Federal Court clears path for the OAIC to pursue its privacy proceedings against Facebook

Federal Court confirms earlier ruling 8 min read

As the debate continues over the Federal Government's draft legislation to introduce a binding online privacy code for social media and other online platforms, a full bench of the Federal Court has confirmed an earlier ruling¹ that there was a prima facie case Facebook Inc (now Meta Platforms Inc) 'carries on a business' and collects personal information in Australia.² Our discussion of that earlier decision is available here.

With this decision, the Australian Information Commissioner (Commissioner) can now proceed with the landmark case against Facebook Inc and Facebook Ireland Ltd (together, Facebook), concerning the Commissioner's allegations that Facebook committed a number of breaches of the Australian Privacy Principles (APPs).

This decision, including a colourful judgment from Perram J, provides helpful guidance on the Privacy Act's extraterritorial application. However, the case itself is still undecided. The Commissioner's primary submissions relating to Facebook's alleged breaches of the APPs, the Privacy Act's extraterritorial application, and the calculation of civil penalties, are still to be heard, and may still be contested by Facebook.

Key takeaways

• The Federal Court's decision clarifies the extraterritorial application of the Privacy Act, specifically addressing the application of section 5B(3). This sets out the requirements for an 'Australian link', making foreign corporations who carry on a business and collect or hold personal information in Australia subject to the Privacy Act.
• The Federal Court upheld the primary judge's view that installing cookies on devices in Australia – and using them to collect personal information – could be inferred as Facebook Inc. collecting personal information, which is the subject of the Commissioner's allegations.
• However, the Federal Court rejected the Commissioner's argument (upheld by the primary judge) that Facebook Inc should be inferred to have collected the personal information directly from individuals in Australia at the same time as Facebook Ireland Ltd. The Court found that it should be accepted that Facebook Inc. first received the personal information from Facebook Ireland Ltd at its data centres, in the manner set out in the Data Processing Agreement between the two entities.
• The decision comes during a period of reform for the Privacy Act. Relevantly, the government's current exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 proposes to remove the requirement (in section 5B(3)(c)) for personal information to be 'collected or held' by the organisation or operator in Australia to meet the definition of 'Australian link'. In Privacy Act reforms: a new Online Privacy Code, we discuss these reforms and the proposed introduction of a new Online Privacy Code.
• In light of this ruling, overseas-based online businesses that currently carry on businesses involving the collection and/or holding of personal information in Australia should consider whether these practices are subject to the Privacy Act. Businesses that rely on common technologies such as cookies, caching servers and APIs should also review their compliance when operating online-based businesses in Australia.

Details of the proceedings

• These proceedings are a continuation of the Commissioner's response to Facebook's 'Cambridge Analytica' scandal and fallout from the This Is Your Digital Life (TYDL) app. In 2020, the Federal Court granted leave for the Commissioner to serve its originating process documents on Facebook Inc in the United States, accepting that the Commissioner had a prima facie case against Facebook Inc in Australia.
• Facebook Inc then conditionally applied to the Federal Court to have the Commissioner's service set aside. The Court refused the application, upholding its earlier decision that there was a prima facie case that Facebook Inc was a foreign entity that carried on a business, and collected or held personal information in Australia.
• Facebook Inc sought leave to appeal against this interlocutory decision. The question before the Court was whether Facebook Inc should be granted this leave, on the basis the primary judge erred in finding the Commissioner had a prima facie case against Facebook Inc.
• Facebook Inc's appeal turned on whether an 'Australian link' was present. This meant the court had to consider two questions:
  1. Does Facebook Inc appear to 'carry on business' in Australia?
  2. Does Facebook Inc appear to 'collect' or 'hold' the relevant personal information in Australia (each within the meaning of section 5B(3) of the Privacy Act)?

Carrying on a business in Australia

The Court first considered whether there was a prima facie case that Facebook Inc 'carried on a business' in Australia. It relied on various findings to support this, including:

• Use of cookies – by installing cookies on Australian users' devices, the Court considered that there was a prima facie case that this amounted to carrying on a business in Australia.
• Providing a login API – by providing its Graph API to Australian developers to use in their applications and web services, the Court was satisfied that there was a prima face case that Facebook Inc was offering this function to Australian clients in Australia. Significantly, the Court rejected Facebook Inc's argument that its Graph API simply enabled digital processing, which happened overseas and did not amount to conducting a business. Instead, the Court adopted a broader view, emphasising Facebook Inc's provision of the Graph API was the relevant business activity. Therefore, it could be inferred that it was happening in Australia.

Each of these findings may be contested in any final proceedings. For instance, arguments might be put forward that installing cookies on Australian devices should only constitute ‘carrying on a business’ in relation to certain types of cookies, and the purpose of the cookies (and who benefits from their use) should be relevant to the assessment.

No physical assets? No problem

Significantly, the Court rejected Facebook Inc's submissions that it could not be carrying on business in Australia because it had no physical assets, customers or revenues in Australia.

The Court held that section 5B(3)(c) of the Privacy Act did not require physical assets; instead, merely collecting or holding personal information in Australia would be sufficient to satisfy the requirements of the subsection.

Facebook Inc described its operations in Australia as being a mere 'transmission of signals' from data centres to users' devices, which brought about a 'change in the digital state' of those devices. The Court rejected this proposition as being 'divorced from reality' and noted 'by parity of reasoning, one learns little about art history by observing that Rembrandt's The Night Watch consists of some pigments on canvas in a wooden frame.'

In light of this, overseas-based businesses providing online services in Australia should review their business practices for compliance with the Privacy Act, even if they do not currently operate any physical assets in the country.

What about overseas-based online service providers?

Facebook Inc also submitted that its Australian activities lacked a 'commercial quality' because Facebook Inc was not engaged in any commerce in Australia. They submitted that the relevant commercial activities carried out by Facebook Ireland and Facebook Inc only provided data processing services through separate contractual arrangements, which did not amount to commercial dealings in Australia.

The Court rejected this argument and held that even though Facebook’s business was in fact divided between the two entities, the relevant consideration was whether Facebook Inc's regular commercial, overseas business activities included certain acts within Australia as part of that commercial enterprise.

The Court also rejected Facebook Inc's concern that such a finding would 'open the floodgates', noting 'the menace of floodgates from which Facebook Inc was commendably keen to protect the Australian legal system, is in [the court's] view very much overstated.'

As it was clear that Facebook Inc's overseas-based commercial data processing activities included (at least in part) the use of cookies and the provision of the Graph API to Australian developers, it was open to the Court to infer these were commercial acts, and that they happened in Australia.

Collecting or holding personal information in Australia

In order to establish an Australian link, in addition to the requirement that an organisation 'carry on business' in Australia, section 5B(3)(c) of the Privacy Act requires that the personal information be 'collected or held' in Australia. This additional requirement is the subject of the proposed law reform changes, and is proposed to be repealed.

The Court ultimately found that there was a prima facie case that installing cookies on users’ devices involved the collection of personal information. It is interesting to note that the Court rejected the Commissioner's other arguments concerning Facebook Inc 'collecting or holding' personal information in Australia, including:

• Use of caching servers – The Court did not accept that Facebook collected or held personal information in caching servers in Australia. While it was likely that Facebook used caching servers, the Court was not convinced there was evidence that Facebook Inc was the relevant entity that owned and operated those servers in Australia; and
• Collection via instantaneous transfer – The Court did not accept the primary judge's finding that it was inferable (at least in the digital context) Facebook Inc collected data from Australian users through online 'instantaneous transfers'. While the Court acknowledged 'it might be said that trying to locate who is actually running the Facebook platform from the answers given by Facebook Inc and Facebook Ireland has much in common with Where's Wally', it still considered there was no evidence to support this, and it was contrary to the contractual scheme by which Facebook Ireland collected, and Facebook Inc then processed, Australians' personal information under the terms of the intra-group Data Processing Agreement.

The fact the Commissioner only succeeded on one of these three grounds heightens the prospect that the current Privacy Act review may result in the removal of section 5B(3)(c).