INSIGHT

Meta's $50M settlement with the OAIC fails to clarify the Privacy Act civil penalty regime

By David Rountree, Elizabeth Brown, Isabelle Orazio
Cyber Data & Privacy Technology, Media & Telecommunications

Important aspects of Australian privacy law remain unresolved

The Australian Information Commissioner (Commissioner) has settled proceedings against Meta Platforms, Inc. and Meta Platforms Ireland Ltd (Meta) with a $50 million payment program. The program forms part of an enforceable undertaking given in response to allegations that Meta's conduct in the Cambridge Analytica saga amounted to a breach of the Privacy Act 1988 (Cth) (Privacy Act).

These proceedings commenced in March 2020, and were the Office of the Australian Information Commissioner's (OAIC) first attempt to exercise its civil penalty powers. On 17 December 2024, the OAIC released an enforceable undertaking resolving the matters.

The enforceable undertaking provides Australians affected by the Cambridge Analytica events an avenue for redress through a compensation scheme. The proceedings against Meta have been discontinued and there have been no admissions from Meta as to any breach of the Privacy Act.

Whilst the $50 million compensation scheme is (in aggregate) the most substantial compensation sum that has been paid by an organisation in Australia for purported breaches of the Privacy Act, the settlement of proceedings means that important aspects of Australian privacy law—including the application of the civil penalty regime—remain unresolved. Whilst framed as a win for Australian privacy law and Facebook users, it provides a somewhat anticlimactic resolution to the proceedings, with no conclusion as to whether, or how, Meta's acts may have breached Australian law.

For more background, read our 2020 proceedings Insight and our discussion of the decision in relation to the extra-territorial application of the Privacy Act, since amended[1], to the US and Ireland based Meta entities.

Key takeaways

  • The Commissioner has accepted an enforceable undertaking by Meta to provide a $50 million payment to provide redress for eligible individuals affected by Meta's conduct in relation to the Cambridge Analytica incident.
  • As a result of accepting the enforceable undertaking, the Commissioner has withdrawn civil penalty proceedings against Meta on this issue in the Federal Court.
  • The Commissioner’s acceptance of this enforceable undertaking is not a finding that Meta has contravened the Privacy Act or the APPs.
  • The application of penalty provisions and the quantum of civil penalties under the Privacy Act remains uncertain.
  • Given that the proceedings concerned conduct which pre-dated the 2022 increases to maximum Privacy Act penalties, the risk profile of, and the regulator's appetite for, future Privacy Act civil penalty proceedings will likely be significantly higher; had the higher penalties applied, these proceedings may have seen a different result.

What is Meta required to do?

Meta is required to set up a payment program—a payment scheme run by an independent third-party administrator—that will permit claimants to apply to the administrator for a payment from the $50 million contribution amount. Residual funds not exhausted in the payment scheme by claimants will be paid into the Federal Government's Consolidated Revenue Fund.

Who can claim? A 'genuine belief' in a 'generalised concern'

Individuals who either used the This is Your Digital Life app, or who were Facebook friends of an individual who installed the app during the period 2 November 2013 and 17 December 2015, are eligible to make a claim. According to the enforceable undertaking, this is approximately 311,000 Australian users.

However, in order to claim, an individual must also satisfy the program administrator that they hold a genuine belief that they have suffered loss or damage, either:

  • specific economic and/or non-economic loss and/or damage; or
  • a 'generalised concern or embarrassment',

as a direct consequence of the concerns raised by the Commissioner in relation to Meta's alleged conduct. The enforceable undertaking contemplates that this may be verified by a statutory declaration.

This threshold is both low (merely requiring 'generalised concern or embarrassment') and high (requiring the claimant to satisfy the administrator of that belief, potentially by way of a statutory declaration).

Given the passage of time since the relevant period (being greater than 10 years ago), as well as the nature of the intrusion of privacy, we anticipate that most claimants will fall into the 'generalised concern or embarrassment' category, rather than being able to establish specific damages.

Meta must make 'reasonable best efforts' to publicise the program and notify individuals who are eligible (an unusual standard of effort that likely reflects the long negotiation of the undertaking).

Other representations made

Meta has also made various representations, acknowledged by the Commissioner, in relation to improved practices. These include, but are not limited to, implementation of granular data permissions processes, dedication of significant and increased resources to monitor third-party apps and enforce Meta’s terms and policies, and monitoring third-party developers of consumer apps for compliance with Meta’s Platform Terms.

$50 million: was it one breach or many?

The Commissioner does not explain the $50 million quantum of the contribution amount. As flagged above, civil penalty amounts have substantially increased due to 2022 amendments to increase penalties from $1.7 million for each serious and/or repeated interference with privacy, to whichever is the greater of:

  • $50 million;
  • three times the value of any benefit obtained through the misuse of information; or
  • 30% of a company’s adjusted turnover in the relevant period.

Given the settlement and the absence of any finding of breach, there is no resolution as to the quantum of civil penalty amounts, or as to whether the conduct involved a single 'serious or repeated' interference with privacy or multiple interferences. A significant aspect of the Commissioner's initial Statement of Claim was that the Commissioner sought a civil penalty for each act of purported unauthorised disclosure of personal information by Facebook, rather than for a single breach. The settlement compensation amount is clearly indicative of more than a single contravention under the previous (and lower) civil penalty regime, but is nowhere near the potential scale of affected users. Indeed, whilst $50 million sounds significant, spread across the approximately 311,127 Australian users it would amount to only $160 per claimant in compensation on average.

What else remains unresolved by this enforceable undertaking?

The enforceable undertaking and withdrawal of the civil penalty proceedings also leave the following issues unresolved:

  • the extraterritorial application of the Privacy Act (noting this did receive consideration during the preliminary proceedings); and
  • the core question as to whether there was a breach of the principles of Australian privacy law.

Despite the time and resources likely expended to date on the proceedings, we have not seen instructive judicial consideration or helpful precedent for interpreting various principles of privacy law that sit in a grey area, e.g. the boundary of 'related' purposes, individuals' 'reasonable expectations' and what amounts to 'reasonable steps'. Judicial guidance on at least some of these issues may be left to the civil proceedings that the Commissioner has brought more recently against each of Australian Clinical Labs and Medibank.

The influence of Privacy Act reforms on the current and future landscape

Given the passage of time and intense public scrutiny of data handling practices, it is not surprising that aspects of these proceedings now relate to laws which have been amended (even taking into account the equally slow pace of Privacy Act reform).

The Privacy and Other Legislation Amendment Bill 2024, which was passed in November 2024, sees an expansion of the enforcement mechanisms available to the OAIC and a tiered approach to civil penalties. Other regulatory reforms which would have impacted this case had they been in force at the relevant time, include:

  • references to 'repeated' in section 13G being removed to clarify that a single act or practice may amount to a serious interference with privacy; and
  • a set of (non-exhaustive) matters that can be taken into account when determining if an interference with privacy is 'serious' being introduced—largely codifying existing OAIC guidance on the matter.

In addition, the 2022 amendments under the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth) amended the scope of the extraterritoriality provision to remove the requirement that information must be 'collected or held' in Australia. This has resulted in a potentially overly broad expansion, and further consideration of this provision may be on the slate for the next tranche of potential privacy reform[2] (see our discussion of the application of the 2022 amendments in the landmark Clearview AI Inc case, which confirmed this expanded extraterritorial reach).

We also expect that further 'tranche 2' Privacy Act reforms will introduce a higher standard of privacy compliance for organisations.

What does this mean for APP Entities?

Settlement of the civil penalty proceedings gives the OAIC a cleaner slate in 2025, allowing it to pursue its civil penalty proceedings against Australian Clinical Labs and Medibank without being weighed down by concurrent litigation against one of the largest entities in the world. It also allows the OAIC to focus on leveraging its new lower-tier enforcement powers.

Organisations should anticipate that the OAIC will persist with enforcement activities using its new powers, advocate for further reforms to the Privacy Act, and leverage its enforcement authority to drive changes aligned with these reforms.

In 2025, organisations should consider their privacy risk profile and continue to uplift their data handling practices, rather than waiting for clarity on further reforms.

Footnotes

  1. Following the commencement of the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth), the 'carrying on a business in Australia test' is the only requirement that must be established for a foreign corporation to have an Australian link and for its global data handling practices to be bound by the Privacy Act.

  2. In the Federal Government's response to the 116 proposals set out in the Privacy Act Review Report, released in late 2023, the Government reserved its position on the scope of the extraterritorial application of the Privacy Act but agreed that further consultation should be undertaken on these provisions to determine if an additional requirement that personal information is connected to Australia is necessary to narrow the current scope. Many of the most significant proposed changes have been left for future tranches of reform and given the widespread implications of this issue, we expect that this will be considered in future reform discussion.