Can’t be Evil NFT Licences from a VC

VC firm Andreessen Horowitz released a series of NFT open source licenses that sit on chain and are incorporated into the NFT. They are based on the Creative Commons model and, borrowing from Google, are called the “Can’t be Evil” licenses. They use copyright legal concepts – and I wonder if there is scope to develop new IP concepts bespoke for web3?

Friday Digital, Media & Technology – Google, Mr Beast & Digital Regulation

Here are a few things that you may have missed in digital, media & technology this week.

These were prepared listening to Oasis – (What’s the Story) Morning Glory? on vinyl, the better way to hear the guitars.

Some news from me: one of my long term clients has asked me (repeatedly) to join their business and following some discussions before Easter, I have accepted a role as Senior Legal Counsel & Privacy Officer. It’s a global role with a listed financial services company and I’ll share more on that soon.

That means the Westbright Law ride will end. Aside from wrapping up some existing client work, I’m not taking on any new client work from today.

It leaves me to say this: thank you for your support, the work you gave me, the notes of encouragement, opening doors for me and generally being amazing. Thank you.

This newsletter is best enjoyed with a coffee… or whatever your choice. For me, today, a quiet glass of champagne and a nod to the next season.


PS: If you found this newsletter helpful, find me on LinkedIn. I’ll continue to share articles on that platform when I see something that you may have missed in digital, media and technology.
The urgent necessity of enacting a national privacy law, says Google!
The following is adapted from remarks delivered by Kent Walker, President of Global Affairs, at Beyond the Basics: The Many Pillars of U.S. Privacy Law. TL;DR Google thinks privacy laws can help
Is MrBeast for Real? Inside the Outrageous World of YouTube’s Cash-Happy Stunt King
If you’ve not heard of Mr Beast, then this is an amazing insight to YouTube’s biggest talent. Ask any 11 year
Digital Services Act: Council and European Parliament provisional agreement for making the internet a safer space for European citizens – Consilium
Council and European Parliament reach a provisional agreement on the Digital Services

Friday Digital, Media & Technology – AI Law, Music 3 & Ed Sheeran

Here are a few things that you may have missed in digital, media & technology this week.

The UK Parliamentary Report about Technology and Justice in this week’s edition raises a bigger question: is it time to consider a new branch of law that deals with AI holistically? I think so, because even though existing laws can cover AI, it’s so transformative that it may be time for a new branch of law. This could be as transformative as the emergence of equity.

These were prepared listening to Spring baby spring by Thomas Stenström and In These Silent Days by Brandi Carlile.

This newsletter is best enjoyed with a coffee… or whatever your choice.
UK Parliament Report about Technology and the Justice System
The UK Parliament’s report about the advent of new technologies in the justice system explores the use of AI in activities as applied to administering – and dispensing –
musicOS – The Liminal Space
Dan Fowler and colleagues have launched musicOS, a way to enter, interact with and make sense of Music 3 – blockchain powered music
How has publishers’ share of the music pie grown since 2001?
There’s a new contribution to the debate from former Spotify director of economics Will Page, who has been crunching historical
Sheeran & Ors v Chokri & Ors [2022] EWHC 827 (Ch)
Ed Sheeran wins English court case against copyright infringement. He wasn’t sued, he sued, to knock music infringement claims on the head. This isn’t the end of music copyright infringement claims, but changes the game on how they’re
Infographic: From Privacy Shield to the Trans-Atlantic Data Privacy Framework
The EU and U.S. announced an agreement in principle on a new Trans-Atlantic Data Privacy Framework. Here’s an infographic showing how it all needs to play

Three board members walk into a bar

Why privacy and cyber security concerns are no joke in 2022

3 board members walk into a bar – the bartender asks – what is your top governance priority for 2022? They each furrow their boardly-brows in contemplation.

One leans forward conspiratorially and – in almost a whisper – says “privacy”. The second board member sidles up to the bar more confidently, with a loud clear voice says “growth”. The third, chewing nervously at a breadstick and appearing to be sweating says “risk. We need to mitigate risk!”

The bartender responds with “it sounds like you three have a lot in common” – he is then called away to serve his other customers. But the board members are left wondering – what do those three answers have in common?

The answer is data.

Spoiler alert – there isn’t a punchline hidden in here somewhere – this is not a joke and neither is the digital health, security and privacy compliance of your organisation. 2022 commenced with privacy, growth and risk all top of mind for boards and management. We’re now a quarter of the way through the year and it’s a good time to reflect to see if concerns are being addressed.

Organisations all want data-driven digitisation (even if they don’t realise it or call it that) and must ensure that privacy is part of the very foundations of their systems and processes. Managing growth and risks means having a robust approach with a “when” not an “if” approach to privacy related incidents or regulatory actions.

Perhaps you identify with one of our three friends from the bar, and want to understand what you could be doing to build for data related growth. Here are some ideas:

  1. Implement privacy by design – privacy shouldn’t be an after-thought. Ensure that good privacy practices are built into your organisation’s decision-making, as well as the design and structure of your information systems, business processes, products and services. A good first step is to introduce privacy impact assessments into your organisation and use them.
  2. Maintain good infotech hygiene – As we have learned from cases like Marriott and British Airways, simple ‘good practice’ measures like effective security and threat-detection software and multifactor authentication can be critical in preventing catastrophic security breaches.
  3. Be aware of current regulatory actions – the Office of the Australian Information Commissioner is the regulator for privacy law in Australia and is actively enforcing privacy law compliance. Understanding the Regulator’s focus and concerns can help shape and prioritise your efforts.
  4. Review your supply chain contracts to ensure that you have data and privacy protections in them – and if you do – consider refreshing the language to meet the challenges of data and privacy now.
  5. Continuously improve and update your controls and processes – There is no one thing that can be implemented or purchased that will ensure the cybersecurity or privacy compliance of your organisation. Internal compliance needs to be regularly updated and systems need to be re-evaluated periodically for their effectiveness as well as for how well members understand and are able to contribute to them. Your systems are only as good as the way in which they are used day-to-day.

Friday Digital, Media & Technology – Privacy Shield, TikTok & Netflix

Here are a few things that you may have missed in digital, media & technology this week.

I assure you that none of this is an April Fool’s Day Joke.

These were prepared listening to the unending budget commentary in Australia this week.

This newsletter is best enjoyed with a coffee… or whatever your choice.

EU, US agree in principle on data transfer deal to replace defunct Privacy Shield
The European Union has just announced reaching an agreement in principle with the US on a revived trans-Atlantic data flows deal. Good, but it’s not a replacement privacy shield between the US and EU yet (that’s months away), and it is unclear if it will remove enhanced due diligence on data transfers from Europe. Hopefully some draft language released
Facebook paid Republican strategy firm to malign TikTok
Targeted Victory pushed local operatives across the country to boost messages calling TikTok a threat to American children. “Dream would be to get stories with headlines like ‘From dances to danger,’” one campaign director said. I know not if to sigh or shrug these
Looking Back on the Origin of Skip Intro Five Years Later
I love the Netflix Skip Intro button, it’s worth the price of the subscription alone. Here’s a light retrospective on the Skip Intro button and how it came to be – like most things, out of personal

Friday Digital, Media & Technology – TrueCaller, Tik Tok & a Court Case

Here are a few things that you may have missed in digital, media & technology this week. These were prepared listening to Neal Francis – In Plain Sight.

This newsletter is best enjoyed with a coffee… or whatever your choice.

Let me know if you want to talk about any of it, but please share with a few people and ask them to subscribe.
Just when you think that Privacy is working… meet TrueCaller
A weeks-long investigation by The Caravan shows the Swedish company has used India’s lack of a comprehensive legal framework surrounding data protection to advance its business.
430 songs surpassed 1bn video views on TikTok in 2021 – Tik Tok is the music business
Tik Tok is the music industry right now, with reach and discovery that all others can now only admire from behind. Here is the state of the music business in 2021 from the gospel of Tik Tok.
Facebook Inc v Australian Information Commissioner – How a single kangaroo skin sealed Facebook’s fate
Facebook is a business that extracts information and value about people. A piece that breaks down a recent Australian Federal Court decision that determined Facebook, Inc is doing business in Australia. By me.

Friday Digital, Media & Technology – Defamation, App Tracking & Raspberry PI

Here are a few things that you may have missed in digital, media & technology this week.

These were prepared listening to the tick, tick… BOOM! soundtrack. This newsletter is best enjoyed with a coffee… or whatever your choice.

Let me know if you want to talk about any of it, but please share with a few people and ask them to subscribe.
High Court of Australia – Google LLC v Defteros
Here are details to the transcript and submissions in Google’s application to appeal to the High Court of Australia (not the final outcome). An issue is whether Google is considered a “publisher” of defamatory statements by virtue of publishing links with snippets to alleged defamatory material in search results. This case, when heard, will examine the scope and application of the recent High Court defamation decision in Voller. One to watch and the submissions are brilliant reading to dissect the “publisher” issue and a precursor to the main arguments to come.
In-app gaming purchase revenue declined 35% globally in 2021
Apple’s do not track settings in iOS are finally starting to bite – decreasing tracking, decreasing in App purchases (derived from in App tracking) and ultimately, decreasing commission to Apple itself. Yet the article suggests that this is the future to prepare for – not that Apple will return to chasing revenue at the expense of tracking us.
Happy Birthday to the Raspberry Pi
Almost exactly ten years ago today, thousands of people woke on a leap-day morning to discover that Raspberry Pi computers were on sale. Do you own one? What do you use it for?

Friday Digital, Media & Technology – Tech, Twitter & Ukraine

Here is one thing that you may have missed in digital, media & technology this week.

Thank you to Whitney Merrill for pulling this together.

Whitney Merrill on Twitter: “A full account of the way the internet has responded to the last week… Remarkable and history making.”

It’s a Twitter thread of how the world used technology to report, record, assist, debunk, obfuscate and interrupt Putin’s invasion into the Ukraine.

Friday Digital, Media & Technology – Privacy Reform Meets AdTech & Web3

Here are a few things that you may have missed in digital, media & technology this week.

The Privacy reform responses to the Discussion Paper have closed and all the responses are available to read.

This week there are a few articles that review industry positions on the broad proposals in the Discussion Paper. There are varied opinions but mostly divided along reform vs it’s already fit for purpose lines.

Neither AdTech platforms nor privacy regulation are going anywhere, so let’s see how this turns out. It’s a global issue and perhaps privacy regulation and reform could disrupt (or curtail at least) business models built on data extraction and exploitation.

In doing so, we may need to lift the debate out of the Discussion Paper issues, and away from enhancing consent and the scope of definitions. To borrow from Dr Genevieve Bell’s Garran Oration in 2021, we may need to look at what we all want as a society, not simply as a consumer/business trade-off, in all of this:

“We should not adhere to the notion that technology is neutral and should instead encourage debate about the values in technology and the systems that would encompass them…. We will need to actively create spaces for such conversations and equip ourselves to have them.”

These were prepared listening to Classic FM (UK) as it’s late. This newsletter is best enjoyed with a coffee… or whatever your choice.

Let me know if you want to talk about any of it, but please share with a few people and ask them to subscribe.

Media publishers more aggressively fighting privacy law overhaul than big tech, call for media exemptions
In quite a twist to the Attorney-General’s overhaul of privacy laws, for which the deadline for submissions has closed, documents filed by Australia’s biggest media groups, or their peak industry bodies, reveal major resistance on key proposals designed to give consumers more control and transparency over their data. It seems the government’s proposals threaten the business
Australia’s biggest advertisers at odds with Google, Facebook on future of data, consent
A twist in the responses! Australia’s peak advertiser body, which represents the biggest brands and billions of dollars of media investment, has sided with the ACCC over key privacy and consent changes being thrashed out by Australian lawmakers – and against the calls made by big tech platforms and even some of Australia’s big local publishers. The Australian Association of National Advertisers (AANA) says a standardised pop up would help smaller businesses that don’t have the money to spend on teams of compliance
Go-to-Market in Web3: New Mindsets, Tactics, Metrics | Future
I have been working with some music projects built on Web 3 models. It’s a lot to take in and these frameworks for thinking about Web3 go-to-market strategy, community building, organisational structure, and token economics are helpful to get deeper into it. Because Web3 today is like the internet in 1996, waiting to see what can

Facebook Inc v Australian Information Commissioner [2022] FCAFC 9 – How a single kangaroo skin sealed Facebook’s fate

Facebook is a business that extracts information and value about people. The Australian Information Commissioner regulates those activities.

This is an article looking at the Full Federal Court of Australia’s (Court) judgment in Facebook Inc v Australian Information Commissioner [2022] FCAFC 9 (Appeal) and what privacy practitioners can take from it. It is an interlocutory judgment that deals with a procedural matter and not substantive issues of the Commissioner’s regulatory action. However, it provides insight into the law around doing business in Australia and collecting and holding personal information as set out in the Privacy Act, 1988 (Privacy Act).

If you’re not sure what an interlocutory action is all about: interlocutory proceedings usually deal with procedural issues that arise before the main action commences. In this case, to commence the action the defendant must be within the jurisdiction of the claim. Facebook Inc argued that it had no presence, nor business in Australia and therefore could not be served in Australia. If that is right it would keep Facebook Inc out of the Commissioner’s claim.

Bear in mind that in this interlocutory proceeding the Court needs only to be satisfied that “enough evidence has been put before the Court to make it appropriate to require a respondent to answer the claims made in the originating application and statement of claim” [38]

The case itself discusses the interplay between Facebook Inc and Facebook Ireland (who together provide the services) but this article focuses on the Facebook Inc aspects. In it, we also see what a kangaroo skin dealer in the 1970s means for Facebook’s high-tech multi-national operation today.

In the Appeal, the Court found that the claim can be served on Facebook Inc outside of New South Wales because Facebook Inc does business in Australia and collects, but does not hold, personal information. Let’s explore how.

  • Doing Business in Australia

The Court was asked to determine if Facebook Inc carried on business in Australia. The Court looked at Facebook Inc’s activities, the way in which it uses and deploys cookies and its feature called Graph API. Against all this, the Court analysed if Facebook Inc had a physical presence in Australia. Read on to see why; we start with Facebook Inc’s activities.


The opening words of Allsop CJ set the scene and put the Facebook business in context. It’s a business not manifested in physical material matter or structures of goods but described as “the collection, storage, analysis, organisation, distribution, deployment and monetisation of information about people and their lives.” (Paragraph 3 of the Appeal, quoting Perram J at [29]-[33] in the primary judgment).

First, the Court assessed if Facebook Inc’s activities took place in Australia.


Facebook Inc’s use of cookies, installing them on user devices, was enough for the Court to find that Facebook Inc was carrying on business in Australia. Because cookies are central to operating Facebook, and Facebook’s own Data Use Policy explained in detail how Facebook used cookies, the Court said:

“[T]here is a readily available inference that Facebook Inc installs cookies on devices in Australia on behalf of Facebook Ireland as part of its business of providing data processing services to it.  Further, it is clear that Facebook Ireland’s use of cookies (installed and removed by Facebook Inc) forms an important part of the operation of the Facebook platform.  It is not an outlier activity.  It is one of the things ‘which makes Facebook work’.” [43]

The Court was careful to be clear that simply installing cookies on a user’s device on its own may not be enough to establish if an organisation is carrying on business in Australia because it was:

“[L]ikely to turn on the nature of the business it carries on and the nature of the cookie. For example, a cookie which remembers a user’s login details so that they do not have to re-enter them each time a site is visited may stand in a somewhat different position to a cookie which tracks a user’s interest in chocolate biscuits so that the user’s newsfeed is peppered with advertisements for Tim Tams.” [45]

Graph API

Facebook Inc’s Graph API allows third party app developers to obtain Facebook users’ information contained in Facebook Inc’s social graph. Most of us see it manifest as a “log in with Facebook” feature on some websites.

Facebook Inc maintained that because the Graph API feature operated in either the United States or Sweden it followed that Facebook Inc was not doing business in Australia. Facebook Inc said it was a feature that merely responded to requests made by Australian users. The Court rejected this argument, instead focusing on the overall nature of the business activity rather than the break down of “digital events” that constitute it. [59]

Having established that Facebook Inc installs cookies on a user’s device and operated the Graph API service in Australia, the Court turned to the question of whether that constituted carrying on a business in Australia.

Physical Presence in Australia

A physical presence is one of the many usual tests to determine if an organisation is doing business in Australia. Facebook Inc looked at all of the factors.

First, Facebook Inc argued additionally that it did not enter into any contracts, did not employ people, had no customers and had no revenues. Secondly, Facebook Inc argued that the business that may have been carried on (if any) would have been that of Facebook Ireland and not Facebook Inc. Facebook Inc’s legal team argued that there is no authority in Australian law to suggest otherwise. All those arguments were rejected by the Court.

To answer the question, the Court interpreted “doing business in Australia” in light of the Privacy Act and its objectives. Even though the expression is not defined, the objects of the Privacy Act supported an interpretation that was aligned to the free flow of information and that the Privacy Act itself was concerned with the “non-material concept: Information.” [70]

The Court said:

“Whilst the indicia to which Facebook Inc points no doubt have their place, I do think that some care has to be exercised about those statements to ensure that obvious propositions about the qualities of businesses at one time are not misapplied to radically different businesses at another.” [74]

Commercial quality

Even though Facebook Inc was installing cookies onto user devices in Australia and managing the Graph API for Australian developers and users, it did not follow that Facebook Inc conducted business in Australia.

And this is where the Court addressed and answered a long-standing question in Australian law: is it conducting business in Australia where an organisation outside the jurisdiction does something in the jurisdiction, but in doing so does not engage in commercial activity? (Luckins (Receiver and manager of Australian Trailways Pty Ltd) v Highway Motel (Carnarvon) Pty Ltd (1975) 133 CLR 164 (‘Luckins’)).

To do that, the Court analysed Smith v Capewell (1979) 142 CLR 509, which involved selling kangaroo skins in New South Wales, from Queensland, without a licence to do so. The answer, and its application to Facebook Inc in this case, is given beautifully by Perram J:

“This entails, of course, that Facebook Inc has been conducting that business not only in the data centres United States and Sweden but also in Australia.  I see no particular difficulty with that.  Mr Capewell’s business was in Queensland but that did not stop it from also being in New South Wales when he sold a single kangaroo skin in that State… [D]id the fact that the businesses in question were now being conducted additionally in a new jurisdiction give rise to any want of logic.  I do not think it gives rise to a want of logic now.” [105]

It took an unlicensed kangaroo skin dealer from the 1970s to seal Facebook Inc’s fate on this point – an act, without some commercial activity, is enough to be operating a business in Australia.

  • Did Facebook collect or hold personal information in Australia?

The Court applied the usual formulation for answering the question about ‘collection’ – that there was an act of collection and the personal information was collected for inclusion in a “record or generally available publication” and that it took place in Australia. The personal information in question was that collected by individual users subject of the action. But was it collected for inclusion in a record, what was that ‘record’ and was there an Australian link?


To establish the collection question the Commissioner relied on 3 arguments: that Facebook Inc used caching servers in Australia; that it used cookies to collect the personal information; and that in practice the information was instantaneously transferred from Australia to North American and Swedish data centres.

The Court only accepted one of the three arguments: that Facebook Inc collected personal information by way of cookies. The other arguments were denied. Nonetheless, collection took place in Australia because of the cookies installed on users’ devices. [see 152]


The Court found that Facebook Inc did not hold the information because Facebook Inc was not in possession or control of a user’s device which was the ‘record’. However, this did not matter to the Commissioner’s case overall because the Court found that Facebook Inc collected the personal information in Australia for inclusion in a record which was the material point.

Australian Link

Because Facebook Inc was found to carry on business in Australia and collected personal information in Australia, the Court was satisfied that there is an Australian link.

  • What can privacy practitioners learn from this interlocutory decision?
  1. The Court confirmed that installing cookies (collecting) onto a user’s device (the record) from outside of the jurisdiction is sufficient to establish doing business in Australia. If you’re an organisation that trades in information about people, then these principles could apply to you.
  2. The Court affirmed the way in which digital businesses should think about and interpret doing business in Australia and Australian links in the context of the Privacy Act. It puts information businesses on notice that they can be doing business in Australia by virtue of the free flow of information even though their structure may have been designed with other objectives in mind.
  3. Maybe it’s time to get legal advice and consider your control environment as things may now not be as you think.

Finally, stay tuned. Maybe Facebook will appeal this decision to the High Court in one final attempt to stave off being included in this case. Eventually, we may get to the substantive case, and all this could change again.