The Australian Federal Court has imposed a penalty of AUD 20M (USD 13,500,000) on Onavo Protect, a VPN service provided by Facebook Israel (Meta), for collecting user data for commercial purposes.
The court examined the case after a relevant “false advertising” complaint submitted by the ACCC (Australian Competition & Consumer Commission) in 2020 and determined that the company violated the Australian Consumer Law by not disclosing that it collected user data for marketing and targeted advertising purposes.
The violations occurred between February 2016 and October 2017, when the Onavo Protect VPN app was installed by over 270,000 Australians using iOS and Android devices.
The free VPN app was promoted as a tool to help users keep their data safe, protect their personal information, and enjoy a fast and secure internet browsing experience. Nowhere in the app listings was it mentioned that user data would be collected for commercial or any other purposes, so users were not adequately informed about how the service vendor handled their data.
“In the case of the Onavo Protect app, we were concerned that consumers seeking to protect their privacy through a virtual private network were not clearly told that in downloading and using this app they were actually facilitating the use of their data for Meta’s commercial benefit.” ACCC Chair, Cass-Gottlieb
As the investigation determined, Onavo and Facebook Israel collected user data from the app without applying any anonymization whatsoever, aggregated it, and shared it with an extensive network of advertising partners.
The data collected includes the entire internet activity performed while the app was active and also records of app activity, access, and usage times for any other apps the user had on the same device, which is a highly intrusive and privacy-breaching practice.
Onavo is no longer active and does not offer any VPN services, but the Australian court decision highlights the dangers of trusting free VPN apps, especially those published by companies whose core business model is to collect user data.
Additionally, this ruling serves as a vindication for the ACCC and Australian consumers. Facebook had previously rejected the allegations that it unlawfully collected user data and deliberately misled users about the safety of their data while they used the app. Instead of settling and reforming its data collection methods, the company chose to defend its practices in court.