Australia: OAIC reaches AUD 50M settlement with Meta over disclosure of personal information

On December 17, 2024, the Office of the Australian Information Commissioner (OAIC) announced that it had agreed to an AUD 50 million (approx. $31.7 million) settlement as part of an enforceable undertaking received from Meta Platforms, Inc. (Meta) to settle civil penalty proceedings for violations of the Privacy Act (as amended) (the Privacy Act). The OAIC noted that the settlement follows a court-ordered mediation, which had been ongoing since February 2024, as part of the Federal Court civil penalty proceedings the OAIC commenced in March 2020.

Background to the settlement

The OAIC alleged that the personal information of some Australian Facebook users was disclosed to the 'This is Your Digital Life' app in breach of the Privacy Act. In the enforceable undertaking, the OAIC stated that Meta allowed third-party apps, such as the 'This is Your Digital Life' app, to access user information, as well as data from their Facebook friends, if permitted by privacy settings. The OAIC stated that the information was exposed to the risk of disclosure to Cambridge Analytica and other third parties, and risked being used for political profiling purposes.

Findings of the OAIC

In the enforceable undertaking, the OAIC alleged that Meta's systems and practices raised concerns about the protection of personal information of Australian Facebook users in relation to the Cambridge Analytica incident, and that, based on the OAIC's Investigation, Meta may have contravened Section 13G of the Privacy Act through serious or repeated breaches of Australian Privacy Principles (APPs) 6.1 and 11.1.

Outcomes

In light of the above, the OAIC agreed to an enforceable undertaking that requires Meta to set up a payment scheme, which will be run by an independent third-party administrator and will be open to individuals who:

  • held a Facebook Account between November 2, 2013 and December 17, 2015;
  • were present in Australia for more than 30 days during that period; and
  • either installed the 'This is Your Digital Life' app or were Facebook friends with an individual who installed the app.

Specifically, the enforceable undertaking requires Meta to, within 60 days of the OAIC filing a Notice of Discontinuance in the Civil Penalty Proceedings, pay AUD 50 million (approx. $31.7 million) to the administrator for the administrator to use to make payments to claimants.

As part of the resolution, the OAIC explained that it has withdrawn the civil penalty proceedings in the Federal Court. 

You can read the press release here and the enforceable undertaking here.