25 Feb The Privacy Act and its operation to entities outside of Australia
Federal Court of Australia: Facebook Inc v Australian Information Commissioner [2022] FCAFC 9[1]
This is an application to set aside orders granting service out of the jurisdiction of Australia, not a trial.
In an appeal from Australian Information Commissioner v Facebook Inc (No 2) [2020] FCA 1307, Facebook lost its case against the Australian regulator over the Cambridge Analytica ‘This Is Your Digital Life’ scandal after the court dismissed Facebook’s claim that it neither conducts business nor collects personal information in Australia.
The Office of the Australian Information Commissioner (OAIC) sought to sue the parent company Facebook Inc, based in the US, and its Irish subsidiary, Facebook Ireland Limited.
Facebook Inc had attempted to avoid liability over the Cambridge Analytica scandal by arguing that it does not carry on business, or collect or hold personal information, in Australia, with the result that it cannot be sued under the Australian Privacy Act 1988 (Cth) (Privacy Act).
Under s 15 of that Privacy Act, an organisation (which by s 6C includes a body corporate) must not do any act or engage in a practice that breaches an Australian Privacy Principle (APP) in Schedule 1 to the Privacy Act. Specifically, APP 6 prevents an organisation which has collected information for a particular purpose from using it for another purpose (except in limited circumstances). APP 11.1(b) requires an organisation which holds personal information to take reasonable steps to protect that information from unauthorised disclosure.
While it is presumed that a Commonwealth statute does not apply to persons outside of Australia, the Privacy Act is explicit in applying to persons outside of Australia in some circumstances, and s 5B is entitled ‘Extra-territorial operation of Act’. Section 5B(1A) applies the Privacy Act to acts done or practices engaged in ‘outside Australia’ if they are done or engaged in by an organisation that ‘has an Australian link’.
Where a body corporate such as Facebook Inc or Facebook Ireland is concerned, an Australian link will be present if two requirements are satisfied: (1) the body corporate must carry on business in Australia (s 5B(3)(b)); and (2) it must have collected or held personal information in Australia (s 5B(3)(c)). Importantly, it follows from the text and structure of s 5B that the ‘personal information’ so collected or held must be the information which forms the subject matter of the acts or practices said to breach an APP. In other words, an Australian link will only be present where an organisation has collected or held personal information in Australia and it is that information which is alleged to have been misused or mishandled in contravention of the Privacy Act.
According to the court, “The disposition of the present application therefore turns upon two questions: first, whether Facebook Inc prima facie ‘carries on business’ in Australia within the meaning of s 5B(3) of the Privacy Act; and secondly, whether Facebook Inc prima facie collected or held certain personal information (which must be the same as the information which is the subject of the Commissioner’s claim in respect of APPs 6 and 11) in Australia.”
Was Facebook Inc carrying on business in Australia? What activities was Facebook Inc carrying on?
In the opinion of the court, the “evidence presents a prima facie case that Facebook Inc was engaged in the business of providing data processing services to Facebook Ireland. The evidence consists of an agreement between Facebook Ireland and Facebook Inc entitled ‘Data Transfer and Processing Agreement’ (‘the Data Processing Agreement’). The agreement did a number of things but for present purposes it contained two core sets of obligations. First, it identified the data which Facebook Ireland was to transfer to Facebook Inc for processing. Secondly, it identified the nature of the processing which Facebook Inc was to carry out on that data.”
Facebook Inc promised to process the ‘personal data’ provided to it by Facebook Ireland. The data which was to be provided was also set out. It was the personal data “‘generated, shared and uploaded by the registered users of the Facebook platform’ including photographs, videos, events attended or invited to, group memberships, friends, gender, date of birth, relationship status, email address, URL, hometown, family, political views, religious views, sexual life, biography, employment history, location, education, interests, entertainment preferences, material shared by the user (i.e. wall posts, messages, pokes), credit card information and actions taken on Facebook and other services. Further, it included ‘special categories’ of data. These were: racial or ethnic origin, political opinions, philosophical beliefs, trade union membership, health and sex life.”
What was the purpose of the processing to which Facebook Inc was to subject this data?
It was, inter alia, to ‘facilitate communications across the Facebook platform’ and it should be noted that the Facebook platform comprised all users of Facebook, not just those users to whom Facebook Ireland provided the service. The data was also to be processed for the purposes of ‘personalising content’, ‘targeting advertisements and to assess their effectiveness’ and ‘identifying connections between Facebook users’. None of this was limited to the users of the service provided by Facebook Ireland.
The court rejected Facebook Inc’s liminal objection that the only business being conducted in relation to Australian users was business conducted by Facebook Ireland, and held “at the prima facie level, the Data Processing Agreement provides abundant evidence to the contrary.”
Was this business being carried on in Australia?
The business being conducted by Facebook Inc appears to have included as two of its elements the installation of cookies upon the devices of users, and the provision to Australian application developers of an interface known as the ‘Graph API’ which includes as part of its functionality a facility which allows third party applications to utilise the Facebook login.
Cookies
One of the obligations that Facebook Inc had under the Data Processing Agreement was the installation of cookies. This obligation was as follows:
“Installing, operating and removing, as appropriate, cookies on terminal equipment for purposes including the provision [of] an information society service explicitly requested by Facebook users, security, facilitating user log in, enhancing the efficiency of Facebook services and localisation of content.”
The court found that what Facebook Inc had agreed to do was to install cookies on the devices of users, and further, that cookies are central to the Facebook platform.
The court also found that there was a readily available inference that Facebook Inc installs cookies on devices in Australia on behalf of Facebook Ireland as part of its business of providing data processing services to it: “ … it is clear that Facebook Ireland’s use of cookies (installed and removed by Facebook Inc) forms an important part of the operation of the Facebook platform. It is not an outlier activity. It is one of the things ‘which makes Facebook work’.” The court concluded that, in the conduct of its business of providing data processing services to Facebook Ireland, Facebook Inc “installs cookies on devices in Australia and this is an activity which occurs in Australia.”
The Graph API
Facebook Inc had provided an answer to a question asked by the Australian Privacy Commissioner about the Graph API, stating:
“ … the process of allowing third party App developers to access the API was managed by Facebook Inc for all Apps on the Facebook platform, including on behalf of Facebook Ireland as the provider of the Facebook service to Australian users.”
Do these activities constitute the carrying on of business within the meaning of s 5B(3) of the Privacy Act?
The expression ‘carries on business in Australia’ is not a defined term in the Privacy Act. According to the court however, its meaning is informed by the statute in which it appears. Two matters are relevant. “First, the objects of the Act include by s 2A(f) the facilitation of ‘the free flow of information across national borders while ensuring that the privacy of individuals is respected’. The statute therefore has in its contemplation the regulation of the flow of information insofar as it concerns privacy. Secondly, the terms of s 5B(3)(c) suggest that the focus of the Act is on the enforcement of the APPs in relation to the collection or holding of personal information. It is true that s 5B(3)(b) imposes the additional requirement that the organisation carry on business in Australia but that does not change the fact that this statute has as its focus a non-material concept: information.”
The commercial quality of Facebook Inc’s activities
The court held that it was “open to infer that Facebook Inc has two local attributes in Australia. It is installing and removing cookies on the devices of Facebook users and it is managing the Graph API; in particular, it is managing the provision by Australian developers to Australian users (and other users too) of the Facebook login.”
Facebook Inc’s submission that its activities in Australia ‘lack a commercial quality because Facebook Inc is not engaged in any commerce in Australia’ was rejected.
The court held that while the business of providing data processing services is located in the data centres in the United States and Sweden, Facebook Inc nevertheless performed some of those data processing services in Australia, and that it did so on a very large scale but without the generation of any revenue as part of its business of providing data processing services to Facebook Ireland.
In conclusion, the court found that Facebook Inc carried on business within Australia within the meaning of s 5B(3) of the Privacy Act.
That conclusion, however, is not the end of the question of whether an ‘Australian link’ is present; there must also be collecting or holding of personal information by Facebook Inc.
Did Facebook Inc collect or hold personal information in Australia? What personal information is Facebook Inc said to have collected or held?
The requirements of s 5B(3) of the Privacy Act are cumulative. Facebook Inc must not only carry on business in Australia, it must collect or hold personal information in Australia and this personal information must be the information which forms the subject matter of the acts or practices which the Commissioner complains of. What then is the ‘personal information’ which Facebook Inc is said to have collected or held, which can be used to ascertain whether an Australian link is present?
The consequence of this is that the personal information which is to be considered for the purposes of assessing whether Facebook collected or held personal information in Australia (and thus whether an Australian link is present) includes all of the personal information collected or held by Facebook Inc and Facebook Ireland for those individual users, some of which was provided to This Is Your Digital Life.
The Commissioner’s case on these matters was twofold. First, she submitted that Facebook Inc directly collected the personal information in Australia for inclusion in a record; secondly, she submitted that it did so constructively through Facebook Ireland.
Did Facebook Inc directly collect the personal information in Australia for inclusion in a record?
The court noted that it may readily be inferred that Facebook Inc (on behalf of Facebook Ireland) targeted advertisements at the users whose personal information was provided to This Is Your Digital Life, and that it may be inferred that Facebook Inc used cookies in that endeavour and collected personal information from those users. In the court’s opinion “It is that personal information which is the subject of the Commissioner’s case under APP 11. There is no question, therefore, that the information collected included the personal information the subject of the Commissioner’s allegations.”
Furthermore, the court held that it could be inferred that Facebook Inc collected the personal information in Australia by means of cookies which it installed on the devices of Australian users and that in doing so, it collected the personal information in Australia. The court accepted Facebook Inc’s submission that it also received the personal information of Australian users from Facebook Ireland at its data centres.
Did Facebook Inc ‘hold’ this personal information in Australia?
The definition of ‘collects’ means that it is possible for an entity to collect information without holding it. By contrast the definition of ‘holds’ in s 6 is in these terms:
“Holds: an entity holds personal information if the entity has possession or control of a record that contains the personal information.”
In conclusion, the court held that “it may be inferred that Facebook Inc did collect the personal information in Australia for inclusion in a record” thereby fulfilling all of the requirements of the Privacy Act and enabling the action to proceed.
The OAIC said in a statement that it welcomed the court’s decision and now looked forward to the hearing of the case itself.
Note
[1] https://www.judgments.fedcourt.gov.au/judgments/Judgments/fca/full/2022/2022fcafc0009