You can run, but you can’t hide: the service of international parties and the Privacy Act 1998 (Cth)

Previously, Lavan discussed the Facebook–Cambridge Analytica scandal.  In the next step of this scandal’s saga, the Federal Court delivered the case of Facebook Inc v Australian Information Commissioner [2022] FCAFC 9.  This case is about Facebook Inc failing in their appeal of an interlocutory decision that allows the Australian Information Commissioner to serve documents on Facebook Inc, an international party with a limited “Australian Link” pursuant to the Privacy Act. 

Background 

There are two Facebook companies involved in this matter:

1. Facebook Inc, which provides the Facebook platform to users located in North America.^[1]  Facebook Inc also processes Facebook Ireland Limited’s user data.
2. Facebook Ireland Limited (‘Facebook Ireland’), a subsidiary of Facebook Inc, which provides the Facebook platform to users located everywhere else in the world (including Australia).^[2]

The Commissioner applied to serve documents on both of these Facebook entities.  Facebook Ireland accepted service; however, Facebook Inc appealed service on the ground that it did not have a sufficient “Australian link” pursuant to s 5B(3)(b) of the Privacy Act.  Facebook Inc raised this argument because they submitted that they did not “carry on a business” within Australia.  It made this submission for two reasons:

1. Facebook Inc had no physical presence, entered into no contracts, employed no personnel, had no customers and derived no revenues in Australia.^[3]
2. While there was a business being conducted in Australia, that business was that of Facebook Ireland.^[4]

The decision

In the end, the Court found that Facebook Inc was, in fact, carrying on a business within Australia.  In coming to this conclusion, the Court looked at the Data Processing Agreement (‘Agreement’) between Facebook Ireland and Facebook Inc. 

This Agreement stipulates that Facebook Inc would install cookies on the devices of users located within Australia.^[5] Therefore, Facebook Inc was in the business of providing data processing services to Facebook Ireland by installing cookies on devices in Australia.  Additionally, through the use of cookies, Facebook Inc would store personal information on the devices of Australian users. Therefore, the Court found that Facebook Inc was in possession, control, or “held” personal information within Australia.^[6]

Moreover, Facebook Inc, on behalf of Facebook Ireland, provides a service to Australian developers by making the Facebook login available to these developers as part of Facebook’s Graph API.^[7]

The Court found that it does not matter that Facebook Inc does not have a physical presence within Australia due to the fact that the Privacy Act has as its focus a non-material concept (i.e. information).^[8]

Interestingly, while on appeal, the Commissioner argued the fact that although the business of Facebook is divided between Facebook Ireland and Facebook Inc, this is not the experience of its users who perceive a single worldwide network.^[9]  However, the Court did not consider this argument as a basis to consider that both entities were conducting business within Australia as the argument was not advanced to the primary judge in the first instance.

Lavan Comment

This case is a reminder that the Privacy Act has a further reach on international organisations than many may anticipate.

While one entity may try to remove themselves from the Australian jurisdiction, that does not necessarily remove them from the sight of the Australian Information Commissioner.  Neither does being located outside of Australia remove any obligations for one to not misuse private data.

Ensuring your organisation and/or individual privacy practises are compliant under the Privacy Act 1988 (Cth) may not be on the forefront of your business or personal agenda.  However, it is not an obligation that one should easily ignore.        

If you have any questions in relation to this article, please contact Iain Freeman.