'Doing Business in Australia': Lessons Learned from Facebook Inc v Australian Information Commissioner

The Facebook-Cambridge Analytica data scandal may be fading in the memory of the Australian public. However, Facebook continues to face regulatory scrutiny from the Australian Information Commissioner, which has successfully sought leave to serve legal proceedings on the social media giant.

At the heart of the proceedings, the Facebook Inc v Australian Information Commissioner case considered whether Facebook Inc 'carries on a business' in Australia and is therefore subject to the Privacy Act 1988 (Cth).

The determination has implications in particular for foreign-based companies doing online business with customers in Australia.

Recap: Why is Facebook in court?

On 9 March 2020, the Australian Information Commissioner commenced proceedings against Facebook Inc and Facebook Ireland (together, Facebook), alleging Facebook had committed serious and/or repeated interferences with privacy in contravention of the Privacy Act 1988 (Cth) (Privacy Act). Over the past two years, US-based Facebook Inc has been appealing the Federal Court's decision to grant the Australian Information Commissioner leave to serve court documents on the entity. Facebook Inc's latest appeal attempt came to an end last week.

What is the latest development?

On 7 February 2022, the Full Bench of the Federal Court dismissed Facebook Inc's appeal from the primary judge's decision to grant the Australian Information Commissioner leave to serve legal proceedings on Facebook Inc in respect of the Facebook-Cambridge data breach. The Australian Information Commissioner may now serve court documents on both Facebook Inc and Facebook Ireland to continue its privacy case against the social media giant.

Why is the Full Bench's decision important?

The Full Bench's decision concerned procedural matters and is not a final determination of the substantive issues of the Australian Information Commissioner's case. However, the decision provides useful commentary on when an overseas based business, with no physical presence in Australia, may be caught by the extra-territorial application of the Privacy Act.

The Full Bench was careful to confine its decision to Facebook's particular circumstances and business operations. It specifically focused on:

• the relationship between Facebook Inc and Facebook Ireland;
• the data processing services undertaken by Facebook Inc on behalf of Facebook Ireland; and
• the business activities undertaken by Facebook Inc in Australia.

It was not at issue that Facebook Ireland, which is the entity that provides the Facebook service to users outside North America, carries on business in Australia.

There are a number of takeaways from the decision worth highlighting to assist in assessing whether the offshore conduct of a foreign-based entity is caught by the Privacy Act.

Key takeaways

• Conduct engaged in by a foreign-based entity outside Australia may be subject to the Privacy Act if the corporation has an "Australian link". An "Australian link" will be established if the entity:
  • carries on a business in Australia; and
  • collects or holds personal information in Australia and this information forms the subject matter of the privacy acts and practices in question.

Carries on a business

• There is no one size fits all answer to the question of whether or not a foreign-based entity "carries on a business in Australia".
• Whether a foreign-based entity provides goods or services in Australia and carries on a business here will depend on the nature of the business being conducted and the activity that takes place in Australia.
• The nature of the business transactions said to constitute the business must be identified with precision.
• The meaning of the words "carries on a business in Australia" in the context of the Privacy Act must be informed by the statute. The focus of the Privacy Act is on information.
• It is possible to conduct business in Australia without having any physical presence within the jurisdiction.
  • Here the Full Bench focused on Facebook Inc's business of providing data processing services to Facebook Ireland including the installation and removal of cookies on users' devices in Australia and the provision of the Facebook login to Australian developers for use in Australia via the Graph API.
  • The Court accepted that the territorial concept of carrying on business involves acts within the relevant territory. In this case there were relevant acts within Australia, albeit effected remotely.

Collection and holding of personal information

• There must be a collection or holding of personal information. It is not enough to establish that the foreign-based entity carries on a business in Australia.
• In this case, it could be inferred that Facebook Inc collected personal information in Australia by means of cookies, which it installed on the devices of Australian users.

The extra-territorial application of the Privacy Act can have significant implications for foreign-based companies doing business in Australia. This decision demonstrates that Australian courts will take a flexible approach to what is considered 'doing business' and, for largely online businesses, a relatively low degree of activity within Australia will suffice.

For advice and support regarding privacy and data requirements and best practice within your organisation, contact our experienced team of legal privacy experts.