Meta is facing a total of $20 million in fines in Australia due to misleading consumers about personal data usage. Facebook Israel and VPN service Onavo Protect promised to keep user data private and safe, but were sharing collected personal information with Meta for use in its targeted advertising systems.
Shut down in 2019, controversial VPN still haunting Meta
The decision stems from a proceeding initiated by the ACCC in December 2020. Founded in 2010 and acquired by Facebook in 2013, Onavo was an Israel-based business analytics outfit that raised eyebrows when mentions of its VPN product began appearing in the Facebook mobile app in 2016. Concerns about exactly how much “P” the VPN was offering came to a head in 2018, when Apple gave it the boot from the App Store due to violation of policies about monitoring the data usage of other apps. Continued backlash led to voluntary withdrawal of Onavo Protect from the Google Play Store in February 2019.
Facebook Israel and Onavo are each being assessed fines of $10 million for breach of Australian Consumer Law. The Australian Competition & Consumer Commission said that the Meta subsidiaries had failed to adequately disclose the extent of consumer data usage to Australians that made use of the VPN service between February 2016 and October 2017, about 270,000 people in total. The data in question was anonymized and aggregated, but still fell afoul of ACCC rules.
In addition to raising a storm of concerns about data usage while it was active, Onavo Protect was criticized for not clearly disclosing that it was owned by Facebook until 2018. And while consumer identities were anonymized, very detailed information was collected that could potentially be linked to individuals, such as records of every app used and for how long the user accessed each.
The immediate successor to Onavo, Facebook Research VPN, ran into even more trouble in terms of data usage issues. This app made its nature as a personal information gathering tool more up-front, but also misused an Apple enterprise certificate to allow it to be installed outside of the App Store and specifically targeted teenagers as a primary demographic. The app installed a root certificate on devices, collected browsing history and unencrypted web traffic, and was even able to peer into private text messages. That app barely made it a month into 2019 before it was banned by Apple and got Facebook kicked out of the company’s Developer Enterprise Program.
Meta racks up international fines for data usage issues, but do they matter?
While Meta has been facing a variety of regulatory penalties around the world that never seem to end, it has seen relatively little blowback from the Onavo incident prior to this. At one time there were questions about its data usage contributing to the company’s ongoing antitrust woes, given that market research data collected by Onavo Protect is believed to have played into its acquisition decisions and allowed it to keep direct tabs on the apps of rivals.
The ACCC seems content to ding Meta for what are essentially inaccurate statements to consumers about data usage, however, and in an amount that has seemingly become a cost of doing business for the company. Despite some recent concerns about its future direction, plans for VR and an ongoing drop in Facebook users, Meta is still pulling down about $120 billion per year in revenue. The decision potentially carried a $1.1 million fine per instance, that is, for each of the roughly 271,000 people who downloaded the VPN, but the ACCC decided to classify the entire thing as a “single course of conduct” and felt that the fine amount packed a “sufficient sting.”
Meta faces other legal trouble in Australia, in the form of a long-running battle with the Australian Information Commissioner (OAIC). The agency filed a lawsuit against Facebook in 2020 over the Cambridge Analytica leaks, representing about 311,000 people in the country that had personal data siphoned without their knowledge or consent (from just 53 people that installed the tainted quiz app). The high court rejected Meta’s appeal in 2022, and in June of this year the company was ordered into mediation. It must now appoint a mediator by the end of September and engage in talks in October. Meta has already been fined $5 billion in the US for its Cambridge Analytica failures, $1 million in Italy and £500,000 in the UK.
Privacy reforms that are before the Australian government also might grant the country’s residents the right to opt out of all targeted advertising while online, and Meta has responded by suggesting that it might push the company toward a paid subscription model for its services. Meta has threatened to take its ball and go home before in response to regulatory prospects, announcing in early 2022 that it might pull out of the European Union entirely if international data transfer issues could not be cleared up. That matter is now pending as a new data transfer agreement is being put into place, but is expected to immediately be challenged in court.