After it was revealed over 311,127 Australians were caught up in the improper use of Facebook data by Cambridge Analytica, the Office of the Australian Information Commissioner (OAIC) has opened an official investigation into the social media giant.
The investigation will consider whether Facebook has breached the Privacy Act 1988.
In a statement on Thursday, acting Information and Privacy Commissioner Angelene Falk said given the global nature of the matter, the OAIC will confer with regulatory authorities internationally.
"All organisations that are covered by the Privacy Act have obligations in relation to the personal information that they hold," she said. "This includes taking reasonable steps to ensure that personal information is held securely, and ensuring that customers are adequately notified about the collection and handling of their personal information."
While over 300,000 users who had their information misused hailed from Australia, the country was the 10th hardest hit by the scandal globally. Overall, information on up to 87 million users, mostly from the US, was admitted by Facebook as being "improperly shared" with Cambridge Analytica.
Facebook chief Mark Zuckerberg said during a press conference that the 87 million figure was a "conservative estimate" of users who could be affected. Taking nearly an hour's worth of questions from reporters, Zuckerberg said Facebook up to this point hasn't taken a broad enough view of its responsibility to protect user data and prevent abuse of the platform.
"That was a huge mistake, that was my mistake," he said.
An investigation was last week opened by New Zealand Privacy Commissioner John Edwards who said Facebook denied it had it breached the NZ Privacy Act 1993 and refused to cooperate with the commissioner's requests.
"The social media company said the Privacy Act did not apply to it and it did not have to comply with the commissioner's request to review the information requested by the complainant," Edwards wrote.
The commissioner found Facebook was subject to the Privacy Act and had fundamentally failed to engage with the Act. He said Facebook's position that the Privacy Act did not apply to it was surprising and contrary to its own Data Policy in regards to responding to legal requests for any personal information it held.
Sections 91 and 92 of the Act, however, require agencies to comply with requests from the commissioner for information withheld by those agencies from individuals.
"Due to Facebook ignoring a statutory demand the commissioner was unable to review the material requested by the complainant and unable to arrive at a view that Facebook was justified in properly withholding information from the complainant," the commissioner's office said. "This prevented the commissioner from being able to address the complaint under the statutory process."
Zuckerberg will testify to US Congress on Wednesday to answer questions about privacy and how the company handles user data.