INSIGHT

Ever-expanding jurisdiction: Clearview AI's appeal and extra-territorial application of the Privacy Act

By Gavin Smith, Valeska Bloch, Isabelle Guyot, Florence Tan, Elizabeth Brown

AAT confirms expanded reach for 'carrying on business' in Australia

A landmark ruling in Australia confirms that Clearview AI breached the Privacy Act despite lacking a physical presence or supplying products or services in the country, emphasising the extraterritorial reach of privacy laws and the consequences for companies collecting personal information that is in the public domain.

On 8 May, the Administrative Appeals Tribunal (AAT) handed down its decision in Clearview AI Inc's (Clearview AI) appeal1 of the Office of the Australian Information Commissioner's (the OAIC) 2021 determination.2 The AAT's process had been keenly awaited given it was tasked with considering the vexed and important issue of extra-territorial application of the Privacy Act 1988 (Cth) (the Privacy Act).

The AAT held that the repeated collection of personal information from Australian servers was, alone, sufficient to establish that a foreign corporation was carrying on a business in Australia for the purposes of the current extra-territorial application test in the Privacy Act. The AAT found that this was the case, even where the foreign corporation had no physical presence in Australia and derived no revenue from any commercial operations in Australia.

Following the commencement of the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (the 2022 Amendments), the 'carrying on a business in Australia test' is the only requirement that must be established for a foreign corporation to have an Australian link and for its global data handling practices to be bound by the Privacy Act.

Key takeaways

  • The test applied by the AAT to determine whether a corporation is carrying on a business in Australia for the purposes of the Privacy Act is whether that corporation engaged in repetitive acts in Australia that amount to, or are ancillary to, transactions that make up and support its business. Such acts do not need to be commercial in and of themselves and no human agency is required.
  • As such, repeated collection of information from Australian servers may, alone, be sufficient to establish that a foreign corporation is carrying on a business in Australia—even if that organisation has no physical presence in Australia and derives no revenue from commercial operations in Australia.
  • The decision confirmed that the effect of the 2022 Amendments was to substantially increase the scope of the extra-territorial application of the Privacy Act. Once an Australian link had been established, acts and practices in relation to all of the personal information a foreign corporation handles anywhere in the world are regulated by the Privacy Act. This includes personal information which relates entirely to commercial activities in other jurisdictions with no connection to Australia.
  • Overseas-based organisations caught by the Privacy Act will need to wait for the outcome of the Attorney-General's ongoing review into the Privacy Act for this position to change.
  • Overseas-based organisations, including:
    • organisations that interact with Australian-based organisations or individuals;
    • organisations that do not restrict their services from being offered to Australians; and
    • related companies of Australian organisations that provide services or have some technological interaction with their Australian group entities,

should re-consider whether their activities may place them within the jurisdiction of the Privacy Act and, consequently, consider what steps may be required to comply with the Privacy Act, or alternatively, measures that could be put in place (eg geolocation restrictions) to prevent access to Australian servers.


Background

In 2021, the OAIC determined that Clearview AI had breached the Privacy Act in relation to its collection of images from Australian servers for use in its facial recognition technology.3 In determining Clearview AI breached the Privacy Act, the OAIC considered that Clearview AI was, at all times as a result of its activities and practices, carrying on a business in Australia and was therefore required to comply with the Privacy Act (and the activities it had been undertaking had not been in compliance with the Privacy Act).4 Further details about the original 2021 OAIC determination can be found in our 2021 Insight.

Clearview AI submitted this determination for review by the AAT, which handed down its decision on 8 May 2023.

Whilst the AAT found in favour of the OAIC, the AAT made some interesting broader observations about the scope of the extra-territorial application of the Privacy Act, which we summarise below.

AAT decision

The relevant question for the AAT to consider was, given Clearview AI has no business facilities in Australia, whether its activities sufficiently satisfy the Australian link test under section 5B of the Privacy Act.5

This question was further complicated by the fact that, following the original OAIC determination, s5B was amended by the 2022 Amendments.6 The AAT considered the application of s5B to Clearview AI's business activities both pre and post the 2022 Amendments.

The 'Australian link' test

Previously, for a foreign corporation to be considered to have an 'Australian link' it must have:

  1. carried on a business in Australia; and
  2. collected or held personal information in Australia.7

The 2022 Amendments removed the second limb of that test.8

'Carrying on a business in Australia'

Where a foreign corporation has no business facilities in Australia, the test applied by the AAT to determine whether that corporation is carrying on a business in Australia is whether that corporation engages in repetitive acts in Australia that amount to, or are ancillary to, transactions that make up and support its business.9 Such acts do not need to be commercial in and of themselves and no human agency is required.10

The AAT agreed with the OAIC that acquiring images from servers located in Australia meant that Clearview AI was (and continues to be) 'carrying on a business in Australia' for the following reasons:

  • The harvesting of images by Clearview AI's webcrawler for inclusion in its image library is an essential part of Clearview AI's business.11
  • As such, each instance of harvesting an image globally, including from servers in Australia, constitutes a transaction that makes up or supports Clearview AI's business.12
  • Whilst data collection 'in and of itself is not sufficient to amount to carrying on a business in Australia'13, it was irrelevant whether the harvesting of images from Australian servers specifically was 'essential' to Clearview AI's business.14
  • Rather, so long as Clearview AI continues to acquire information from servers in Australia, it engages in repetitive acts in Australia that amount to, or are ancillary to, transactions that make up and support its business and therefore satisfies the 'carrying on a business in Australia' test.15

However, the AAT did not consider the following transactions put forward by the OAIC amounted to 'carrying on a business in Australia':

  • Acquiring images posted by Australians to a global social network which are held on servers outside Australia from that global social network.16
    • This is because, at the point in time an offshore server acquires the image from another offshore server, it is impossible to know if there is any geographical connection with Australia given the underlying individual is no longer involved in the transaction taking place between the two offshore servers. This means the 'carrying on a business in Australia' test has a temporal component tied to the specific transaction in question. What transactions previously took place (ie an Australian uploading an image to an offshore server) in order for that offshore server to acquire the image is irrelevant.
  • Collection of information from websites with Australian domain names, but which are hosted on servers located outside Australia.17
    • Similarly, this type of transaction involves a transfer of information from one offshore server to another and is therefore not a transaction with a physical connection to Australia.

This analysis would change if the transfer of information involved a human located in Australia transferring data to a foreign business.18

These two clarifications emphasise the significance of physical location to the 'carrying on a business in Australia' test. Importantly, for the purposes of that test those transactions must either take place physically in Australia or involve a participant that is physically located in Australia.19

'Collection of personal information in Australia'

Prior to the 2022 Amendments, it was also necessary to establish that Clearview AI either collected or held personal information in Australia in order for it to have an 'Australian link'. The AAT decision makes it clear that the sending of information by Australian servers to an offshore server is a collection of personal information in Australia. Clearview AI's webcrawler engaged in such activities.

Will the extraterritorial test be revisited?

The AAT indicated that the effect of the 2022 Amendments was to substantially increase the scope of the extra-territorial application of the Privacy Act so that, once an Australian link had been established, acts and practices in relation to all of the personal information a foreign corporation handles is regulated by the Privacy Act.20

This is generally acknowledged as an unintended effect of the 2022 Amendments. The intention of the change was to ensure that organisations that carry on business in Australia, but do not themselves directly collect or hold personal information in Australia, are nonetheless caught by the Privacy Act. An example of this might be where a particular offshore entity which has business operations in Australia only handles personal information by virtue of it receiving that personal information from another group entity also located outside of Australia.

However, the test is now much broader than that—capturing all acts and practices of an organisation regulated by the Privacy Act. In other words, a global organisation is required to comply with the Privacy Act in respect of its entire global operations, including in relation to individuals located in other jurisdictions. This creates a far broader scope of extra-territorial application than under legislation in other jurisdictions, including the GDPR, CCPA and PIPL in China.

Possible amendment may provide necessary clarity

There is, however, hope on the horizon. Earlier this year the Attorney-General's Department released its Privacy Act Review Report which included over 100 recommendations for amendments to the current Privacy Act. One of these recommendations was to amend (again) the extra-territorial application of the Privacy Act.21

One proposal put forward by the Government is to include additional language requiring that acts or practices of organisations carrying on a business must 'relate to personal information connected to Australia'.22 This would bring the Privacy Act more into line with equivalent extraterritorial tests set out in other legislation, including in Article 3 of the GDPR.

This is, in our view, a critically important amendment to the current drafting and will provide much-needed certainty for organisations with global business operations.

Footnotes

  1. Clearview AI Inc and Australian Information Commissioner [2023] AATA 1069 (Clearview AI v AIC)

  2. Commissioner initiated investigation into Clearview AI, Inc (Privacy) [2021] AICmr 54 (14 October 2021) (2021 Determination)

  3. 2021 Determination, [167].

  4. 2021 Determination, [64].

  5. Clearview AI v AIC, [13].

  6. Clearview AI v AIC, [10].

  7. Privacy Act, s5B(3) (prior to 13 December 2022 amendment).

  8. Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, Schedule 1 item 10.

  9. Clearview AI v AIC, [97].

  10. Clearview AI v AIC, [97].

  11. Clearview AI v AIC, [99].

  12. Clearview AI v AIC, [99].

  13. Clearview AI v AIC, [97].

  14. Clearview AI v AIC, [104].

  15. Clearview AI v AIC, [101] and [103].

  16. Clearview AI v AIC, [93] and [94].

  17. Clearview AI v AIC, [95].

  18. Clearview AI v AIC, [102].

  19. Clearview AI v AIC, [91].

  20. Clearview AI v AIC, [151] – [153].

  21. Privacy Act Review Report, page 234 – 236.

  22. Privacy Act Review Report, page 236.