contravened the Privacy Act or the APPs.
8.4. Meta gives this enforceable undertaking on a without prejudice basis, and without any admission of liability as to the matters raised in the Investigation or Civil Penalty Proceedings. Any representations made or acknowledgments given by Meta in this enforceable undertaking, whether express or implied, are made without prejudice or admission of liability. In giving this enforceable undertaking, neither Meta nor any of its affiliated or associated entities are precluded from taking any position or relying on any facts or factual statements in any legal or regulatory proceedings in Australia or in any other jurisdiction in relation to any matter that was within the scope of the Commissioner’s investigations referred to in paragraphs 1.7 and 8.2.1, the Civil Penalty Proceedings or which otherwise relate to the Cambridge Analytica Incident described at paragraphs 1.3 to 1.6.
9. Confidentiality
9.1. The Commissioner acknowledges that information provided by Meta, or the Administrator, to the Commissioner and OAIC in accordance with this enforceable undertaking may contain sensitive commercial information (Commercial-in-confidence Information).
9.2. The Commissioner acknowledges that any such Commercial-in-confidence Information is provided by Meta, or the Administrator, in confidence.
9.3. The Commissioner:
- 9.3.1. will only publish or otherwise disclose any Commercial-in-confidence Information with Meta’s written agreement, unless otherwise required by law; and
- 9.3.2. will only use any Commercial-in-confidence Information for the purpose of exercising the Commissioner’s powers, or performing functions or duties in the Privacy Act.