Facebook is a business that extracts information and value about people. The Australian Information Commissioner regulates those activities.
This is an article looking at the Full Federal Court of Australia’s (Court) judgment in Facebook Inc v Australian Information Commissioner  FCAFC 9 (Appeal) and what privacy practitioners can take from it. It is an interlocutory judgment that deals with a procedural matter and not substantive issues of the Commissioner’s regulatory action. However, it provides insight into the law around doing business in Australia and collecting and holding personal information as set out in the Privacy Act, 1988 (Privacy Act).
If you’re not sure what an interlocutory action is all about: interlocutory proceedings usually deal with procedural issues that arise before the main action commences. In this case, to commence the action the defendant must be within the jurisdiction of the claim. Facebook Inc argued that it had no presence, nor business in Australia and therefore could not be served in Australia. If that is right it would keep Facebook Inc out of the Commissioner’s claim.
Bear in mind that in this interlocutory proceeding the Court needs only to be satisfied that “enough evidence has been put before the Court to make it appropriate to require a respondent to answer the claims made in the originating application and statement of claim” 
The case itself discusses the interplay between Facebook Inc and Facebook Ireland (who together provide the services) but this article focuses on the Facebook Inc aspects. In it, we also see what a kangaroo skin dealer in the 1970s means for Facebook’s high-tech mutli-national operation today.
In the Appeal, the Court found that the claim can be served on Facebook Inc outside of New South Wales because Facebook Inc does business in Australia and collects, but not holds, personal information. Let’s explore how.
- Doing Business in Australia
The Court was asked to determine if Facebook Inc carried on business in Australia. The Court looked at Facebook Inc’s activities, the way in which it uses and deploys cookies and its feature called Graph API. Against all this, the Court analysed if Facebook Inc had a physical presence in Australia. But read on to see why, we start with Facebook Inc’s activities.
The opening words of Allsop CJ set the scene and put the Facebook business in context. It’s a business not manifested in physical material matter or structures of goods but described as “the collection, storage, analysis, organisation, distribution, deployment and monetisation of information about people and their lives.“ (Paragraph 3 of the Appeal, quoting Perram J at - in the primary judgment).
First, the Court assessed if Facebook Inc’s activities took place in Australia.
The Court was careful to be clear that simply installing cookies on a user’s device on its own may not be enough to establish if an organisation is carrying on business in Australia because it was:
“[L]ikely to turn on the nature of the business it carries on and the nature of the cookie. For example, a cookie which remembers a user login details so that they do not have to re-enter them each time a site is visited may stand in someone different position to a cookie which tracks a uses interest in chocolate biscuits so that the uses newsfeed is peppered with advertisements for Tim Tams.” 
Facebook Inc’s Graph API allows third party app developers to obtain Facebook users’ information contained in Facebook Inc’s social graph. Most of us see it manifest as a “log in with Facebook” feature on some websites.
Facebook Inc maintained that because the Graph API feature operated in either the United States or Sweden it followed that Facebook Inc was not doing business in Australia. Facebook Inc said it was a feature that merely responded to requests made by Australian users. The Court rejected this argument, instead focusing on the overall nature of the business activity rather than the break down of “digital events” that constitute it. 
Having established that Facebook Inc installs cookies on a user’s device and operated the Graph API service in Australia, the Court turned to the question of whether that constituted carrying on a business in Australia.
Physical Presence in Australia
A physical presence is one of the many usual tests to determine if an organisation is doing business in Australia. Facebook Inc looked at all of the factors.
First, Facebook Inc argued additionally that it did not enter into any contracts, did not employ people, had no customers and had no revenues. Secondly, Facebook Inc argued that the business that may have been carried on (if any) would have been that of Facebook Ireland and not Facebook Inc. Facebook Inc‘s legal team argued that there is no authority in Australian law to suggest otherwise. All those arguments were rejected by the Court.
To answer the question, the Court interpreted “doing business in Australia” in light of the Privacy Act and its objectives. Even though the expression is not defined the objects of the Privacy Act supported an interpretation that was aligned to the free flow of information and that the Privacy Act itself was concerned with the “non-material concept: Information.” 
The Court said
“Whilst the indicia to which Facebook Inc points no doubt have their place, I do think that some care has to be exercised about those statements to ensure that obvious propositions about the qualities of businesses at one time are not misapplied to radically different businesses at another.” 
Even though Facebook Inc was installing cookies onto user devices in Australia and managing the Graph API for Australian developers and users, it did not follow that Facebook Inc conducted business in Australia.
And this is where the Court addressed and answered a long-standing question in Australian law: is it conducting business in Australia where an organisation outside the jurisdiction does something in the jurisdiction, but in doing so does not engage in commercial activity (Luckins (Receiver and manager of Australian Trailways Pty Ltd) v Highway Motel (Carnarvon) Pty Ltd (1975) 133 CLR 164 (‘Luckins’)).
To do that, the Court analysed Smith v Capewell (1979) 142 CLR 509 which involved selling kangaroo skins in New South Wales, from Queensland, without a licence to do so. The answer, and application to Facebook Inc in this case is answered beautifully by Perram J:
“This entails, of course, that Facebook Inc has been conducting that business not only in the data centres United States and Sweden but also in Australia. I see no particular difficulty with that. Mr Capewell’s business was in Queensland but that did not stop it from also being in New South Wales when he sold a single kangaroo skin in that State… [D]id the fact that the businesses in question were now being conducted additionally in a new jurisdiction give rise to any want of logic. I do not think it gives rise to a want of logic now.” 
It took an unlicensed kangaroo skin dealer from the 1970s to seal Facebook Inc’s fate on this point – an act, without some commercial activity, is enough to be operating a business in Australia.
- Did Facebook collect or hold personal information in Australia?
The Court applied the usual formulation for answering the question about ‘collection’ – that there was an act of collection and the personal information was collected for inclusion in a “record or generally available publication“ and that it took place in Australia. The personal information in question was that collected by individual users’ subject of the action. But was it collected for inclusion in a record, what was that ‘record’ and was there an Australian link?
To establish the collection question the Commissioner relied on 3 arguments. That Facebook Inc used caching servers in Australia; used cookies to collect the personal information and that in practice the information was instantaneously transferred from Australia to North American and Swedish data centres.
The Court only accepted one of the three arguments: that Facebook Inc collected personal information by way of cookies. The other arguments were denied. Nonetheless, collection took place in Australia because of the cookies installed on users’ devices. [see 152]
The Court found that Facebook Inc did not hold the information because Facebook Inc was not in possession or control of a user’s device which was the ‘record’. However, this did not matter to the Commissioner’s case overall because the Court found that Facebook Inc collected the personal information in Australia for inclusion in a record which was the material point.
Because Facebook Inc was found to carry on business in Australia and collected personal information in Australia, the Court was satisfied that there is an Australian link.
- What can privacy practitioners learn from this interlocutory decision?
- The Court confirmed that cookies installed (collecting) onto a user’s device (the record) from outside of the jurisdiction is sufficient to establish doing business in Australia. If you’re an organisation that trades in information about people, then these principles could apply to you.
- The Court affirmed the way in which digital businesses should think about and interpret doing business in Australia and Australian links in the context of the Privacy Act. It puts information businesses on notice that they can be doing business in Australia by virtue of the free flow of information even though their structure may have been designed with other objectives in mind.
- Maybe it’s time to get legal advice and consider your control environment as things may now not be as you think.
Finally, stay tuned. Maybe Facebook will appeal this decision to the High Court in one final attempt to stave off being included in this case. Eventually, we may get to the substantive case, and all this could change again.