The cookie crumbles for Facebook Inc: Australia’s Full Federal Court clarifies ‘carrying on business’ under the extra-territorial provisions of the Privacy Act

On 7 February 2022, the Full Federal Court of Australia delivered its judgment in Facebook Inc v Australian Information Commissioner, where the Court upheld the primary judge's findings that the Commissioner is entitled to serve Facebook Inc with an originating application in the United States as the Commissioner has a prima facie case against Facebook Inc as Facebook Inc was ‘carrying on business’ and collecting personal information in Australia and holding Australian related personal information at the relevant time making it subject to the Privacy Act 1988 (Cth) by means of its extra-territorial provisions.

Introduction

In early March 2020 the Australian Information Commissioner (in her joint role as Privacy Commissioner) (Commissioner) launched proceedings against Facebook Inc (now Meta Platforms Inc) and Facebook Ireland Limited (Facebook Ireland) in relation to the use and disclosure of personal information obtained through its ‘This is Your Digital Life’ app (most well known in relation to its use by Cambridge Analytica). On 22 April 2020 the Commissioner was granted the right to serve Facebook Inc and Facebook Ireland overseas, with the primary judge dismissing Facebook Inc’s interlocutory application seeking to set aside service of the initiating court documents by the Commissioner on Facebook Inc in the United States. Facebook Inc appealed this decision and on 7 February 2022 the Full Federal Court delivered its ruling on the appeal.

Background

The Commissioner alleged in the proceedings that Facebook Inc and Facebook Ireland (collectively, Facebook) committed serious and/or repeated interferences with the privacy of individuals in contravention of Australian privacy law by disclosing personal information it collected through the ‘This is Your Digital Life’ app without the consent of users (APP 6). In particular, the personal information was shared with Cambridge Analytica which, infamously, used the data for political profiling purposes. This conduct by Facebook was alleged to demonstrate a failure by it to take reasonable steps to prevent unauthorised disclosure of personal information (APP 11.1).

On an ex parte basis, the Commissioner applied for and successfully obtained leave to serve the initiating court documents on Facebook Inc and Facebook Ireland overseas as neither had a physical presence in Australia. In response, Facebook Inc submitted an interlocutory application seeking to set aside such overseas service on it, claiming that it does not carry on business in Australia or hold personal information in Australia. Facebook Ireland did not apply to set aside service.

In September 2020 Justice Thawley in the Federal Court of Australia dismissed the interlocutory application made by Facebook Inc and was satisfied there was a prima facie case that Facebook Inc was:

• ‘carrying on business’ in Australia; and
• collecting personal information in Australia and holding Australian-related personal information at the relevant time.

Facebook Inc appealed Justice Thawley’s ruling to the Full Federal Court.

Overview of the Full Federal Court decision

The Full Bench of the Federal Court rejected Facebook Inc’s appeal to set aside Justice Thawley’s decision, confirming the Commissioner’s right to serve Facebook Inc with initiating court documents in the United States.

The Court determined that Facebook Inc’s installation and/or management of cookies on the physical devices of Australian users was enough for Facebook Inc to be ‘carrying on business’ in Australia.

The Court commented that, when determining whether an entity is ‘carrying on’ business in Australia, the acts or activity in Australia do not need to be intrinsically commercial in themselves if they involve acts within the territory that amount to, or are ancillary to, transactions that make up and support the relevant business. On that basis Facebook Inc’s installation and/or management of cookies on the devices of Australian users was deemed to be an important part of the operation of the Facebook platform generally and the commercial pursuits of the Facebook group, despite Facebook Inc’s actions themselves not being intrinsically commercial in nature.

What this means for offshore organisations?

Off the back of these proceedings more offshore organisations, such as offshore service enterprises, could be caught by Australian privacy laws. It is important to understand that there is very little required to demonstrate ‘carrying on’ business in Australia in respect of digital activities, such as the installation of cookies on Australian devices, to meet the requisite threshold of ‘carrying on business’ in Australia for the Privacy Act to apply.

Offshore organisations should therefore be mindful of whether they are caught by Australian privacy laws, even when they do not have a physical presence in Australia and do not directly engage with (i.e. sell things to) individuals located in Australia.

Implications for data misuse incidents

These proceedings continue to shape the class action, tech liability and media landscape. 

Against the backdrop of the ACCC v Google decision delivered in April 2021, we are seeing the Office of the Australian Information Commissioner and other regulators shift focus to Big Tech practices in line with growing consumer awareness about privacy and data protection and pushing to extend their reach under relevant legislation (new and old).

How can we help?

Clyde & Co’s Cyber & Digital Law team has unparalleled and specialised expertise across the privacy, cyber and broader technology and media practice areas and houses the largest dedicated and market-leading privacy and cyber incident response practice across Australia and New Zealand. Our team is also highly regarded for their expertise and experience in managing all forms of disputes across sectors and international borders including advising on some of the most high-profile disputes and class actions commenced in Australia.

The firm's privacy, cyber, tech and media practice provides an end-to-end risk solution for clients. From advice, strategy, transactions, innovations, cyber and privacy pre-incident readiness, incident response and post-incident remediation through to regulatory investigations, dispute resolution, litigated proceedings (plaintiff and defendant), recoveries and third party claims (including class action litigation), the team assists clients across the full spectrum of legal services within this core practice area.

For more information, please contact John Moran, Alec Christie, Reece Corbett-Wilkins or Richard Berkahn.