The Australian Federal Court has hit Facebook Israel with a $20 million penalty over a misleading smartphone app.
Update 26/7: Added comment from ACCC
VPN service Onavo, which was acquired by Facebook Israel in 2013, was offered in Australia between 2016 and 2017 as a way for users to protect their privacy online by giving their phone a different IP address.
However, the app did not obviously disclose how the VPN collected and deployed user data. The app collected users’ location, time and frequency using other smartphone apps, and websites they visited for its own advertising purposes, judge Wendy Abraham said in a written judgment.
App store listings for Onavo Protect said: “Use a free, fast and secure VPN to protect personal information” and “Helps Keep You and Your Data Safe.”
“The failure to make sufficient disclosures … may have deprived tens of thousands of Australian consumers of the opportunity to make an informed choice about the collection and use of their data before downloading and/or using Onavo Protect,” Abraham wrote.
The Australian Competition and Consumer Commission (ACCC) brought the civil lawsuit against Meta, despite Onavo being owned by the company’s Israeli subsidiary. The two parties settled the case for $20 million.
“We took this case knowing that many consumers are concerned about how their data is captured, stored and used by digital platforms. We believe Australian consumers should be able to make an informed choice about what happens to their data based on clear information that is not misleading,” said ACCC Chair Gina Cass-Gottlieb.
The scope of the app’s data collection was disclosed within its terms of service but, of course, no one reads those, and nor was it made obvious to users.
“In the case of the Onavo Protect app, we were concerned that consumers seeking to protect their privacy through a virtual private network were not clearly told that in downloading and using this app they were actually facilitating the use of their data for Meta’s commercial benefit,” added Cass-Gottlieb.
Abraham added that the court could have fined Meta hundreds of billions of dollars since Australians downloaded the app 271,220 times and each breach of consumer law carried a AU$1.1 million fine, but “the contraventions can be characterised as a single course of conduct”.
Despite the relatively small penalty, Abraham said that it “carries with it a sufficient sting to ensure [it is not regarded] as simply an acceptable cost of doing business.”
In a statement, Meta said “The ACCC acknowledged in the joint filing that the Onavo Protect listings were not deliberately misleading and disclosures were made in the app’s Terms of Service and Privacy Policy. Furthermore, all user data was anonymised and aggregated before it was used by Meta.
“The Onavo Protect app did provide users with a free, useful VPN service and it did function properly as an online security tool. There was no allegation by the ACCC that the app did not function properly as an online security tool.”
The company also added that “Over the last several years, we have built tools to give people more transparency and control over how their data is used, and we design every new product and feature with privacy in mind.”
Meta still faces a civil court action by Australia’s Office of the Information Commissioner over its dealings with Cambridge Analytica in Australia.
