The Cambridge Analytica scandal of 2018 is still not quite out of the news yet, as investigations around the world continue to wrap up. Australia’s Information Commissioner has agreed to a $50 million AUD privacy settlement over the violations created by the “My Digital Life” app, which made international news a little over six years ago but had a breach window of 2013 to 2015.
The proceeds of the privacy settlement will mostly be distributed to impacted Australian Facebook users who were on the platform between late 2013 and late 2015. The Information Commissioner first brought the case in March 2020, and the settlement is the result of a court-ordered mediation initiated in June 2023.
Meta continues to pay tolls for costly Cambridge Analytica mistake
The third-party administrator has been instructed to take reasonable steps to publicise the privacy settlement, which will be available to Facebook users present in the country for at least 30 days between 2 November 2013 and 17 December 2015 and who were impacted by the installation of the “This is Your Digital Life” app. The Cambridge Analytica scandal was so wide-ranging in part because users did not need to install the app themselves, but simply be Facebook friends with someone who did. Meta has also been instructed to make reasonable efforts to contact known impacted parties.
Full details of accessing the privacy settlement funds will not be made public by the administrator until the second quarter of 2025 (nor will applications be made available until at least then), but it is known that payments will be divided into two tiers that impacted parties can apply for. The smaller payments of the two, referred to as the “base payments,” are available to individuals that experienced “generalised concern or embarrassment” due to the Cambridge Analytica breach. The second tier of likely larger payments is accessible to those that can demonstrate that the incident caused some specific loss or damage.
The privacy settlement is thought to impact about 311,127 Australian Facebook users in total (though only a little over 50 took the initial survey that caused all the trouble). Meta is not admitting to any wrongdoing in its handling of the Cambridge Analytica situation, though the company has already been penalized in several other countries. The firm, which used the Facebook data it accessed without user permission to create profiles for targeted political ads during the 2016 US presidential election, shut down in 2018 amidst the controversy.
Privacy settlement follows years-old penalties in other countries
One of the major factors in the length of time the privacy settlement took to reach was Meta’s attempt to argue in court that it could not be legally regarded as “conducting business” in Australia. Though it has kept a swanky office in Sydney since 2019, the company attempted to claim that it should not be under the Information Commissioner’s purview as it did not “collect and store information” on Australians. The courts ultimately rejected that claim in finding that not only did it keep caching servers in the country, but that the act of placing cookies on the devices of Australians was sufficient to meet the regulatory standard.
With the first reports of the Cambridge Analytica breaches hitting the news in early 2018, much of the regulation against Facebook and Meta concluded some time ago. Despite the lack of a national data privacy law, Facebook was hit by a huge penalty of $5 billion from the Federal Trade Commission (FTC) in July 2019. The UK Information Commissioner’s Office assessed a £500,000 fine in October 2019. Cambridge Analytica was not alone in abusing Facebook’s “Open Graph” feature to scrape the personal information of people that had not installed an app or agreed to data sharing, but it was uniquely problematic due to the scale of data taken (about 87 million Facebook profiles in total) and the fact that it influenced both the US presidential and Senate races.
Meta also settled a $725 million class action lawsuit in December 2022 that provided some financial restitution to those impacted by Cambridge Analytica. Final approval for that privacy settlement was granted in October 2023. Much of the regulatory storm for the issue appears to be over for Meta at this point, but there are still isolated issues that are not entirely resolved. For example, a case accusing the company of violating US securities law (Facebook vs Amalgamated Bank) was heard by the Supreme Court in November 2024 and returned to the U.S. Court of Appeals for the 9th Circuit to go forward. But though Meta may have finally put most of the Cambridge Analytica damage behind it, it moves on to face new legal and regulatory challenges in the emerging field of AI.