Facebook’s further attempts to resist the jurisdiction of the Federal Court of Australia futile

Earlier in the year, Associate Professor Jeanne Huang reported on the Australian Information Commission’s action against Facebook Inc in the Federal Court of Australia. In particular, Huang covered Australian Information Commission v Facebook Inc [2020] FCA 531, which concerned an ex parte application for service outside of the jurisdiction and an application for substituted service.

In April, Thawley J granted the Commission leave to serve the first respondent (Facebook Inc) in the United States, and the second respondent (Facebook Ireland Ltd) in the Republic of Ireland. Through orders for substituted service, the Commission was also granted leave to serve the relevant documents by email (with respect to Facebook Inc) and by mail (with respect to Facebook Ireland Ltd).

Facebook Inc applied to set aside the orders for its service in the United States, among other things. Facebook Ireland appeared at the hearing of Facebook Inc’s application seeking equivalent orders, although it did not make submissions.

On 14 September, Thawley J refused that application: Australian Information Commissioner v Facebook Inc (No 2) [2020] FCA 1307. The foreign manifestations of Facebook are subject to the Federal Court’s long-arm jurisdiction.

The decision involves an orthodox application of Australian procedure and private international law. The policy represented by the decision is best understood by brief consideration of the context for this litigation.

Background

The Australian Information Commission is Australia’s ‘independent national regulator for privacy and freedom of information’, which promotes and upholds Australians’ rights to access government-held information and to have their personal information protected.

Those legal rights are not as extensive as equivalent rights enjoyed in other places, like the European Union. Australian law offers minimal constitutional or statutory human rights protection at a federal level. Unlike other common law jurisdictions, Australian courts have been reluctant to recognise a right to privacy. Australians’ ‘privacy rights’, in a positivist sense, exist within a rough patchwork of various domestic sources of law.

One of the few clear protections is the Privacy Act 1988 (Cth), (‘Privacy Act’), which (among other things) requires large-ish companies to deal with personal information in certain careful ways, consistent with the ‘Australian Privacy Principles’.

In recent years, attitudes towards privacy and data protection seem to have changed within Australian society. To oversimplify: in some quarters at least, sympathies are becoming less American (ie, less concerned with ‘free speech’ above all else), and more European (ie, more concerned about privacy et al). If that description has any merit, then it would be due to events like the notorious Cambridge Analytica scandal, which is the focus of this litigation.

Various manifestations of Australian governments have responded to changing societal attitudes by initiating law reform inquiries. Notably, in 2019, the Australian Competition and Consumer Commission (‘ACCC’) delivered its final report on its Digital Platforms Inquiry, recommending that Australian law be reformed to better address ‘the implications and consequences of the business models of digital platforms for competition, consumers, and society’. The broad-ranging inquiry considered overlapping issues in data protection, competition and consumer protection—including reform of the Privacy Act. The Australian Government agreed with the ACCC that Australian privacy laws ought to be strengthened ‘to ensure they are fit for purpose in the digital age’. A theme of this report is that the foreign companies behind platforms like Facebook should be better regulated to serve the interests of Australian society.

Another important part of the context for this Facebook case is Australia’s media environment. Australia’s ‘traditional’ media companies—those that produce newspapers and television—are having a hard time. Their business models have been undercut by ‘digital platforms’ like Facebook and Google. Many such traditional media companies are owned by News Corp, the conglomerate driven by sometime-Australian Rupert Murdoch (who is responsible for Fox News. On behalf of Australia: sorry everyone). These companies enjoy tremendous power in the Australian political system. They have successfully lobbied the Australian government to force the foreign companies behind digital platforms like Google to pay Australian companies for news.

All of this is to say: now more than ever, there is regulatory appetite and political will in Australia to hold Facebook et al accountable.

Procedural history

Against that backdrop, in March 2020, the Commission commenced proceedings against each of the respondents in the Federal Court, alleging ‘that the personal information of Australian Facebook users was disclosed to the This is Your Digital Life app for a purpose other than the purpose for which the information was collected, in breach of the Privacy Act’.

The Commissioner alleges that:

  1. Facebook disclosed the users’ personal information for a purpose other than that for which it was collected, in breach Australian Privacy Principle (‘APP’) 6;
  2. Facebook failed to take reasonable steps to protect the users’ personal information from unauthorised disclosure in breach of APP 11.1(b); and
  3. these breaches amounted to serious and/or repeated interferences with the privacy of the users, in contravention of s 13G of the Privacy Act.

In April, the service orders reported by Huang were made. Facebook Inc and Facebook Ireland were then served outside of the jurisdiction.

Facebook’s challenge to the orders for service outside of the jurisdiction: ‘no prima facie case’

Facebook Inc contended that service should be set aside because the Court should not be satisfied that there was a prima facie case for the relief claimed by the Commissioner as required by r 10.43(4)(c) of the Federal Court Rules 2011 (Cth).

The Court summarised the principles applicable to setting aside an order as to service as follows (at [23]):

  • An application for an order discharging an earlier order granting leave to serve out of the jurisdiction, or for an order setting aside such service, is in the nature of a review by way of rehearing of the original decision to grant leave to serve out of the jurisdiction.
  • It is open to the party who sought and obtained an order for service out of the jurisdiction to adduce additional evidence, and make additional submissions.
  • The onus remains on the applicant in the proceedings to satisfy the Court in light of the material relied upon, including any additional material relied upon, that leave ought to have been granted.

Facebook Inc accepted that although demonstrating a prima facie case is ‘not particularly onerous’, the Commissioner had failed to establish an arguable case; she had merely posited ‘inferences’ which did not reasonably arise from the material tendered: [28]-[29].

As noted above, the underlying ‘case’ that was the subject of that argument is in relation to the Cambridge Analytica scandal and alleged breaches of the Privacy Act.

The case thus turns on application of an Australian statute to seemingly cross-border circumstances. Rather than having regard to forum choice-of-law rules, the parties seemingly accepted that the case turns on statutory interpretation. The extra-territorial application of the Privacy Act depends on an organisation having an ‘Australian Link’. Section 5B(3) relevantly provides:

(3) An organisation or small business operator also has an Australian link if all of the following apply: …

(b) the organisation or operator carries on business in Australia or an external Territory;

(c) the personal information was collected or held by the organisation or operator in Australia or an external Territory, either before or at the time of the act or practice.

Facebook Inc argued that the Commissioner failed to establish a prima facie case that, at the relevant time, Facebook Inc:

  • carried on business in Australia within the meaning of s 5B(3)(b) of the Privacy Act; or
  • collected or held personal information in Australia within the meaning of s 5B(3)(c) of the Privacy Act.

Facebook Inc carries on business in Australia

In Tiger Yacht Management Ltd v Morris (2019) 268 FCR 548 (noted here), the Full Court of the Federal Court of Australia ‘observed that the expression “carrying on business” may have a different meaning in different contexts and that, where used to ensure jurisdictional nexus, the meaning will be informed by the requirement for there to be sufficient connection with the country asserting jurisdiction’: [40].

The Court considered the statutory context of the Commissioner’s case, being the application of Australian privacy laws to foreign entities. The Court had regard to the objects of the Privacy Act, which include promotion of the protection of privacy of individuals and responsible and transparent handling of personal information by entities: Privacy Act s 2A(b), (d). Whether Facebook Inc ‘carries on business in Australia’ for the purposes of the Privacy Act is a factual inquiry that should be determined with reference to those broader statutory purposes.

The Commissioner advanced several arguments in support of the proposition that Facebook Inc carries on business in Australia.

One argument advanced by the Commissioner was that Facebook Inc had financial control of foreign subsidiaries carrying on business in Australia, suggesting that the parent company was carrying on business in Australia. (Cf Tiger Yacht, above.) That argument was rejected: [155].

Another argument turned on agency more explicitly. Essentially, the Commissioner sought to pierce the corporate veil by arguing Facebook is ‘a single worldwide business operated by multiple entities’: [75]. Those entities contract with one another so that different aspects of the worldwide business are attributed to different entities, but the court ought to pierce the jurisdictional veil. The Commissioner submitted that ‘the performance pursuant to the contractual arrangements by Facebook Inc of functions necessary for Facebook Ireland to provide the Facebook service…, including in Australia, indicated that Facebook Ireland was a convenient entity through which Facebook Inc carried on business in Australia during the relevant period’: [115].

Facebook Inc appealed to cases like Adams v Cape Industries [1990] 1 Ch 433, where the English Court of Appeal explained that, typically, a company would not be considered to be carrying on business within the forum unless: ‘(a) it has a fixed place of business of its own in this country from which it has carried on business through servants or agents, or (b) it has had a representative here who has had the power to bind it by contract and who has carried on business at or from a fixed place of business in this country’ (at 529). (See also Lucasfilm Ltd v Ainsworth [2008] EWHC 1878 (Ch).)

Ultimately, the Court was not satisfied that Facebook Inc carried on business within Australia on the basis that Facebook Ireland conducted Facebook Inc’s business in Australia: [117]. More accurately, the Commissioner had not established a prima facie case to that effect.

But the Commissioner had established a prima facie case that Facebook Inc directly carried on business within Australia.

Facebook Inc is responsible for various ‘processing operations’ in relation to the Facebook platform, which includes responsibility for installing, operating and removing cookies on the devices of Australian users. Facebook Inc appealed to case authority to argue that this activity did not amount to carrying on business in Australia. The Court thus considered cases like Dow Jones v Gutnick (2002) 210 CLR 575 and Valve Corporation v Australian Competition and Consumer Commission (2017) 258 FCR 190, which each addressed the territorial aspects of businesses that depend on communication on the internet.

The Court rejected Facebook Inc’s argument that ‘installing’ cookies is to be regarding as equivalent to uploading and downloading a document (cf Gutnick). At the interlocutory stage of the proceeding, there was not enough evidence to accept Facebook Inc’s claim; but there was enough to draw the inference that the installation and operation of cookies within Australia involves activity in Australia.

The Court concluded: ‘the Commissioner has discharged her onus of establishing that it is arguable, and the inference is open to be drawn, that some of the data processing activities carried on by Facebook Inc can be regarded as having occurred in Australia, notwithstanding that the evidence did not establish that any employee of Facebook Inc was physically located in Australia’: [137]. It was thus concluded that the Commissioner had established a prima facie case that Facebook Inc carried on business within Australia: [156]. (Cf the reasoning of Canadian courts that led to Google Inc v Equustek Solutions Inc [2017] 1 SCR 824, noted here.)

Facebook Inc collected or held personal information in Australia

The Court was assisted by responses provided by Facebook Inc to questions of the Commissioner  made pursuant to her statutory powers of investigation. One question concerned the location and ownership of servers used to provide the Facebook service. Although Facebook Inc’s answer was somewhat equivocal, it suggested that the platform depends on servers located in Australia (including network equipment and caching servers) to improve connection and delivery time. This was enough for the Court to make the relevant inference as to collection and holding of personal information within Australia: [170].

The Court had regard to the purposes manifested by the Explanatory Memorandum to the Privacy Act in concluding that ‘the fact that the personal information is uploaded in Australia and stored on Australian users’ devices and browser caches and on caching servers arguably owned or operated by Facebook Inc in Australia, it is arguable that Facebook Inc collected the personal information in Australia’: [185].

Combined with the findings as to carrying on business, this was enough to establish a prima facie case that the extra-territorial application of the Privacy Act was engaged. The Court’s orders as to service were not disturbed.

Concluding remarks

The interlocutory character of this decision should be emphasised. The Court’s findings on the territorial aspects of ‘carrying on business’ and data collection were each subject to the ‘prima facie case’ qualification. These are issues of fact; the Court may find differently after a thorough ventilation of evidence yet to be adduced.

This decision is not anomalous. The assertion of long-arm jurisdiction over Facebook Inc indicates Australian courts’ increasing willingness to pierce the jurisdictional veil for pragmatic ends. In my experience, most Australian lawyers do not really care about the multilateralist ideals of many private international law enthusiasts. The text of the Australian statutes that engage the case before them is paramount. Lawyers are directed to consider the text of the statute in light of its context and purpose: Australian Securities and Investments Commission v King (2020) 94 ALJR 293, [23]; Acts Interpretation Act 1901 (Cth) s 15AA. Essentially, in the case of a forum statute with putative extraterritorial operation, a form of interest analysis is mandated.

I am OK with this. If the policy of the Privacy Act is to have any chance of success, it depends on its application to internet intermediaries comprised of corporate groups with operations outside of Australia. As an island continent in a technologically interconnected world, the policy of Australian substantive law will increasingly determine the policy of Australian private international law.

Michael Douglas is Senior Lecturer at UWA Law School and Consultant at Bennett + Co, Perth.