Acting Information and Privacy Commissioner Rachel Falk has told Senate Estimates that her office’s investigation into Facebook regarding the Cambridge Analytica data misuse scandal will take at least six to eight months to reach an outcome.
Facing the Legal and Constitutional Affairs Legislation Committee on Thursday night, the acting head of the Office of the Australian Information Commissioner (OAIC) said a standard investigation into a potential breach or alleged misuse of data takes around that long; however, given the “complexities” the Facebook investigation contains, it is expected to take longer.
Before his departure, former Commissioner Timothy Pilgrim opened preliminary enquiries to determine whether the personal information of Australians was affected. Once it was confirmed that the personal information was in fact impacted, Falk then opened a commissioner-initiated inquiry, given the size of the alleged breach and the “issues at hand”.
“Having now opened a commissioner-instigated investigation, there’s a number of outcomes that could occur: If I or the commissioner were to make a finding that there was no breach of privacy in the circumstances, then the matter would close; if the commissioner were to find that there had been a breach of privacy, then there needs to be a decision taken as to what the appropriate regulatory outcome might be,” she explained.
While over 300,000 users who had their information misused hailed from Australia, the country was the 10th hardest hit by the scandal globally. Overall, Facebook admitted that information on up to 87 million users, mostly from the US, was “improperly shared” with Cambridge Analytica.
Speaking more broadly on the OAIC’s enforcement options, Falk said one possible outcome is to accept an enforceable undertaking in the Australian Federal Court; another is to make a determination, which again is a binding decision enforceable in the Federal Court; and the third is to seek civil penalties from the Federal Court. She said that’s the case for existing breaches within existing law.
“We seek to finalise commissioner-instigated investigations within around six to eight months. I anticipate that this one might take a little longer, depending on the complexity of the issues that arise, but that’s the indicative time frame,” she continued.
As part of her investigation, Falk said she is liaising with international counterparts, including in the United States and the Philippines.
“In terms of where it’s at, we’re compiling the investigation strategy and working through those matters and also working through the legal issues as they arise,” she said.
“It’s early days in terms of the investigation, and whilst I have publicly said I am investigating, usual practice is to then conduct the investigation in private so as to not prejudice those proceedings.
“Under the Australian Privacy Act, global corporate entities need to comply with the privacy obligations where they’re carrying out business in Australia and collecting information from Australians.”
She couldn’t answer whether Facebook is compliant with the Australian Privacy Act, however.
“Our experience has been that Facebook has worked cooperatively and sought to resolve those issues in a consolatory manner,” she said of her interaction with the Australian chapter of the social media giant.
In response to a question on whether Facebook assists the OAIC in a timely enough manner, Falk said she hasn’t had any issues brought to her attention.
OAIC resourcing concerns amid remit increase
Expecting 500 data breach notifications to come through the office in the first year of the Notifiable Data Breaches (NDB) Scheme, in addition to the Facebook investigation and other responsibilities the OAIC’s staff members already have on their plate, the senators were concerned that the office is understaffed and overworked.
Falk told the committee that the OAIC currently boasts 75 full-time equivalent staff, but will be receiving a further 17 once the new Consumer Data Right comes into play in the next financial year.
“There is an increase in a number of matters that we’re closing,” she said. “The challenge is to manage responsibilities with the resources available.
“I acknowledge that we are receiving an increasing number coming through the door, and despite the fact that we are able to resolve more and more efficiently, there is a gap between the two, so we are doing some work internally in the next couple of months to re-look at our process to see if there’s anything else that we might realign, we are also looking at our workload that’s likely to occur over the next 12 months and do some analysis.”
Falk said there are five staffers working on the NDB scheme.
“In terms of resourcing, each of the matters is assessed and then we need to prioritise the resources that we do have, that’s why we’re giving focus over the next couple of months to our ongoing workload. We need to allow the scheme to continue for a little bit longer for us to really get a sense of what that might look like,” she said in response to a question asking whether there was a work backlog as a result of the NDB scheme.
The OAIC has three primary functions: Privacy, conferred by the Privacy Act and other laws; freedom of information, in particular oversight of the operation of the Freedom of Information Act 1982 and review of decisions made by agencies and ministers under that Act; and government information policy, conferred on the Australian Information Commissioner under the Australian Information Commissioner Act 2010.