
ACCC vs Facebook. Fined $20.4 million dollars for falsely advertising the "privacy" of its VPN.

Summary

The Australian Competition and Consumer Commission (ACCC) launched action against Meta (Facebook), with the court ordering its subsidiaries to pay $20.4 million dollars AUD* (including court costs) for misleading advertising of its VPN security application Onavo Protect, which was advertised to "keep your data safe" but was in fact scraping user data to form aggregated data that was sent to Meta for commercial use.

 

* $14 Million dollars USD.

 

Quotes

Quote

"While Onavo Protect was advertised and promoted as protecting users' personal information and keeping their data safe, in fact, Facebook Israel and Onavo used the app to collect an extensive variety of data about users' mobile device usage," 

Disclosures on how data would be used were included in the terms of service and privacy policy for Onavo Protect, the court heard. However, it was accepted this information was "not sufficiently prominent or proximate" to the listed advertisements for the product on app stores.

 

Quote

Onavo Protect was downloaded more than 271,000 times in Australia between February 2016 and October 2017.

Justice Abraham wrote that under the Act, the maximum penalty that could apply was "more than $145 billion", or $1.1 million for each breach.

 

Quote

"I am satisfied the agreed penalty of $20 million, in the circumstances, satisfies the significant element of deterrence required in this proceeding," Justice Abraham said.

"It carries with it a sufficient sting to ensure that the penalty amount is not such as to be regarded by the parties or others as simply an acceptable cost of doing business."

 

My thoughts

Yay! Facebook admitted it did something wrong... while their spokesman claims all their problems are in the past while ignoring that they still have a Cambridge Analytica case pending in Australia.

 

The most disappointing thing is the last quote from the Judge that she thinks $20.4 million dollars (AUD) is enough of a "sufficient sting"... the same day Meta reported $32 billion dollars in revenue this year, an 11% rise in revenue, and earned a 7% surge in its share price in trading.

 

Like, a $145 billion dollar maximum would have stung and woken up most of Silicon Valley to immediately review every advert, EULA, TOS and privacy policy, and then promptly made them just delete all the data they scraped from Australia in the last 20 years out of fear. It was a missed opportunity to sting them harder to get a positive change out of the industry.

 

Sources

Australian Broadcasting Corporation News https://www.abc.net.au/news/2023-07-26/meta-subsidiaries-ordered-to-pay-aus-govt-20-million/102649008

Reuters https://www.reuters.com/technology/australia-court-fines-facebook-owner-meta-14-mln-undisclosed-data-collection-2023-07-26/


$20m AUD is a joke to a company like Meta, but it does work out to be $73 per download of the app in Australia. I think that's somewhat reasonable as it's likely more than the value they got from the data they collected through those 271,000 app installs. This was also just for violations in Australia. It doesn't rule out further legal issues they may face in other countries.

CPU: Intel i7 6700k  | Motherboard: Gigabyte Z170x Gaming 5 | RAM: 2x16GB 3000MHz Corsair Vengeance LPX | GPU: Gigabyte Aorus GTX 1080ti | PSU: Corsair RM750x (2018) | Case: BeQuiet SilentBase 800 | Cooler: Arctic Freezer 34 eSports | SSD: Samsung 970 Evo 500GB + Samsung 840 500GB + Crucial MX500 2TB | Monitor: Acer Predator XB271HU + Samsung BX2450


Good

Hope they go after other VPN providers as well. The amount of misinformation being spread by sponsor spots on YouTube is pretty big, especially in regard to VPN providers.


should have done x (20% minimum)  of global revenue for it to make any impact  ~

 

@Spotty obviously i agree with the first part of your post, it's a joke to zuck, hence 20% global minimum,  you'll see how quickly these companies suddenly can follow rules if their sheer existence is on the table.  🙂

 

 

The direction tells you... the direction

-Scott Manley, 2021

 

Softwares used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer

 

 

 


2 hours ago, Spotty said:

$20m AUD is a joke to a company like Meta, but it does work out to be $73 per download of the app in Australia. I think that's somewhat reasonable as it's likely more than the value they got from the data they collected through those 271,000 app installs. This was also just for violations in Australia. It doesn't rule out further legal issues they may face in other countries.

As Linus mentioned on the podcast (in relation to another company fine/penalty), if it's such a small penalty (like per download/user/product sold) then it's just a minor risk of doing business for large entities... like another zero or two should have been added to that fine to be punishing in my opinion.


1 hour ago, LAwLz said:

Good

Hope they go after other VPN providers as well. The amount of misinformation being spread by sponsor spots on YouTube is pretty big, especially in regard to VPN providers.

ACCC does have a practice of informing "industry" of recent rulings and advising them to review themselves and to update their business compliance practices.

They did it with Valve and Uber over refund policies. A lot of multinational online stores and gig apps suddenly started to argue less about refunds.

 

The biggest resistance is still the attitude "We are an American company, why does an Australian law apply to us"


Facebook products not private? WHAT? Shut the front door!

 

Also a huge issue is how Onavo products weren't even marked as "by Facebook" for a very long time despite Facebook owning them for many years already and probably funneling all the data from them into their own data hoarding data centers.


4 hours ago, Dirtyshado said:

We are an American company, why does an Australian law apply to us"

no, no one thinks that. if you operate in country x then country x laws apply to you.

 

don't like it you can leave at anytime (after paying your peanuts fine)


4 hours ago, Mark Kaine said:

@Spotty obviously i agree with the first part of your post, it's a joke to zuck, hence 20% global minimum,  you'll see how quickly these companies suddenly can follow rules if their sheer existence is on the table.  🙂

6 hours ago, Dirtyshado said:

The most disappointing thing is the last quote from the Judge that she thinks $20.4 million dollars (AUD) is enough of a "sufficient sting"... the same day Meta reported $32 billion dollars in revenue this year, an 11% rise in revenue, and earned a 7% surge in its share price in trading.

We really need to stop using revenue as a measuring stick; revenue without context means nothing. Net income/loss on the other hand is at least a better metric (for public company...private companies that metric gets tossed out the window though).

 

Don't get me wrong, a $20.4m fine is small but it's not exactly as small when in consideration to the product itself (and the people affected by said product) and the profits generated.

 

As a note, profits were $7.8 billion, the spike likely had to do with them having less revenue the previous quarter than what was achieved previous quarters (which leads to a bump when they exceed the revenue).

 

As a whole as well, I don't think it's a wise idea to have fixed % for fines as well...as it doesn't properly address the situation as well.

 

For example, Google Earth with their cars driving around captured passwords when they grabbed non-password protected wifi communications (unintentionally and the data itself wasn't used).  The act wasn't intentional, but they were fined...even though it wasn't used in malicious ways, if there were fixed % that mistake could have cost Google big despite there not really being harm (and despite the fact you shouldn't be using non password protected wifi).

 

Or the example of White Castle, which faces a $17 billion fine for not having in specific writing on their contract that they use fingerprint scanners to clock in and out (9,500 employees fell into this category). The fingerprint was used just to ID the employee at the punch machine...yet they stand to be charged potentially $178 million per employee...why? Because it simply used a fingerprint scanner to do so (had they issued an ID card that had to be tapped they wouldn't be in violation).

 

Really what needs to be assessed is what funds were generated through the means of offering the service with the illegal activity portion and assessing value on that portion (with punitive damages) but importantly actually assessing what form of damage was caused to the individual as well by the illegal activity.

3735928559 - Beware of the dead beef


5 hours ago, Dirtyshado said:

ACCC does have a practice of informing "industry" of recent rulings and advising them to review themselves and to update their business compliance practices.

They did it with Valve and Uber over refund policies. A lot of multinational online stores and gig apps suddenly started to argue less about refunds.

 

The biggest resistance is still the attitude "We are an American company, why does an Australian law apply to us"

Australian law only applies in Australia. Most of the time when people complain about Australian laws is when they are trying to overstep their jurisdiction and basically police the entire internet like they were with the one bill about misinformation. Obviously this one makes sense and I would even say that the fine is probably not enough but you do start getting into a sticky situation when you try and fine based on global revenue when your country doesn't actually account for a significant part of that global income. It would make sense to fine based on how much they are making in Australia tbh.


57 minutes ago, Mark Kaine said:

no, no one thinks that. if you operate in country x then country x laws apply to you.

No, they actually make that argument in court, lose, and then appeal it, lose again. It's hilarious how dismissive the judges get.

 

ACCC vs Valve "Valve unsuccessfully defended the claim arguing that it was not carrying on a business in Australia and that Washington State law should apply."... and even tried to make that same claim in the appeal.

 

OAIC vs Facebook - Facebook unsuccessfully argued that Facebook Ireland was conducting business and only those laws should apply... that was rejected, then they submitted that it had no physical assets, customers or revenues in Australia. This was also rejected. The law clearly stated "who have an online presence (but no physical presence in Australia), and collect personal information from people who are physically in Australia". Still denied actually having any business in Australia despite having offices, staff, selling advertising, managing login server, and having over 68% user coverage in Australia... appealed it, still lost.


16 minutes ago, Brooksie359 said:

Australian law only applies in Australia. Most of the time when people complain about Australian laws is when they are trying to overstep their jurisdiction and basically police the entire internet like they were with the one bill about misinformation. Obviously this one makes sense and I would even say that the fine is probably not enough but you do start getting into a sticky situation when you try and fine based on global revenue when your country doesn't actually account for a significant part of that global income. It would make sense to fine based on how much they are making in Australia tbh.

Sort of agree, but sort of not.

 

The issue with some companies is that you can essentially realize profits/revenues in different countries (despite it being generated elsewhere)...especially when it comes to internet facing companies.

 

For example, the concept of where a transaction occurred...if you purchase an in-game item, but all the processing was done in US servers, you connect to Canadian servers, but the actual things dealing with the transaction are all in the US...but the key is the purchaser is from Canada; where does the revenue for that purchase reside? From my current understanding what the company makes gets reported as US revenue (for tax purposes).

 

When it comes down to breaking down how much a company makes in each country, it gets a bit dicey that way.  Although I think the solution is basing it off of the product itself and the number of users affected (but then you do get situations like this where people look at the fine and think it's too small because they look at the size of the company as a whole)


4 minutes ago, Brooksie359 said:

Australian law only applies in Australia. Most of the time when people complain about Australian laws is when they are trying to overstep their jurisdiction and basically police the entire internet like they were with the one bill about misinformation.

Australian law applies to land, its peoples and its visitors.

 

The internet crosses borders, bound by international agreements, they pretend to forget that, the internet has customers all over the world, they are fully aware of this. That is why they like to hide shell companies in Israel or Ireland or the Caymans, pretending it gives them immunity and impunity to do whatever they want and deny responsibility for their platforms or their duty of care to Australian people (or the American people, or the EU etc). Plant your corporate flag in the least regulated places on the planet and tell every regulator "base" like they are a six-year-old child trying to cheat at tag.


6 minutes ago, wanderingfool2 said:

Sort of agree, but sort of not.

 

The issue with some companies is that you can essentially realize profits/revenues in different countries (despite it being generated elsewhere)...especially when it comes to internet facing companies.

 

For example, the concept of where a transaction occurred...if you purchase an in-game item, but all the processing was done in US servers, you connect to Canadian servers, but the actual things dealing with the transaction are all in the US...but the key is the purchaser is from Canada; where does the revenue for that purchase reside? From my current understanding what the company makes gets reported as US revenue (for tax purposes).

 

When it comes down to breaking down how much a company makes in each country, it gets a bit dicey that way.  Although I think the solution is basing it off of the product itself and the number of users affected (but then you do get situations like this where people look at the fine and think it's too small because they look at the size of the company as a whole)

Yeah it's not that complicated tbh. Obviously if Australia accounted for a significant amount of Meta's profits then you can maybe ask for fines based on global profits or revenue but Australia simply isn't that big.


6 minutes ago, Dirtyshado said:

Australian law applies to land, its peoples and its visitors.

 

The internet crosses borders, bound by international agreements, they pretend to forget that, the internet has customers all over the world, they are fully aware of this. That is why they like to hide shell companies in Israel or Ireland or the Caymans, pretending it gives them immunity and impunity to do whatever they want and deny responsibility for their platforms or their duty of care to Australian people (or the American people, or the EU etc). Plant your corporate flag in the least regulated places on the planet and tell every regulator "base" like they are a six-year-old child trying to cheat at tag.

I just don't appreciate one small country trying to dictate what can be hosted on social media websites and other big platforms. You want to make some special requirements for their citizens' information security or other specific requirements, that's fine, but once you start trying to police the internet and potentially fining companies because you don't like how they handle "misinformation" you have stepped outside the bounds of what is reasonable.


34 minutes ago, Dirtyshado said:

No, they actually make that argument in court, lose, and then appeal it, lose again. It's hilarious how dismissive the judges get.

 

ACCC vs Valve "Valve unsuccessfully defended the claim arguing that it was not carrying on a business in Australia and that Washington State law should apply."... and even tried to make that same claim in the appeal.

 

OAIC vs Facebook - Facebook unsuccessfully argued that Facebook Ireland was conducting business and only those laws should apply... that was rejected, then they submitted that it had no physical assets, customers or revenues in Australia. This was also rejected. The law clearly stated "who have an online presence (but no physical presence in Australia), and collect personal information from people who are physically in Australia". Still denied actually having any business in Australia despite having offices, staff, selling advertising, managing login server, and having over 68% user coverage in Australia... appealed it, still lost.

oh ok i almost figured they would do that, I'm still not entirely wrong,  no one actually thinks that. 

 


11 minutes ago, Brooksie359 said:

Yeah it's not that complicated tbh. Obviously if Australia accounted for a significant amount of Meta's profits then you can maybe ask for fines based on global profits or revenue but Australia simply isn't that big.

But the issue becomes how you "calculate" the revenues generated in Australia.  When it comes to global companies and the revenue made it rarely is cut and dry simple.

 

For example, creating many subsidiaries.  For things such as this, they could break out each product as a subsidiary and have the subsidiary owned by the parent company in the US.  At that stage the revenue would only be the amount made by the product itself.  To take it to the extreme, if Facebook created a subsidiary for each product to avoid liability of the parent company of the more profitable sectors.  They would be separate entities that could each be fined, but then the fines would be small because each is making a tiny fraction of what the parent company is making as a whole

 

It gets more complicated if they base most of what they are doing out of country; but allow Australians to purchase it.  They could claim that the transaction occurred outside of Australia (which was part of my example, as I believe as it pertains to the US/Canadian tax for the purposes of revenue it's where the transaction occurred on the server...so items like lootboxes purchased if the servers processing the transaction are only in the US, even if it's charged in CAD, the IP is from Canada, and the residence is from Canada, for tax purposes the revenue is in the US...could be wrong on this one...but my memory is that this is how the current US/CA agreement is).
