In a recent landmark privacy case, the Full Federal Court dismissed Facebook’s claim that it is not subject to Australian privacy laws because it does not “carry on a business in Australia”.

Facebook Inc v Australian Information Commissioner [2022] FCAFC 9

The Office of the Australian Information Commissioner (OAIC) commenced proceedings in 2020 against Facebook (now Meta) over the Cambridge Analytica scandal. The OAIC argued that Facebook Inc and Facebook Ireland Limited breached the privacy of over 300,000 Australian Facebook users, contravening the Australian Privacy Act 1988 (Cth) (Privacy Act). OAIC alleged that Facebook contravened section 13G of the Privacy Act by committing acts that were a serious or repeated interference with privacy. It did this by handing over the personal information of users of the ‘This is Your Digital Life’ app, to Cambridge Analytica for voter analysis purposes. Only 53 Australian Facebook users installed the app, however Facebook accessed the personal information of over 310,000 Australians who did not consent to information-sharing.

Facebook argued that it was not subject to Australian privacy law, because it did not do business in Australia. It argued this because the data was not processed by an Australia-registered company, it was processed by Facebook Ireland in datacenters located in the USA and Sweden. However, on 7 February 2022 the Full Federal Court of Australia dismissed this argument as ‘divorced from reality’. Their Honours held that Facebook installed and removed cookies on the devices of Australian users, and this was enough to establish that Facebook was ‘carrying on business’ in Australia. The use of cookies was an important part of Facebook’s operation, rather than being ‘an outlier activity’.

Therefore, Facebook is bound by Australian privacy laws, and the OAIC is entitled to proceed with their case and serve initiating court documents on Facebook. Australian Information Commissioner Angelene Falk welcomed this decision, stating that the OAIC would ‘continue to move forward with the case and looked forward to the hearing of substantive matters.’

What impact will this case have?

This decision provides helpful guidance on the Privacy Act’s extraterritorial application. It will have a big impact on other large international corporations who currently do not think that they fall under Australia’s jurisdiction.

Facebook had tried to argue to the Full Federal Court that a finding that it was conducting business in Australia would open the floodgates for any international business with a website accessible from Australia. Perram J noted this argument was ‘very much overstated’, however it is true that international organisations may now be caught by Australian privacy laws.

It is not difficult to demonstrate that an organisation that uses digital activities is ‘carrying on’ business in Australia, especially as the installation of cookies on Australian devices meets the threshold of doing business in Australia. Therefore, international businesses should consider whether they are complying with Australian privacy laws, even when they do not have a physical presence in Australia or do not directly engage with or sell goods or services to individuals located in Australia.

Sainty Law has expertise in Australian Privacy and data laws. If your organisation needs advice on whether you are compliant with the Privacy Act or what to do to be compliant, please contact us here.