Carrying on business in Australia in a digital age: Privacy Commissioner v Facebook Inc

The Australian Information Commissioner’s (Privacy Commissioner) civil penalty proceedings^[1] against Facebook Inc and Facebook Ireland Limited (Facebook Ireland) in respect of alleged breaches of the Privacy Act 1988 (Cth) (Privacy Act) has the potential to provide some clarity into whether or under what circumstances services provided from overseas via the internet might result in a business being carried on in Australia. The Court’s reasons[2] in Facebook Inc’s failed interlocutory application to set aside the orders for service of the originating process on it provide some insights into how the concept of ‘carrying on business in the jurisdiction’ might be adapted to an increasingly digital and multinational commercial environment.

Why does the case matter?

Whether an entity carries on business in Australia is the basis of application of a large number of Australian statutes, not only the Privacy Act. Also, at common law, a corporation is present in the jurisdiction (and therefore capable of being personally served with an originating process) if it carries on business within the territory of the jurisdiction, either through its own office or through an agent who has authority to bind the corporation. Further, the Australian corporations legislation provides that a body corporate formed under the laws of a foreign jurisdiction must not carry on business in Australia unless it is registered with the Australian Securities and Investments Commission and has appointed a local agent for service.

Although this decision concerns the meaning of ‘carrying on business in Australia’ as used in section 5B of the Privacy Act, it has been judicially accepted that when used as a jurisdictional nexus in various contexts, the expression ‘carrying on business’ will derive its meaning from the ordinary understanding of that expression. The decision therefore has wider potential application to any legislation that uses the concept of carrying on business in Australia as its basis of application to a person.

The decision is also instructive as to how the business of a corporation might be characterised. In this case, it was held to be arguable that Facebook Inc carried out sufficient activity in Australia in its business of providing services to Facebook Ireland to leave it open to find that Facebook Inc carried on business in Australia. The relevant business was not the provision of the Facebook platform to users, as the public might expect Facebook Inc’s business to be, but rather the provision of ‘behind the scenes’ software and data processing services to Facebook Ireland.

Carrying on business in Australia

For the Privacy Act to apply to a person, that person must have an ‘Australian link’. Under section 5B(3) of the Privacy Act, a foreign corporation has an Australian link at the time of an act or practice if:

• it carries on business in Australia; and
• it collected or held personal information in Australia or an external Territory, either before or at the time of the act or practice.

A person can carry on business in Australia in two ways:

• by engaging in acts within the territory of the jurisdiction that are, or are ancillary to, the transactions that constitute the business; or
• through an agent in Australia carrying on business on behalf of the person (including where a subsidiary carries on business not on its own account, but on behalf of its holding company).

Each of these bases was argued by the Privacy Commissioner in both broad and narrow senses:

• Facebook Inc carried on business in Australia through the agency of its subsidiary Facebook Ireland
• narrow: Facebook Ireland could and did enter into contracts with Australian Facebook users on behalf of Facebook Inc;
• broad: having regard to all the circumstances, the business carried on in Australia by Facebook Ireland was not its own business but that of Facebook Inc; and
• Facebook Inc carried out business activities directly in Australia
• narrow: by entering into contracts with Australian Facebook users through Facebook Ireland as its agent; and
• broad: Facebook Inc carried on a business of providing software and data processing services to Facebook Ireland, with activities that make up that business occurring within Australia.

The Federal Court held that the Privacy Commissioner failed to establish a prima facie case that Facebook Inc carried on business in Australia through the agency of Facebook Ireland, or that Facebook Ireland entered into contracts with Australian users on behalf of Facebook Inc. It was satisfied that, on the evidence before the court, Facebook Ireland entered into contracts with Australian Facebook users as principal on its own account, and not on behalf of Facebook Inc, in the course of carrying on its own business in Australia. Both agency bases and the narrow direct activity basis for carrying on business in Australia therefore failed.

However, the Privacy Commissioner succeeded on the argument that Facebook Inc carried on a business of providing software and data processing services to Facebook Ireland, and that a sufficient proportion of the activities that made up that business were conducted in Australia. In particular, it was held to be arguable that the following activities, being services provided by Facebook Inc to Facebook Ireland, were carried out in Australia:

• installing, operating and removing cookies on Australian Facebook users’ devices – it was open to infer that the installation of a cookie, by it being downloaded by an Australian user onto their device, and the subsequent post-installation operation of that cookie by Facebook Inc involved activity in Australia, even if instituted or controlled remotely;
• managing the Graph API by which app developers (whether Australian or foreign) may access information uploaded by Australian Facebook users – it was open to infer that making the Graph API available to Australian apps involved activity, such as the installing and operation of data, in Australia by Facebook Inc, albeit initiated, controlled or operated remotely; and
• collecting and holding personal information about Australian Facebook users.

Notably, it was immaterial that Facebook Inc provided these services to Facebook Ireland and not to Australian Facebook users. Whilst Facebook Ireland may have been carrying on the public-facing business of providing the Facebook platform in Australia, Facebook Inc was carrying on a business in Australia of providing services to Facebook Ireland, and this was sufficient to satisfy section 5B(3)(b) of the Privacy Act.

The Federal Court also found that the Privacy Commissioner had established a prima facie case that Facebook Inc collected and held personal information in Australia so as to satisfy section 5B(3)(c) of the Privacy Act.

What does this mean in practice?

Caution should be taken against overstating the significance of this decision. It is an interlocutory decision on an application in which the Privacy Commissioner needed only to establish a prima facie case that Facebook Inc had an Australian link and therefore was subject to the Privacy Act. Consequently, the Federal Court’s findings are expressed only at that standard of proof – that those findings are arguable, based on inferences that are open to be drawn from the evidence before the court. Whether or not Facebook Inc does carry on business in Australia will need to be established on the balance of probabilities at trial in order for Facebook Inc to be liable for the alleged breaches of the Privacy Act.

However, the decision nevertheless evidences a willingness to consider these findings and so signals the way in which the concept of ‘carrying on business in Australia’ may develop.

Although in this interlocutory proceeding both the respondent and the corporation actually contracting with customers in Australia were both foreign corporations, the decision carries equal significance for multinational corporate groups that provide products into Australia via an Australian subsidiary who contracts with customers and ostensibly carries on the whole of the business in Australia. This decision highlights that the intercompany arrangements by which the Australian subsidiary draws on the resources of the corporate group are capable of causing foreign entities within the corporate group to also be carrying on business in Australia.

For businesses that deliver products digitally, this decision also reinforces the need to consider the legal consequences of different resource location decisions. The use of caching servers and the installation of cookies on user devices is not unique to Facebook and could result in an overseas person being held to carry on business in Australia. This issue applies to the local subsidiary / foreign parent model discussed above as well as to corporations providing services to persons in Australia via the internet without the involvement of any Australian subsidiary.

The Federal Court’s decision on Facebook Inc’s application to set aside service and the orders for service in the Privacy Commissioner’s civil penalty proceedings provides some signals as to the way that the concept of ‘carrying on business in the jurisdiction’ may evolve to adapt to an increasingly digital commercial environment. However, it is only an interlocutory decision finding that certain propositions about carrying on business in Australia are arguable.

Key takeaways

• Providing services to a related body corporate can itself be carrying on a business. If those activities are sufficiently performed within Australia, it may amount to carrying on business in Australia.
• The installation, operation and removal of cookies on users’ devices located in Australia, and the processing of data held on servers located in Australia, can be activities carried out in Australia, even if initiated and performed remotely.

[1] Federal Court of Australia, file number NSD 246/2020.

[2] Australian Information Commissioner v Facebook Inc (No 2) [2020] FCA 1307 (‘Facebook (No 2)’).