Facebook Inc v Australian Information Commissioner [2022] FCAFC 9
The Australian Information Commissioner (the AIC) commenced proceedings in the Federal Court, alleging that Facebook Ireland Ltd and its US-incorporated parent company, Facebook Inc, had breached Australian Privacy Principles in contravention of the Privacy Act 1988 (Cth).
Because neither company operates from a place of business in Australia, the AIC needed to obtain leave to serve the proceedings outside Australia under r 10.43 of the Federal Court Rules. To do so, the AIC needed to show that it had a prima facie case for the relief sought against each respondent. Once leave to serve was granted, and the respondents were served overseas, Facebook Inc appeared conditionally in the Federal Court to apply to set aside service of the proceedings on it. But Facebook Ireland did not seek to challenge the validity of service on it. So Facebook Inc alone sought to challenge the Federal Court’s jurisdiction. It did so by contending that the AIC had not shown a prima facie case for relief against Facebook Inc, because the contravening acts alleged against Facebook Inc were done outside Australia, and there was no prima facie case that Facebook Inc had an “Australian link” which could make those overseas acts actionable under the Australian Privacy Act.
Under the Privacy Act, a body corporate has an “Australian link” if it both (i) carries on business in Australia, and (ii) collects or holds personal information in Australia. So, in order to establish a prima facie case that Facebook Inc had an Australian link, the AIC first needed to show a prima facie case that Facebook Inc carries on business in Australia.
To trace through how that question was answered, it is first necessary to summarise the contraventions alleged by the AIC, and then to summarise how Facebook Ireland and Facebook Inc interact with each other in operating the Facebook platform for users and app developers in Australia.
The AIC’s civil penalty proceeding arose out of the Cambridge Analytica scandal. This is Your Digital Life was an app that sought to draw connections between users’ Facebook behaviour data and their psychological traits and behaviour. Users were required to log in with their Facebook logins. They were then asked to grant permission for the app to access personal information that Facebook held about the user and about the user’s Facebook friends. In turn, Facebook permitted the app’s developer to access that personal information, but on condition that the developer used that information only for the purposes of the app. The app developer breached that requirement by allowing the collected information also to be used for the purpose of political campaigns. In Australia, 53 users installed the This is Your Digital Life app, but this resulted in the developers accessing Facebook information of more than 300,000 of their Facebook friends. As a consequence, the AIC alleged that Facebook Ireland and Facebook Inc were involved in the web developers’ breaches of the Australian Privacy Principles and contraventions of the Privacy Act.
At the most general level, the Facebook platform is provided by Facebook Inc, which provides the Facebook platform to users in North America, and by Facebook Ireland, which provides the platform to users located outside North America. Secondly, Facebook Inc provides data processing services to Facebook Ireland, which includes Facebook Inc processing broad swathes of personal data uploaded by Facebook Ireland’s users, and which Facebook Ireland provides to Facebook Inc. There was clearly a prima facie case that Facebook Inc “carried on” the business of providing data processing services to Facebook Ireland. But did Facebook Inc carry on that business in Australia? The Full Federal Court held that Facebook Inc did carry on business in Australia in two key respects.
First, under its Data Processing Agreement with Facebook Ireland, Facebook Inc was responsible for installing and operating cookies on users’ computers, phones and other devices. So when a new Facebook user downloads the Facebook app onto a device in Australia, it is Facebook Inc that is responsible for installing a cookie on the user’s device in Australia. The installation of the cookie is an important part of what makes Facebook work as a seamless user platform. So the installation of cookies on devices in Australia was one respect in which Facebook Inc carried on business in Australia.
Secondly, one of the services that Facebook offers to app developers is an interface known as the Graph API. In essence, the Graph API is the interface through which apps can interact with Facebook’s “social graph” and so access personal information from users’ Facebook accounts. The Graph API is operated by Facebook Inc, in data centres in the United States and Sweden; however, Facebook Inc conceded that Facebook Inc manages the Graph API on behalf of Facebook Ireland, as regards app developers outside North America. Facebook Inc contended that because the Graph API was made available to app developers in Australia under their contracts with Facebook Ireland, and because Facebook Inc operates the Graph API wholly outside Australia, Facebook Inc cannot be said to carry on business in Australia by its management of the Graph API. The court held that it was wrong to focus too minutely on the digital events involved; rather, the correct focus should be on the relevant commercial activity: namely, providing the Graph API functionality to app developers in Australia. The court was therefore satisfied that there was also a prima facie case that Facebook Inc carried on business in Australia by managing the Graph API on behalf of Facebook Ireland, for Facebook Ireland to make available to Australian app developers.
In this case, ultimately, the question whether Facebook Inc carries on business in Australia fell to be answered for the purposes and in the context of the Privacy Act. Information is the very focus of the Privacy Act, and the Act’s objectives include facilitating the free flow of information across national borders while ensuring that the privacy of individuals is respected. Accordingly, the test of whether Facebook Inc carries on business in Australia for the purposes of the Privacy Act need not cleave to the more conventional indicators of whether a foreign enterprise carries on business in Australia for business registration, tax and other purposes – such as, does the company have a fixed place of business, employees, assets and/or agents in Australia?
An interesting question therefore follows: whether the nuanced and context-sensitive approach to the “carrying on business in Australia” enquiry in Facebook Inc v AIC may flow through to the Australian courts’ approach to other conflict of laws questions that relate to e-commerce, social media and fintech disputes against defendants incorporated overseas. For example, s 5(1)(g) of the Competition and Consumer Act extends parts of that Act (and the Australian Consumer Law) to conduct outside Australia by bodies corporate that are incorporated outside Australia, but only if they carry on business in Australia; and s 12AC(1)(a) of the ASIC Act does likewise in relation to carrying on financial services business in Australia. Will the reasoning in Facebook Inc v AIC be applied in its full breadth in those different statutory contexts? If one were to look for guidance to the liberal approach recently applied by the Federal Court to applications for leave to serve preliminary discovery applications against search engine and social media publishers (see recently Lin v Google LLC [2021] FCA 1113), the answer would seem to be yes.
As a general observation, the courts seem to be moulding and modifying existing conflicts of laws principles to ensure that the resolution of cross-border disputes in e-commerce is not unnecessarily constrained by jurisdictional bricks and mortar. Allsop P confirmed as much in his short concurring judgment in Facebook Inc v AIC, observing that it is crucial to keep in mind that “The business is not about the simple sale of goods whether tangible or intangible. It is about extracting value from information about people.”