Two subsidiaries of social media giant Meta, Facebook Israel and Onavo Inc, have been fined $10 million each for misleading conduct, in breach of the Australian Consumer Law, over a virtual private network (VPN) service that was used to gather data on users and share it with Facebook’s marketing team.
Consumer watchdog the ACCC launched court action against Facebook (now Meta) and the two subsidiaries in late 2020, alleging false, misleading or deceptive conduct involving promotions for the Onavo Protect mobile app.
While the fine seems high, the Meta companies saved themselves more than $144 billion in striking a deal with the ACCC in a joint proposal to the Federal Court.
The case against Meta was dismissed by the Federal Court after settlement negotiations between the ACCC and the remaining parties based on information about Meta’s role in the conduct.
Onavo and Facebook Israel are indirect wholly-owned subsidiaries of Meta. Both were the developers and suppliers of Onavo Protect and responsible for the listings in the Google and Apple App Stores.
Onavo Protect was a free VPN app installed more than 270,000 times by Australian users between February 2016 and October 2017. The service shut down in May 2019.
A VPN uses encryption and other security mechanisms designed to keep the transmission of a user’s app and web traffic private.
Under Australian Consumer Law, the penalties could have exceeded $145 billion. Federal Court Justice Wendy Abraham spent considerable time in her judgment this week assessing whether the agreed $10 million for each business was appropriate.
“The ACCC emphasised that the proposed cumulative penalty reflects its pragmatic assessment that the public interest is best served by bringing this proceeding to a conclusion on the agreed terms,” she wrote.
The penalty for each individual breach of Australian Consumer Law was $1.1 million at the time, but Justice Abraham accepted submissions that it was a single breach.
“Although the precise number of occasions on which an Australian consumer viewed the Listings for Onavo Protect is unknown, during the Available Period, it was installed by Australian users on 271,220 separate occasions,” she wrote.
“Even if only half of the total downloads were made by separate Australian consumers, it still implies a maximum penalty of more than $145 billion.”
In Google and Apple App Store listings, Onavo Protect was marketed with phrases such as “Use a free, fast and secure VPN to protect personal information” and “Helps Keep You and Your Data Safe”.
The Court ruled that the two companies engaged in conduct liable to mislead the public in promotions by failing to adequately disclose that users’ data would be used for purposes other than providing Onavo Protect, including Meta’s commercial purposes.
Onavo and Facebook Israel shared the personal activity data from users collected by the app in anonymised and aggregated form with parent company Meta (then Facebook Inc) for commercial benefit.
The data shared with Meta included details on a user’s internet and app activity, such as records of every app they accessed and time spent using those apps, which was used in Meta’s market research.
ACCC chair Gina Cass-Gottlieb said the regulator took on the case because consumers are concerned about how their data is captured, stored and used by digital platforms.
“We believe Australian consumers should be able to make an informed choice about what happens to their data based on clear information that is not misleading,” she said.
“In the case of the Onavo Protect app, we were concerned that consumers seeking to protect their privacy through a virtual private network were not clearly told that in downloading and using this app they were actually facilitating the use of their data for Meta’s commercial benefit.”
In joint submissions to the Court, Facebook Israel and Onavo agreed the App Store listings did not mention that data collected by the VPN was also used for other purposes, including as a ‘business intelligence tool’.
Facebook Israel and Onavo were also ordered to pay $400,000 towards the ACCC’s costs and consented to the declarations and costs order, and made joint submissions with the ACCC in relation to penalties.