Federal Court of Australia
Facebook Inc v Australian Information Commissioner  FCAFC 9
FACEBOOK IRELAND LIMITED
DATE OF ORDER:
THE COURT ORDERS THAT:
1. The applicant be granted leave to appeal on the terms of the draft notice of appeal.
2. The notice of appeal be filed within 7 days hereof.
3. The first respondent file her Notice of Contention within 7 days of the filing of the notice of appeal.
4. The appeal be dismissed.
5. The appellant pay the first respondent’s cost of the appeal (including the costs of the application for leave to appeal).
2 The nature of Facebook Inc’s business is fundamental to all enquiries that concern it, especially where it was being carried on. Legal (like other) reasoning can be assisted by metaphor. In particular there is assistance sometimes in the description or characterisation of circumstances or activity by reference to metaphor. But the metaphor may have its dangers. As the Full Court said in D’Arcy v Myriad Genetics Inc  FCAFC 115; 224 FCR 479 at  in the context of scientific analysis:
… Metaphor can assist thought, in particular, by the evocation of structure and form by imagination; but it can also blind the eye of the mind by oversimplification. It may risk blinding real illumination that is achieved through analysis of the facts, including the scientific principles involved, by the utilisation of a striking evocation of a simplified structure of analysis that is derived from the metaphor chosen, rather than from the facts as existing.
3 We are not dealing with scientific analysis here. But we are dealing with a business that is not manifested in physical or material matter or structures or goods, but as described by Perram J at – of his reasons, which can be described as the collection, storage, analysis, organisation, distribution, deployment and monetisation of information about people and their lives. How that monetisation takes place in relation to the activities carried on by Facebook Inc is neither clear nor the subject of this proceeding. One can be sure, however, that the acts done to collect, store, analyse, organise, distribute and deploy the information about people and their lives are integral to the methods of monetisation or extracting commercial value from the information. The business is not about the simple sale of goods whether tangible or intangible. It is about extracting value from information about people.
4 The above is crucial in addressing the argument of Facebook Inc that there is a clear distinction useful for analysis here between physical acts and their consequences or effects. Facebook Inc’s business is not the sending of letters or telegrams, or the receipt of communications in California of messages sent by acts of users in other countries. To conceptualise what is occurring in such broken or particularised parts, especially by reference to more easily visualised in the mind physical activity, is to mischaracterise by oversimplification through the application of a false taxonomy of activity.
5 This is particularly the case in relation to the placement of cookies on users’ devices in Australia. The act of a person need not be discrete and conceptually separated in reality from its consequences. An act may occur in more than one place, may be continuous, complex and multilateral, and not just physically instantaneous in one place. Micro-surgery is not undertaken by the physical, manual manipulation of a scalpel by the hand of a surgeon upon the body of a patient. The surgeon may be at an instrument, physically separated from the patient, controlling the minute device that effects the surgery. The act is taking place at both places: where the surgeon is and where the patient is. It can be characterised or conceived of as one act. There is no reason of logic or conceptual appreciation as to why the conclusion must be different depending upon the distance of separation between the two locations. The consideration of the matter and the proper characterisation of the act or activity is to be approached by reference to the nature of the business and the place of the act or activity within the business, and the context as to why the question is being asked, being here the operation of a statute concerned with the privacy of information concerning people.
6 The law is familiar in many contexts with the notion of a continuing act, where characterisation of act and consequence or act and effect may be available, but less appropriate for the context at hand: The Queen v Rogers (No 2) (1877) 3 QBD 28 at 34 (the sending of a letter being regarded as a continuous act and the offence being committed where the letter is read); Ward v The Queen  HCA 11; 142 CLR 308 (the shooting in Victoria and the impact on the victim in New South Wales – the impact not being an effect of the act in Victoria; but rather the fatal act of shooting in New South Wales); R v Baxter  1 QB 1 (the complex and continuing actus rei of a criminal enterprise); Dow Jones v Gutnick  HCA 56; 210 CLR 575 at 600  (distinguishing between unilateral and bilateral acts); Distillers Co (Biochemicals) Ltd v Thompson  AC 458 at 468–469 (the ascertainment of the place of the tort). There is no necessary distinction in law between an instantaneous act and an effect. Digital activity is not to be reduced to pressing a button, sending a signal, and recognising a discrete effect. This miscomprehends and mischaracterises, in the context of the business, what is going on. In the context of a digital business such as Facebook Inc’s described earlier, the relevant act done in Australia is the installation and operation of cookies on Australian users’ devices and the making of the Facebook login available to an Australian developer in Australia. This is so whether one abstracts or conceptualises these as bilateral or continuing acts or activities, or as acts or activities not attaining significance or not crystallising until installation and operation on the device or the making of the login available to the user. The installation and operation and the making of the login available are not effects or consequences, but essential elements of the acts or activities themselves.
7 The division for all purposes of instant act from consequence or effect suppresses both philosophical and practical enquiry. We are not concerned with the former; but we are the latter. In law, act and effect and indeed cause and consequence and like enquiries depend upon context. Their resolution is not dictated by systematic exposition of theory (which would be, as Pound said in relation to causation, “unscrewing the inscrutable”: Pound, NR “Causation” (1st Harry Schulman Lecture of Torts, Yale Law School (1957) 67 Yale Law Journal 1, 1); but by appreciating why one is asking the question and the nature of the problem and the context at hand.
8 The place of these activities and these acts that are carried on and done by Facebook Inc in Australia in the overall commercial enterprise of Facebook Inc need not be precisely identified at this stage. Nor need the commercial significance of these activities and acts be drawn out beyond a recognition that they are part of the data collection and processing of the business described earlier. They may lack an intrinsic commercial quality in themselves looked at in isolation, but they take their place as a material part of the working of the business, which is held out as providing to its users a single global network for the instantaneous transmission and exchange of information. Much of the activity carried on by Facebook Inc does not generate revenue directly. An understanding that the revenue of the business is derived from monetisation of information collected, stored and analysed over a data sharing platform gives a ready intuitive explanation of that lack of direct revenue generation from such individual acts or activities in the overall commercialisation of the information. That does not, however, lessen the importance to the business, and to its being carried on, of the acts or activities occurring, where they occur.
9 The acts occurring in Australia, on Australian users’ devices, being the installation and deployment of cookies to collect information and help deliver targeted advertising, and the management of the Graph API to facilitate the collection of even more data may lack an intrinsic commercial character in and of themselves, but they are integral to the commercial pursuits of Facebook Inc.
10 This makes it unnecessary, and perhaps, with respect, distracting, to elevate a hypothetical question built on another business (Luckins (Receiver and Manager of Australian Trailways Pty Ltd) v Highway Motel (Carnarvon) Pty Ltd  HCA 50; 133 CLR 164) to a status revelatory of the correct answer to the question whether Facebook Inc is carrying on business in Australia. The question has in any event been answered: the acts or activity in Australia need not be intrinsically commercial in themselves if they involve acts within the territory that amount to, or are ancillary to, transactions that make up and support the business: Valve Corporation v Australian Competition and Consumer Commission  FCAFC 224; 258 FCR 190 at 235 .
11 Finally, Facebook Inc submitted that upholding the primary judge’s decision would involve an unprecedented expansion of the concept of “carrying on business” such that it would result in the “world…carrying on business in the world”. With respect, one should be wary of exaggeration. This is so, for at least two reasons. First, plainly, these reasons and those of Perram J do not support such a conclusion. Secondly, the consequences for other online businesses in other areas of law which utilise the concept of “carrying on business” are far from clear and are certainly not a foregone conclusion to be described as Facebook Inc’s submissions did. Any impact will depend upon the statutory context of the phrase and of the nature of the business being conducted.
Dated: 7 February 2022
REASONS FOR JUDGMENT
12 This application for leave to appeal arises out of the Facebook–Cambridge Analytica scandal and a Facebook application known as This Is Your Digital Life. It involves the apparently short question of whether the Australian Information Commissioner should have leave to serve her proceedings on Facebook Inc. Facebook Inc is incorporated in Delaware and is based in California. It is therefore ‘a person in a foreign country’ such that, irrelevant exceptions aside, leave is necessary before it can be served overseas with an originating process: rr 10.42 and 10.43(1)(a) of the Federal Court Rules 2011 (Cth). Generally, a grant of leave to serve out of the jurisdiction requires the demonstration of a prima facie entitlement to all or any of the relief claimed: r 10.43(4)(c). The Commissioner was successful in establishing a prima facie case on an application which, for obvious reasons, was argued in the absence of Facebook Inc. Leave to serve Facebook Inc out of the jurisdiction was granted. It then conditionally appeared, as it was entitled to do, to set aside service but that application was refused by the primary judge: Australian Information Commissioner v Facebook Inc (No 2)  FCA 1307 (‘J’). That determination was interlocutory in nature and therefore is subject to appeal only if leave to appeal is first obtained. Facebook Inc has applied for that leave and it is that application which is presently before the Full Court. The matter was fully argued on the basis that if leave were granted nothing further would need to be submitted on the appeal.
13 At the heart of the issues which fall for decision is the fact that whilst the social network known as ‘Facebook’ appears to its users to be a single object unaffected by international borders, it is in fact principally provided by two different entities. One of these is Facebook Inc itself which provides the Facebook platform to users located in North America. The other is an Irish subsidiary of Facebook Inc, Facebook Ireland Limited (‘Facebook Ireland’), which provides the Facebook platform to users located anywhere in the rest of the world. The issues before the Court concern, to an extent, the relationship between these two entities. The Commissioner has sued both entities and leave was also obtained to serve Facebook Ireland out of the jurisdiction. Unlike its parent, however, Facebook Ireland does not seek to set aside the service upon it. It took no active role in the present application.
14 Before turning to the issues which arise it is convenient to describe the events which have given rise to the litigation and to do so without distinguishing between Facebook Inc and Facebook Ireland. I will use the expression ‘Facebook’ as a placeholder to indicate that either or both of them did the act or thing described.
15 The Commissioner’s suit concerns an application known as This Is Your Digital Life. The application was created by Dr Aleksandr Kogan, a researcher employed by, or affiliated with, Cambridge University and from May 2014 was operated by a company of which he was a shareholder and director, Global Science Research Ltd (‘GSR’). I will refer to Dr Kogan and GSR as ‘the Developers’.
16 Dr Kogan described This Is Your Digital Life in a document he provided to Facebook. In that document, he described This is Your Digital Life as:
a research app used by psychologists. The requested permissions provide the research team with a rich set of social behaviour that Users engage in. This app is used in studies where we link psychological traits and behaviour (typically measured using questionnaires) with digital behaviour data in the form of Facebook information. We aim to use this data to better understand how big data can be used to gain new insights into people’s well-being, personality traits, and other psychological constructs.
17 As is common with many applications, This Is Your Digital Life invited persons wishing to use it to log in using their Facebook account. Perhaps unlike many applications, however, it did not offer any alternate means of doing so (for example, by creating a username and password). Users who used their Facebook logins to access This Is Your Digital Life were asked for permission by the application to access the personal information held by Facebook about them and also for access to the personal information of their Facebook friends. These permissions were subject to each user’s own privacy settings.
18 Having obtained the user’s permission, the Developers then requested that Facebook provide them with access to that user’s personal information and that of the user’s friends. Facebook provided this information, however, under the terms which governed the Developers’ use of the Facebook login. Under these terms, the Developers were not permitted to use the information other than for the purposes of the application. The Developers breached this requirement by permitting the personal information to be used for the purpose of political campaigns.
19 In Australia, approximately 53 Facebook users installed This Is Your Digital Life but the Developers obtained not only their personal information but that of approximately 311,074 of their Facebook friends. The Commissioner’s suit alleges, in a nutshell, that these events involved Facebook in contraventions of the Privacy Act 1998 (Cth) (‘the Privacy Act’). Specifically, the Commissioner says that Facebook Ireland and Facebook Inc have each breached Australian Privacy Principles (‘APPs’) 6 and 11.1(b). What are these?
20 APPs 6 and 11.1(b) are located in Sch 1 to the Privacy Act. By s 15 of that Act, an organisation (which by s 6C includes a body corporate) must not do any act, or engage in a practice that breaches an APP. APP 6 prevents an organisation which has collected information for a particular purpose to use it for another, except in limited circumstances. APP 11.1(b) requires an organisation which holds personal information to take reasonable steps to protect that information from unauthorised disclosure.
21 It is presumed that a Commonwealth statute does not apply to persons outside of Australia: Jumbunna Coal Mine NL v Victorian Coal Miners’ Association (1908) 6 CLR 309 at 363 per O’Connor J. That presumption will be displaced, however, where the statute exhibits an intention to displace it. The Privacy Act is explicit in applying to persons outside of Australia although only in some circumstances. So much flows from s 5B, which is entitled ‘Extra-territorial operation of Act’. Section 5B(1A) applies the Privacy Act to acts done or practices engaged in ‘outside Australia’ if they are done or engaged in by an organisation that ‘has an Australian link’.
22 Where a body corporate such as Facebook Inc or Facebook Ireland is concerned, an Australian link will be present if two requirements are satisfied: first, the body corporate must carry on business in Australia (s 5B(3)(b)); and secondly, it must have collected or held personal information in Australia (s 5B(3)(c)). Importantly, it follows from the text and structure of s 5B that the ‘personal information’ so collected or held must be the information which forms the subject matter of the acts or practices said to breach an APP (I explain why this is so in more detail below). In other words, an Australian link will only be present where an organisation has collected or held personal information in Australia and it is that information which is alleged to have been misused or mishandled in contravention of the Act. If, for example, Facebook Inc collected personal information from users in Australia and then separately collected and misused personal information from users in the United States, such conduct would be beyond the scope of the Privacy Act.
23 As a matter of drafting, this has been achieved in a way which is obscure. Section 5B(3) provides:
(3) An organisation or small business operator also has an Australian link if all of the following apply:
(a) the organisation or operator is not described in subsection (2);
(b) the organisation or operator carries on business in Australia or an external Territory;
(c) the personal information was collected or held by the organisation or operator in Australia or an external Territory, either before or at the time of the act or practice.
24 The reference to ‘the personal information’ in s 5B(3)(c) appears to make no sense since there is no other reference to personal information in s 5B. The only way to make sense of it is to connect ‘the personal information’ to the acts and practices referred to in s 5B(1A). Put another way, s 5B(1A) applies the APPs to conduct outside of Australia. Most of those principles are expressed to operate by reference to either the collection of information or its holding. What the reference to ‘the personal information’ in s 5B(3)(c) does is to require that the personal information regulated by the APPs is the same personal information which provides the Australian link.
25 The disposition of the present application therefore turns upon two questions: first, whether Facebook Inc prima facie ‘carries on business’ in Australia within the meaning of s 5B(3) of the Privacy Act; and secondly, whether Facebook Inc prima facie collected or held certain personal information (which must be the same as the information which is the subject of the Commissioner’s claim in respect of APPs 6 and 11) in Australia.
26 The Commissioner’s case before the primary judge was pitched at two levels. First, she submitted that there was a prima facie case that Facebook Inc carried on business in Australia in its own right and collected or held the relevant personal information in Australia. This case the primary judge accepted. Facebook Inc says that the primary judge was wrong to draw either the conclusion that it was carrying on business in Australia or the conclusion that it had collected or held the personal information in Australia. These arguments form the basis of Facebook Inc’s proposed notice of appeal in the event that leave to appeal is granted.
27 Secondly, the Commissioner submitted that there was a prima facie case that everything done by Facebook Ireland was done on behalf of Facebook Inc. Facebook Inc’s own submission was that Facebook Ireland was conducting the Facebook business in Australia and collecting and holding the relevant personal information in respect of Australian users. If a prima facie case were found that Facebook Ireland had done these things on behalf of Facebook Inc it would readily follow that there existed a prima facie case against Facebook Inc. This case was, however, rejected by the primary judge who concluded that there was no such prima facie case. The Commissioner says that the primary judge was wrong to draw that conclusion and this argument forms the basis of ground 1 of the Commissioner’s proposed Notice of Contention in the event that Facebook Inc is granted leave to appeal.
28 It is convenient to deal first with the question of whether Facebook Inc was carrying on business in Australia. In doing so, it is useful to consider separately the business that Facebook Inc is alleged to be engaged in and then to ask whether that business was being conducted in Australia.
29 In my opinion, the evidence certainly presents a prima facie case that Facebook Inc was engaged in the business of providing data processing services to Facebook Ireland. The evidence consists of an agreement between Facebook Ireland and Facebook Inc entitled ‘Data Transfer and Processing Agreement’ (‘the Data Processing Agreement’). The agreement did a number of things but for present purposes it contained two core sets of obligations. First, it identified the data which Facebook Ireland was to transfer to Facebook Inc for processing. Secondly, it identified the nature of the processing which Facebook Inc was to carry out on that data.
30 Pursuant to cl 5(a) of the agreement, Facebook Inc promised to process the ‘personal data’ provided to it by Facebook Ireland. Appendix 1 to the agreement makes clear that the personal data to be provided by Facebook Ireland to Facebook Inc for ‘processing’ was the personal data of ‘registered users of the Facebook platform’. The data which was to be provided was also set out. It was the personal data ‘generated, shared and uploaded by the registered users of the Facebook platform’. This sounds broad and the agreement confirmed its breadth. It was to include: photographs, videos, events attended or invited to, group memberships, friends, gender, date of birth, relationship status, email address, URL, hometown, family, political views, religious views, sexual life, biography, employment history, location, education, interests, entertainment preferences, material shared by the user (i.e. wall posts, messages, pokes), credit card information and actions taken on Facebook and other services. Further it included ‘special categories’ of data. These were: racial or ethnic origin, political opinions, philosophical beliefs, trade union membership, health and sex life.
31 What was the purpose of the processing to which Facebook Inc was to subject this data? It was, inter alia, to ‘facilitate communications across the Facebook platform’. Pausing there, it is to be noted that the Facebook platform comprised all users of Facebook, not just those users to whom Facebook Ireland provided the service. The data was also to be processed for the purposes of ‘personalising content’, ‘targeting advertisements and to assess their effectiveness’ and ‘identifying connections between Facebook users’. Again, none of this was limited to the users of the service provided by Facebook Ireland.
32 The nature of the Facebook platform might suggest that it is impossible to disaggregate the Facebook business in North America from that in the rest of the world. For example, such a balkanisation is difficult to reconcile with the fact that a post by an Australian user may appear in the newsfeed of a user in New York. Such a train of thought might pursue the implications of the obligation Facebook Inc had to Facebook Ireland to ‘facilitate communications across the Facebook platform’ and inquire further into whether the network effects which make Facebook so successful can be put to one side when analysing the nature of its business structure.
33 It is not necessary to pursue those bread crumbs, however. On its face it would appear that Facebook Inc carries on the business of providing data processing services to Facebook Ireland under the Data Processing Agreement. Facebook Inc denied that this was so but I did not find its submission persuasive. Here the argument was that its actions under that agreement were those of Facebook Ireland. But where A does an act for B it has never been the law that just because A’s act has been done on behalf of B (or even in the performance of B’s business) that A has not done the act as well. For example, a person who engages in misleading or deceptive conduct contrary to s 18 of the Australian Consumer Law cannot say in their defence that they did not engage in the conduct because they were doing it on behalf of someone else. Consequently, and contrary to Facebook Inc’s submission, there is no plausible reason why Facebook Inc cannot be seen as carrying on the business of providing data processing services to Facebook Ireland. The contracting out by one firm of part of its business operations to another firm is common. The proposition that the second firm in such a situation is not conducting its own business appears heterodox.
34 I therefore reject Facebook Inc’s liminal objection that the only business being conducted in relation to Australian users was business conducted by Facebook Ireland. At the prima facie level, the Data Processing Agreement provides abundant evidence to the contrary.
35 That leaves, of course, Facebook Inc’s submission that assuming it was conducting a business, it was not conducting one in Australia. The primary judge was disinclined to accept this because the business being conducted by Facebook Inc appears to have included as two of its elements the installation of cookies upon the devices of users and the provision to Australian application developers of an interface known as the Graph API which includes as part of its functionality a facility which allows third party applications to utilise the Facebook login. The primary judge thought that there was a prima facie case that both of these activities occurred in Australia.
36 One of the obligations that Facebook Inc had under the Data Processing Agreement was the installation of cookies. This obligation was as follows:
Installing, operating and removing, as appropriate, cookies on terminal equipment for purposes including the provision [of] an information society service explicitly requested by Facebook users, security, facilitating user log in, enhancing the efficiency of Facebook services and localisation of content.
37 At the prima facie level I would think that the installation of cookies ‘on terminal equipment’ is sufficient to answer this question adversely to Facebook Inc. There is no debate that ‘terminal equipment’ is a reference to a user’s device. What Facebook Inc has agreed to do is to install cookies on the devices of users. It is more than open to infer that the Data Processing Agreement is a carefully drawn document drafted by persons who know precisely what is involved in the installation of a cookie. Facebook Inc’s own assent to the expression that the cookie is installed ‘on’ the terminal equipment is eloquent that this is likely to be the case. It is certainly enough to make good a prima facie case.
38 Facebook Inc submitted that this question could not be answered without expert evidence as to the nature of cookies. I do not accept this submission. This is an application to set aside orders granting service out of the jurisdiction. It is not a trial. The only question is whether enough evidence has been put before the Court to make it appropriate to require a respondent to answer the claims made in the originating application and statement of claim: Australian Competition and Consumer Commission v Prysmian Cavi E Sistemi Energia S.R.L (No 4)  FCA 1323; 298 ALR 251 at  per Lander J. Because of that, it is not necessary to adduce the whole of the evidence that the applicant will present at trial. Here, the Commissioner has put documents before the Court in which Facebook Inc itself says that it installs cookies on terminal devices. To my mind, this evidence is a canonical example of precisely the kind of evidence with which applications of the present kind are concerned. If Facebook Inc ultimately wishes to submit that it did not mean what it said or perhaps, that it spoke in error, then that is a matter which can be taken up at trial. However, such contentions have no place in a debate as to whether service out of the jurisdiction should be permitted.
39 Facebook Inc then sought to draw an analogy with the making of information available for browsing on a website where there is some authority for the proposition that a web page is not located where the user who accesses the web page is located: Gebo Investments (Labuan) Ltd v Signatory Investments Pty Ltd  NSWSC 544; 190 FLR 209 (‘Gebo’). Indeed, Facebook Inc was explicit in submitting the installation of a cookie involved purely an act of uploading of some data by it and its corresponding download by the user. I do not accept this submission either. In its 2013 Data Use Policy, Facebook Inc described cookies in the following terms:
V. Cookies, pixels and other similar technologies
Cookies are small pieces of data that are stored on your computer, mobile phone or other device. Pixels are small blocks of code on webpages that do things like allow another server to measure viewing of a webpage and often are used in connection with cookies. We use technologies like cookies, pixels, and local storage (like on your browser or device, which is similar to a cookie but holds more information) to provide and understand a range of products and services. Learn more at: https://www.facebook.com/help/cookies.
This is prima facie evidence that cookies are ‘small pieces of data that are stored on your computer’, that they permit Facebook Inc to ‘understand the use of our products and services’ and that they make ‘Facebook easier or faster to use’. I do not accept that this is analogous to users of the World Wide Web using their browsers to examine documents located on servers situated outside of Australia. Thus I do not accept that cases such as Gebo have any bearing on the significance of the location where cookie installation occurs. Gebo is entirely silent on that issue.
40 Further, it is apparent that cookies are central to the Facebook platform. For example, in the 2013 Data Use Policy they are mentioned frequently. Under the heading ‘Other information we receive about you’, the policy tells users that whenever they visit a game, an application, or a website that uses the Facebook platform or visit a website with a Facebook feature then Facebook will receive data about this. Further, this data will be collected ‘sometimes through cookies’. What will the cookies collect? The policy continues: ‘the date and time you visit the site; the web address, or URL, you’re on; technical information about the IP address, browser and the operating system you use; and, if you are logged in to Facebook, your User ID’.
41 Later, the data use policy expands upon the use to which, inter alia, cookies are put:
We use these technologies to do things like:
• make Facebook easier or faster to use;
• enable features and store information about you (including on your device or in your browser cache) and your use of Facebook;
• deliver, understand and improve advertising;
• monitor and understand the use of our products and services; and
• protect you, others and Facebook.
42 The policy continues on the same page, ‘Cookies and things like local storage help make Facebook work, like allowing pages to load faster because certain content is stored on your browser or helping us authenticate you to deliver personalized content’.
44 Finally, Facebook Inc invoked the spectre of the floodgates. Mr Hutley submitted that they would surely be opened were the Court to conclude that the installation of a cookie occurs where the cookie was installed. A number of points may be made about this. First, this Court is not called to say anything on that topic. It is merely asked to determine whether there is a prima facie case that the installation of a cookie on a device in Australia takes place in Australia. It may be that at trial, Facebook Inc establishes that a cookie is not installed where it was installed but rather from where it was sent. The determination that there is a prima facie case that a cookie is installed at the place where it is installed is not a momentous determination.
45 Secondly, the invocation of the floodgates raises more questions than it answers. I return shortly to the question of whether Facebook Inc was carrying on business in Australia, but the question of whether an overseas entity that installs cookies on a device in Australia is thereby carrying on business in Australia is likely to turn on the nature of the business it carries on and the nature of the cookie. For example, a cookie which remembers a user’s login details so that they do not have to re-enter them each time a site is visited may stand in a somewhat different position to a cookie which tracks a user’s interest in chocolate biscuits so that the user’s newsfeed is peppered with advertisements for Tim Tams.
46 In any event, contrary to Facebook Inc’s submission, the question of whether the installation of a cookie in Australia can be seen as the carrying on of a business in Australia is unlikely to have a single answer.
47 I therefore accept that there is a prima facie case that in the conduct of its business of providing data processing services to Facebook Ireland, Facebook Inc installs cookies on devices in Australia and this is an activity which occurs in Australia.
The Graph API
48 The primary judge drew the inference that the Graph API was managed by Facebook Inc although he was prepared to accept that it did so on behalf of Facebook Ireland. He drew this inference because of an answer that Facebook Inc had given to a question asked by the Commissioner about the Graph API. This answer was:
… the process of allowing third party App developers to access the API was managed by Facebook Inc for all Apps on the Facebook platform, including on behalf of Facebook Ireland as the provider of the Facebook service to Australian users.
49 His Honour then reasoned this way at J:
Accepting for the purpose of argument that Facebook Inc’s activities in managing the Graph API were performed as a service to Facebook Ireland and that app developers contracted with Facebook Ireland, that does not mean that Facebook Inc did not carry on business, as service provider to Facebook Ireland, in Australia. Whether or not the activity was performed by way of services provided to Facebook Ireland, the fact is that Facebook Inc managed the Graph API process as part of its business. If the inference is open that some of Facebook Inc’s activities in managing the Graph API process were carried out in Australia, it is reasonably arguable that Facebook Inc carried on business in Australia within the meaning of s 5B(3)(b). In my view, the inference is available that a part of Facebook Inc’s activities in making available the Graph API to Australian apps included activity in Australia. The Graph API allowed apps to create a link or interface between the Facebook website’s “social graph” and the app. It is arguable and the inference is open that this involved activity by Facebook Inc in Australia, albeit initiated, controlled or operated remotely, such as the installing and operation of data in various forms.
50 Facebook Inc made two broad submissions about this statement. First, it was said not to have been supported by the evidence. Secondly, even assuming that it was so supported, the activities described by the primary judge – the installation of data in devices and the performance of operations on that date – could not constitute carrying on business as that concept was understood in the authorities. It is convenient to deal with these points separately.
51 Turning to the first proposition, it was not in dispute that the contract which Australian developers entered into when seeking to utilise the Facebook platform was a contract between each developer and Facebook Ireland. Clause 19(1) of that agreement expressly provided that where a developer was outside North America it was an agreement with Facebook Ireland. The balance of the agreement has little relevance although the principal obligations imposed on a developer may be found in cl 9. Facebook Inc did not point to any particular obligation imposed by that provision which was said to aid its argument.
52 Next, Facebook Inc submitted that all of the activity involving the Graph API happened in the United States or Sweden. The point of this submission was to show that the finding by the primary judge that it was open to infer that the installation and operation of data occurred in Australia could not be correct. The evidence about this consisted of written answers given by Facebook Inc to the Commissioner. The Commissioner had asked Facebook Inc to identify the Facebook entities which processed the personal information of Australian users. It had responded that this happened under the exclusive control of Facebook Ireland and was done in data centres located in either the United States or Sweden. The Commissioner had then asked Facebook Inc to give a description of how that equipment handled the personal information. Facebook Inc had responded that the data centres in the United States and Sweden were used to ‘run software through which the information was processed’ and that this included software ‘to action requests made by Australian Users, including through the Graph API and other features of the Facebook service’ (emphasis added).
53 In Facebook Inc’s submission, there was therefore no evidence that Facebook Inc did anything in Australia even leaving aside the fact that its actions in Australia were being done on behalf of Facebook Ireland. Everything to do with the Graph API happened in Sweden or the United States and there was no evidence that in the conduct of the Graph API anything was installed or operated in Australia.
54 I do not accept this submission. The primary judge attributed to the Commissioner this summary of the Graph API:
(6) The Graph API and Facebook Login (Statement of Claim -)
23. During the Relevant Period, apps could request personal information from Users’ Facebook Accounts using a tool called the Graph Application Programming Interface (Graph API). The Graph API allowed apps to create a link or interface between the Facebook Website’s “social graph” (being the network of connections through which Users communicated information on the Facebook Website) and the app. Version 1 of the Graph API was in place during the Relevant Period (Graph API V1).
24. The link or interface between the Facebook Website and the app was facilitated by a further tool known as “Facebook Login”. This allowed an installer of an app (Installer) to utilise their Facebook account credentials (username and password) to login to an app. Where an Installer did so, a screen or page would appear on the app requesting the Installer’s permission for the app to request, through the Graph API, certain categories of the User’s personal information as that User had provided to the Facebook Website (Permission Request).
25. Through the Graph API V1, an app could request a wide range of information about not only those Installers who had responded to Permission Requests, but also their Facebook friends who had not installed the app (Friends). This included requests for sensitive information. In response to a request from an app, the Respondents disclosed information about Installers and their Friends to the app, subject to the User’s privacy settings on the Facebook Website … However, a User’s “privacy settings” did not alone control how a User’s personal information was shared with apps, including apps installed by Users’ Friends. Unless a User modified their “app settings”, various categories of the User’s personal information, including sensitive information, would be disclosed to apps installed by their Friends by default …
26. Although the Respondents had in place terms and conditions about what kinds of information an app could request (see the Platform Policy, the relevant terms of which are pleaded at  of the Statement of Claim), the Respondents relied upon app developers’ self-assessment that an app complied with these rules. In particular, as is alleged at  of the Statement of Claim, the Respondents did not have in place any procedures to approve an app’s ability to make requests of the Graph API V1; nor did it review the privacy policies of the apps themselves.
27. On 30 April 2014, a new version of the Graph API (Graph API V2) was launched by the Respondents. Under Graph API V2, app developers wishing to request more than basic information from Friends and Installers had to undergo a manual app review process (App Review). Such requests would only be approved where, among other things, the additional information clearly improved the User’s experience of the app. However, Facebook allowed apps using Graph API V1 a 12-month ‘grace period’ (Grace Period) to migrate to Graph API V2.
55 Facebook Inc did not submit that this description of the Graph API was incorrect. It will be seen that the description is agnostic as to which Facebook entity was involved. The key points in the description are these:
(1) the creation of a link or interface between the application and the network of connections through which users communicated information on Facebook; and
(2) the Facebook login which when offered by an application (i.e. an Australian application) and when utilised by an Australian user would ask the user for permission for the application to request personal information through the Graph API. If that permission was obtained then the application could then request and receive personal information through the Graph API.
56 The Commissioner relied upon evidence about what the Facebook login looked like from the perspective of an Australian developer. Part of this evidence concerned Telstra’s portal for logging on to a user’s account with it. That page looked like this:
57 From this a number of inferences may be drawn. First, where a Telstra customer seeks to log in to the Telstra website using their Facebook credentials, the commencement of that logging in process occurs when the user presses the ‘Log in with Facebook’ button. The pressing of that button generally occurs in Australia (at least when the user is located in Australia). Secondly, the Australian user then provides their Facebook credentials. Thirdly, the provision of the credentials then permits the creation of a link or interface between Telstra and the network of connections through which users communicate information on Facebook. Fourthly, Facebook Inc then provides personal information to Telstra.
58 Returning to Facebook Inc’s answer that the software running in the data centres in the United States and Sweden included software ‘to action requests made by Australian users, including through the Graph API and other features of the Facebook service’, I would accept that this is likely to mean that the information which was provided to Telstra in this example is likely to have come from the data centres in the United States and Sweden. Further, I would accept the operation of the Facebook login is something which is done by Facebook Inc (on behalf of Facebook Ireland) from those data centres.
59 But I do not accept that this means that Facebook Inc did nothing in Australia. The correct focus is not on each individual log in by a Facebook user. Rather, it should be upon the business of providing the Facebook login functionality to Australian developers. The inference is open that this is an activity which occurs in Australia. Over-focus on the digital events which constitute that commercial activity with Australian developers is apt to distract attention upon the nature of the business activity.
60 Mr Hutley sought to distance Facebook Inc from that commercial activity in Australia. He pointed out that the answer that Facebook Inc had given about its management of the Graph API was not a statement that it managed the Graph API but rather a statement that it managed access to the Graph API. I accept that the literal answer given by Facebook Inc supports that contention. However, two obstacles lie in the path of accepting the submission. The first is that Facebook Ireland gave other answers which are inconsistent with any such peripheral role. The relevant questions and answers are Questions 26 and 30 which were posed by the Commissioner to Facebook Ireland in her s 44 notice. They were in these terms:
Question 26: For the period between 12 March 2014 and 17 December 2015, the number of Apps that Facebook Ireland deliberately prevented from accessing data through Graph API V1 due to the App’s misuse of data.
Answer: All review and assessment in relation to Graph API V1 and V2 was managed by Facebook Inc for all Apps on the Facebook Platform, including on behalf of Facebook Ireland as the provider of the Facebook service to Australian Users. Please see the response to Question 28 in the Facebook Inc Response for further detail.
Question 30: In relation to Graph API V1, particulars of:
a. the systems built by Facebook Platform Integrity (the Facebook team that builds systems and automation to detect and take enforcement actions against Apps violating the Platform Policy, as described in Facebook’s letters to the OAIC dated 6 July 2018 and 16 November 2018) to detect violations of the Facebook Platform Policy;
b. DevOps’ processes and policies for monitoring and enforcing compliance with the Platform Policy.
Answer: Relevant detection, monitoring and enforcement systems, processes and policies were managed by Facebook Inc for all Apps on the Facebook Platform, including on behalf of Facebook Ireland as the provider of the Facebook service to Australian Users. Please see the response to Question 32 in the Facebook Inc Response for further detail.
61 In addition, in response to a general question about its role in the data breach by Dr Kogan, Facebook Inc gave an answer which included this statement:
In addition, Facebook Inc was the entity most directly involved in the development and maintenance of the Facebook service, including the Graph API, for Users worldwide (although Facebook Ireland remained responsible for all processing of personal information of Australian Users, with Facebook Inc conducting data processing activities on behalf of Facebook Ireland in relation to the provision of the Facebook service to Australian Users).
62 These answers are inconsistent with Facebook Inc merely managing access to the Graph API. I do not accept Mr Hutley’s submission that these documents have nothing to do with the issues in this case. They were raised by the Commissioner in response to the submission that Facebook Inc did not manage the Graph API but only managed access to it.
63 The second obstacle is that Facebook Inc conceded to the primary judge that it did manage the Graph API on behalf of Facebook Ireland. The concession was recorded at J[146(2)]. Dr Higgins relied upon this concession in her submissions and Facebook Inc did not contradict it. There is no reason, therefore, not to accept the concession recorded by the primary judge.
64 In that circumstance, I accept that an inference is open that: (a) Facebook Inc managed the Graph API on behalf of Facebook Ireland; and (b) this included providing the Facebook login to Australian developers for use in Australia as part of the business being conducted by Facebook Ireland. I also accept that the computers from which that business was being conducted in Australia were located in the United States and Sweden.
65 Before turning to the legal question of whether this activity constituted the carrying on of a business in Australia, a few points should be noted for completeness. Facebook Inc submitted that it was unclear what was involved in ‘managing’ the Graph API. The Commissioner submitted that this was Facebook Inc’s own word and it could hardly complain about what it meant when it came from its own answer. Facebook Inc responded to this by submitting that the burden lay on the Commissioner to prove the existence of a prima facie case. It was not clear what was involved in ‘managing’ the Graph API and the fact that it was its word did not mean that it was its problem. It is not necessary to resolve that debate. It is clear that Facebook Inc does acts in the United States and Sweden which result in the Facebook login being available for commercial use by developers in Australia. What the precise internal mechanics of this are do not matter. The real question is whether Facebook Inc on behalf of Facebook Ireland makes the Facebook login available to Australian developers in Australia. It is clear that an inference is open that it does.
66 Having accepted that it is open to infer that Facebook Inc installed and removed cookies on users’ devices in Australia and that it managed the Graph API here too, the question then arises whether it can be said that it was carrying on business in Australia by reason of that conduct. The primary judge accepted that Facebook Inc was engaged in this conduct as part of the services it delivered to Facebook Ireland under the Data Processing Agreement. Consequently, his Honour accepted that Facebook Inc had conducted part of that business in Australia.
67 On the application for leave to appeal, Facebook Inc took issue with this conclusion. There were, in essence, two contentions. First, it argued that Facebook Inc had no physical presence in Australia. It entered into no contracts, employed no personnel, had no customers and derived no revenues. There was, Facebook Inc submitted, no decided case in which a foreign entity had ever been held to be carrying on business in Australia where all of these indicia were absent. Even if the installation of cookies and the management of the Graph API were acts which took place in Australia, therefore, they lacked from the perspective of Facebook Inc the quality of being business activities.
68 Secondly, whilst there was a business being conducted in Australia, that business was that of Facebook Ireland. All that Facebook Inc did was provide services to Facebook Ireland in the conduct of that distinct business which, ex hypothesi, was not the business of Facebook Inc. Put another way, Facebook Inc undertook on its own account no trading or commercial activities in Australia. In that circumstance, even accepting for the sake of argument that the installation and removal of cookies together with the management of the Graph API might be activities occurring in Australia, they still could not be capable of sustaining a conclusion that Facebook Inc was itself carrying on business in Australia. It is useful to discuss these points in turn.
69 Facebook Inc submitted that it had no physical assets, customers or revenues in Australia. The data processing services were, on the evidence, provided from data centres which were located in the United States and Sweden. I take it to be implicit in that submission that the data centres consisted of physical premises containing servers and some employees. Facebook Inc submitted that before it could be held that a foreign corporation was carrying on business in Australia it had to be shown that at least some of the following were present: a fixed place of business, human instrumentalities (perhaps, humans), business assets, agents, contractual counter parties and customers. It submitted that there was not a single case which had held a foreign corporation to be carrying on business in a particular place where at least one of those elements was not present.
70 I do not accept this submission. Whilst it is common to speak of the general approach to the question of whether an entity is carrying on business in a jurisdiction, usually the question arises in a particular statutory context. In this case, the question is whether Facebook Inc ‘carries on business in Australia’ within the meaning of s 5B(3)(c) of the Privacy Act. The expression ‘carries on business in Australia’ is not a defined term in the Act. However, its meaning is informed by the statute in which it appears. Two matters are relevant. First, the objects of the Act include by s 2A(f) the facilitation of ‘the free flow of information across national borders while ensuring that the privacy of individuals is respected’. The statute therefore has in its contemplation the regulation of the flow of information insofar as it concerns privacy. Secondly, the terms of s 5B(3)(c) suggest that the focus of the Act is on the enforcement of the APPs in relation to the collection or holding of personal information. It is true that s 5B(3)(b) imposes the additional requirement that the organisation carry on business in Australia but that does not change the fact that this statute has as its focus a non-material concept: information.
71 I am unable in that circumstance to discern the presence of a negative implication in the Act which altogether denies the possibility that a business might be conducted in Australia without any of the indicia to which Facebook Inc points. The absence of such a negative implication is confirmed by the Explanatory Memorandum which accompanied the introduction of s 5B(3)(b):
Item 6 Subsection 5B(3)
Item 6 will amend subsection 5B(3) by rephrasing the opening of the subsection and inserting a reference to the new term ‘Australian link’. This will clarify that the subsection lists additional connections with Australia which would be a sufficient link for the Privacy Act to operate extra-territorially in relation to organisations and small business operators under subsection 5B(1A).
The collection of personal information ‘in Australia’ under paragraph 5B(3)(c) includes the collection of personal information from an individual who is physically within the borders of Australia or an external territory, by an overseas entity.
For example, a collection is taken to have occurred ‘in Australia’ where an individual is physically located in Australia or an external Territory, and information is collected from that individual via a website, and the website is hosted outside of Australia, and owned by a foreign company that is based outside of Australia and that is not incorporated in Australia. It is intended that, for the operation of paragraphs 5B(3)(b) and (c) of the Privacy Act, entities such as those described above who have an online presence (but no physical presence in Australia), and collect personal information from people who are physically in Australia, carry on a ‘business in Australia or an external Territory’.
72 The emphasised part of the quote goes somewhat further than the language of s 5B(3)(b) probably permits. In particular, it appears to assume that the collection or holding of personal information under s 5B(3)(b) is sufficient to constitute the carrying on of a business under s 5B(3)(b). I do not think that the language of s 5B(3) can bear such an interpretation. As Facebook Inc correctly submitted, the requirements of ss 5B(3)(b) and (c) are cumulative. Read in the precise way that the Explanatory Memorandum suggests, s 5B(3)(b) appears to have no work to do which is not normally regarded as a likely interpretation: Project Blue Sky Inc v Australian Broadcasting Authority  HCA 28; 194 CLR 355 at  (per McHugh, Gummow, Kirby and Hayne JJ). However, the statement is still useful because it is consistent with the conclusion which flows from the objects of the Act and the terms of s 5B(3) itself: that there can be no negative implication that an organisation cannot carry on business in Australia unless it has a physical presence of some kind in Australia.
73 Of course, to say that there is no such negative implication does not take the matter very far. In particular, it does not demonstrate that Facebook Inc is carrying on business in Australia merely because it does not have any of the suggested local attributes.
74 Is it possible to conduct business in Australia without having any physical presence within the jurisdiction? The primary judge concluded that ‘the means by which entities carry on business are constantly evolving’. He then observed that many of the cases in which the concept of carrying on business was discussed were ‘decided long before the technological advances which underpin many forms of commerce’. I agree with his Honour. The concept of carrying on business must, of necessity, take its shape from the business being conducted. Whilst the indicia to which Facebook Inc points no doubt have their place, I do think that some care has to be exercised about those statements to ensure that obvious propositions about the qualities of businesses at one time are not misapplied to radically different businesses at another. Facebook Inc submitted that the primary judge had, by making these observations, stated that the test needed to be changed. It is quite clear, with respect, that his Honour said no such thing.
75 Nor do I accept the submission that the primary judge’s approach would entail that any modern business conducted on the internet with a website accessible in Australia would be carrying on business in Australia. What this case decides is only that an inference may be drawn that a firm which installs and removes cookies in Australia (and which also manages for Australian developers a credential system which is widely used in Australia) is carrying on its worldwide business of data processing in this country. Whether a particular foreign-based business providing goods or services in this country carries on business here will depend on the nature of the business being conducted and the activity which takes place in this country. There is no one size fits all answer to this question. Correspondingly, the menace of opened floodgates from which Facebook Inc was commendably keen to protect the Australian legal system, is in my view very much overstated.
76 Nor do I accept the more radical form of this submission which Facebook Inc also pursued. It submitted that what had happened in this case was the transmission of digital signals from the data centres to user devices and that the transmission had brought about a change in the digital state of the devices. As such, all that happened was that action taken outside of the jurisdiction had resulted in an effect within the jurisdiction. Mr Hutley made the submission that once this was appreciated it could be seen that the current situation was no different to a person sending a letter from overseas to Australia, with the effect that upon its receipt, the reader did something which had an economic impact.
77 The problems with this submission are first that it proves far too much, and secondly that it is, with respect, divorced from reality. It proves too much because it has the consequence that no computer-based activity in one jurisdiction can ever amount to more than an effect in computers located in another. The submission has the result that no internet business based in one jurisdiction can ever carry on business in another. Any such business will, at best, be sending electronic signals to computers within Australia which will cause effects in those computers. But, according to the submission, mere effects cannot constitute the carrying on of a business. This extreme conclusion suggests the presence within the submission of error.
78 The error is the failure to account for the reality of what the signals and effects constitute. For example, there is an obvious distinction between an overseas website which provides data to an Australian computer when requested to do so, and an application that installs executable code on that computer and then causes it be executed. Facebook Inc’s submission lumps these two quite different situations together. Whilst Facebook Inc’s description of what is occurring is not wrong, it is pitched at such a high level of generality that it is, in my respectful opinion, useless as a tool of analysis. One might also say that Facebook Inc had done no more than turn on and off vast numbers of tiny switches – a true statement since all computers operate solely by switching on and off binary digits – but the statement, whilst true, is not helpful for grasping anything about the activities which Facebook Inc is actually engaged in. By parity of reasoning, one learns little about art history by observing that Rembrandt’s The Night Watch consists of some pigments on canvas in a wooden frame.
79 It is not necessary in that circumstance to assess Facebook Inc’s submission that mere effects within Australia cannot constitute carrying on a business. This is not a case of mere effects. For the same reason, the correctness of Mr Hutley’s analogy with the postal system does not fall for consideration.
80 Facebook Inc also placed particular reliance on Gebo and Valve Corporation v Australian Competition and Consumer Commission  FCAFC 224; 258 FCR 190 (‘Valve’). In Gebo Barrett J said at :
Advances in technology making it possible for material uploaded on to the internet in some place unknown to be accessed with ease by anyone in Australia with internet facilities who wishes (or chances) to access it cannot be seen as having carried with them any alteration of principles as to the place of carrying on business developed at times when such communication was unknown. It has never been suggested that someone who by, say, letters posted in another country and addressed to recipients in Australia, seeks to interest those persons in business transactions to be entered into in the other country and in fact succeeds in concluding such transactions with some of them thereby carries on business in Australia, even though, depending on precise circumstances, the solicitation may contravene some other Australian law. There is a need for some physical activity in Australia through human instrumentalities, being activity that itself forms part of the course of conducting business.
81 The Full Court in Valve was disinclined to accept the reference to human instrumentalities. As it said at :
Although Gebo Investments concerned different statutory provisions, we consider the discussion of principles regarding carrying on business generally to be of assistance for present purposes. We do not, however, see the reference to “human instrumentalities” in the last sentence of  as laying down an inflexible rule or condition as to the circumstances in which an overseas company may be taken to be carrying on business in Australia. We would instead place emphasis on the statement at  of Gebo Investments that the case law makes clear that the territorial concept of carrying on business involves acts within the relevant territory that amount to, or are ancillary to, transactions that make up or support the business.
82 What Barrett J had said at  was this:
It is my opinion that the circumstances outlined are, of themselves, insufficient to constitute the carrying on of business in Australia. Case law makes it clear that the territorial concept of carrying on business involves acts within the relevant territory that amount to or are ancillary to transactions that make up or support the business. Many of the cases concern persons acting as agents within the jurisdiction of enterprise bases and operating outside the jurisdiction. One view has traditionally been taken where the agent within the jurisdiction has authority to bind the principal to dealings there; while another view has been taken of cases in which the agent is empowered to do no more than receive proposals or orders within the jurisdiction (often, no doubt, in response to solicitation there) and retransmit them to the principal. The distinction is discussed in several cases, including Okura & Co Ltd v Forsbacka Jernverks Aktiebolag  1 KB 715. Buckley LJ, speaking of a situation of the latter kind, there said (at p 721):
These being the facts, 101, Leadenhall Street is really only an address from which business is from time to time offered to the foreign corporation; the question whether any particular business shall or shall not be done is determined by the foreign corporation in Sweden and not by any one in London. In my opinion the defendants are not “here” by an alter ego who does business for them here, or who is competent to bind them in any way. They are not doing business here by a person but through a person. That person has to communicate with them, and the ultimate determination, resulting in a contract, is made not by the agents in London, but by the defendants in Sweden. It follows from this that one of the essential elements which must be present before a writ can be served in this country on the agent of a foreign corporation is lacking in this case. This appeal must, therefore, be dismissed.
83 The application of the test enunciated at  of Valve requires a focus on the transactions making up the business. As I explain in the next section, the transactions which make up Facebook Inc’s business of providing data processing services to Facebook Ireland include the installation and removal of cookies in Australia and the management for Australian developers of the Facebook login as part of the Graph API. I therefore do not accept that the discussion in Gebo, as qualified by what this Court said in Valve, assists Facebook Inc although I do accept that Valve requires one to identify with precision the nature of the transactions said to constitute the business.
84 Facebook Inc also submitted that the result in Valve could be distinguished from this case inter alia because there was no doubt in that case that physical assets (servers) were located in Australia. I accept this submission. The precise holding in Valve says nothing about this case. However, I do not think that this provides a good reason for not applying what was said at . In terms of outcome, I do not think that Gebo throws much light on the current situation.
The Commercial Quality of Facebook Inc’s Activities
85 For the reasons I have already given, it is open to infer that Facebook Inc has two local attributes in Australia. It is installing and removing cookies on the devices of Facebook users and it is managing the Graph API; in particular, it is managing the provision by Australian developers to Australian users (and other users too) of the Facebook login. Facebook Inc’s submission that no case has held an entity to carry on business in a jurisdiction having none of the attributes to which it points may be correct. But it is not an overly useful observation in the present context because it does not engage with the consequences of the two attributes it does actually have in Australia.
86 Characteristically, Mr Hutley sought to meet this problem head on in his address. Accepting for the sake of argument that both the installation and removal of cookies on Australian devices by Facebook Inc and its management of the Facebook login (as part of the Graph API) were activities which took place in Australia, he pointed out that these were actions which were done on behalf of Facebook Ireland. It might well be that Facebook Ireland was carrying on business in Australia but it was that business which was being carried on and not the business of Facebook Inc. All it had done was to provide services to Facebook Ireland. The business transactions making up the relationship between Facebook Ireland and Facebook Inc did not occur in Australia.
87 This submission is, with respect, correct to emphasise the need to be precise in one’s identification of the business which is being carried on. In the present context it has been said more than once that the idea of a business denotes ‘activities undertaken as a commercial enterprise in the nature of a going concern, that is, activities engaged in for the purpose of profit on a continuous and repetitive basis’: Hope v Bathurst City Council (1980) 144 CLR 1 (‘Hope’) at 8-9 per Mason J (with whom Gibbs, Stephen and Aickin JJ agreed). Subsequent authority has held that the answer to this question involves: (a) identifying what the transactions that make up or support that business are; and (b) then asking whether those transactions or the transactions ancillary to them occur in Australia: Valve at  applying Gebo at .
88 It is necessary then to turn to the transactions which make up Facebook Inc’s business of providing data processing services to Facebook Ireland. Under the Data Processing Agreement what Facebook Ireland received from Facebook Inc was data processing services. The Data Processing Agreement is silent, however, on what it was that Facebook Inc was to receive from Facebook Ireland for providing those services. It may be assumed, I think, that it was obtaining some benefit but further than that it is not necessary to go. I did not understand Mr Hutley to deny that Facebook Inc was carrying on the business of providing data processing services to Facebook Ireland. His point was not that there was no such business but rather that it was a business which inhabited the data centres in the United States and Sweden. I take to be implicit in that position an acceptance that Facebook Inc was conducting a data processing business although how Facebook Inc pursued the making of profit from that business remains obscure.
89 The transactions making up this business would therefore appear to consist of the provision of the data processing services by Facebook Inc to Facebook Ireland in return for some kind of benefit whose nature is unclear but whose lack of clarity is not said by Facebook Inc to entail that no business was being conducted.
90 Where did these transactions take place? Facebook Inc did not submit that the nature of its data processing services was such that they were not situated anywhere. As I understood it, the contention was that the data processing services were located where the data centres which provided them were situated. This was in the United States and in Sweden. Consequently, Mr Hutley denied that these services took place in Australia. Indeed, Facebook Inc explicitly relied on the proposition that its business of providing the data processing services could not have been conducted in Australia precisely because it was being conducted in data centres overseas. I return to that proposition below.
91 At this point it is necessary to emphasise the distinction between, on the one hand, the location of activities constituting the installation and removal of the cookies on Australian devices and the management for Australian developers of the Facebook login (through the Graph API) and, on the other, the business of data processing of which those activities formed part. I have dealt with the first concept above and concluded that the primary judge was correct to conclude that an inference was available that those actions took place in Australia. The question now concerns the location of the second concept, that is to say, the location of the business of data processing.
92 Mr Hutley submitted that the fact that the installation of the cookies and the management of the Facebook login (through the Graph API) took place in Australia did not entail that the business which included them was located in Australia. Whilst it was true that these services were being provided by Facebook Inc to Facebook Ireland as part of its business of providing data processing services, this was not the business which was being conducted in Australia. The only business being conducted in Australia was that of Facebook Ireland. The users and developers in Australia had contractual relations with Facebook Ireland and the revenue which was derived from them was earned by Facebook Ireland. Facebook Inc’s role in this picture was merely to provide services to Facebook Ireland in the conduct of that quite different business.
93 The essence of this submission is that Facebook Inc’s activities in Australia themselves lack a commercial quality because Facebook Inc is not engaged in any commerce in Australia. Mr Hutley submitted that the facts of this case raised the interesting question which had been left unanswered by Gibbs J in Luckins (Receiver and manager of Australian Trailways Pty Ltd) v Highway Motel (Carnarvon) Pty Ltd (1975) 133 CLR 164 (‘Luckins’). I believe that Mr Hutley is correct and that the unanswered question in Luckins is now ripe for determination. To understand the unanswered question one needs to understand a little of the facts in Luckins. (The following summary is largely borrowed from the judgment of Barrett J in Gebo at ).
94 In Luckins, the relevant question was whether a company carried on business in Western Australia (the outcome of that question affected the validity of a charge over its property which was at issue in a dispute between creditors). The company operated overland tours in Western Australia in which passengers were transported by bus and provided with food and camping accommodation purchased by the company in the fulfilment of its contractual obligations to customers. The despatch of busloads of passengers through Western Australia and the undertaking of commercial transactions there in support of their transportation (the purchase of food, fuel and accommodation) entailed the carrying on of a business in Western Australia. And this was so even though none of the tours ever started or finished in Western Australia and even though it was rare for anyone to join a tour in Western Australia (and anyone who did so always left the tour outside Western Australia). So much was held by each of the judges including Gibbs J but with a dissent by Barwick CJ. However, at 178-179 Gibbs J left unresolved this conundrum:
It is unnecessary to consider whether the company would have carried on business within Western Australia if the only relevant fact had been that its tours had proceeded through the State without receiving or depositing passengers and if its employees or agents had no dealings with persons within the State. That, however, was not the case.
95 I accept Mr Hutley’s submission that this question is essentially the same as the question now posed for this Court. Facebook Inc’s business of providing data processing services to Facebook Ireland is conducted from its data centres which are not in Australia. But an aspect of that business – the installation and removal of cookies and the management of the Facebook login through the Graph API – are activities which do take place in Australia. As with the bus company in the unanswered question above, those activities do not themselves comprise the commercial dealings which are the business. If the answer to the question posed by Gibbs J in Luckins is that the company would have carried on business in Western Australia then this will entail that Facebook Inc does carry on business in Australia.
96 Luckins does not provide the answer to this question. In fact, the question posed by Gibbs J is a particular manifestation of a more general question. This question emerges from the description given by Mason J in Hope of the nature of the carrying on of a business as a collection of ‘activities undertaken as a commercial enterprise in the nature of a going concern, that is, activities engaged in for the purpose of profit on a continuous and repetitive basis’. The concept has therefore two elements: (a) activities undertaken as a commercial enterprise as a going concern with a view to a profit; and (b) carried on in a continuous and repetitive basis. Where a company undoubtedly conducts business in one place, this two limbed definition can give rise to two distinct problems when the company then does an act or acts in another place which, however, satisfy only one of the limbs in Hope. The two problems are these:
(1) the company engages in a single commercial transaction in a place where it otherwise does not conduct business. Does the company conduct business in this place? The single transaction means that the repetition requirement in Hope is not satisfied in that place but the commerciality limb is satisfied; and
(2) the company engages in repetitive acts in the performance of its business in a place where it otherwise does not conduct business but in doing so it engages in no commercial activity. Does the company conduct business in this place? The repetition requirement in Hope is satisfied but the commerciality limb is not.
97 Question (2) is, of course, the unanswered question in Luckins and it is also the question in this case. The answer to question (1), on the other hand, is known. Indeed, it was provided by Gibbs J himself four years after Luckins in Smith v Capewell (1979) 142 CLR 509 (‘Smith’). The problem which arose in that case was different to the one in Luckins. This time there was no doubt that a business located in one jurisdiction had engaged in two single commercial acts in another jurisdiction but the question was now whether such limited and non-repetitious acts could constitute carrying on business given the repetition requirement in Hope.
98 The dispute in Smith concerned s 92 of the Constitution. Mr Capewell was charged by an officer of the National Parks and Wildlife Service with carrying on business as a skin dealer without a licence to do so under ss 124 and 125 of the National Parks and Wildlife Act 1974 (NSW) contrary to s 105(a). The skins in question were kangaroo skins. Mr Capewell operated from Charleville in Queensland (where he was licensed under Queensland legislation to sell kangaroo skins). Mr Capewell’s crime was that he had sold skins he had obtained in Queensland to two purchasers in New South Wales. The first purchaser had rejected the skins for disconformity with the contract of sale whereupon Mr Capewell had then sold the same skins to a second, less discerning, purchaser. There were therefore just two transactions in New South Wales (and only one set of kangaroo skins) although Mr Capewell undoubtedly conducted the business of a skin dealer in Queensland.
99 Gibbs J concluded that an isolated sale of kangaroo skins in New South Wales in the course of carrying on a wider interstate business of selling such skins would constitute the carrying on of a business as a skin dealer in New South Wales and hence an offence against s 105(a). He arrived at that conclusion by a close analysis of cases in which a business in one place had engaged in a single transaction in another place where it did not conduct business but as part of its business in the first place. One of these was the House of Lords decision in Cornelius v Phillips  AC 199 (‘Cornelius’) where it was held that a money lender had carried on the business of money-lending at a hotel which was not his registered address although he had effected only one transaction at the hotel.
100 Another was a South Australian decision, Lowe v Cant  SASR 333 (‘Lowe’). In that case, Mr Lowe was a milkman licensed to carry on business as a retail milk vendor in Zone 18. He lived in Zone 19. Mr Lowe was apprehended in the course of leaving two milk bottles on the verandah of Mrs Boyd who lived three doors down from him in Zone 19. He was charged with carrying on the business of a retail milk vendor other than in the zone which had been allotted to him. Leaving aside his picaresque defence that he had only been on Mrs Boyd’s premises in pursuit of his dog, he also said that leaving two milk bottles on Mrs Boyd’s verandah in Zone 19 could not constitute the carrying on of a business since it lacked the quality of repetition in Zone 19. As that argument had failed in Cornelius, it also failed in Lowe.
101 Having dealt with these authorities Gibbs J then concluded in these terms at 519:
It seems clear that a solitary transaction of sale or purchase of skins in New South Wales will only constitute an offence against s 105(a) of the Act, if the sale or purchase has been made by the defendant with the intention that it shall be the first of several transactions in a business which he thereby commences to carry on, or if it has been made in the course of a business which the defendant is carrying on elsewhere.
102 Consequently, although there were only two transactions in New South Wales they took place in the conduct of Mr Capewell’s business of selling skins in Queensland. In effect, this was a direct application of Cornelius and Lowe. Since Mr Capewell was engaged in interstate trade it followed, on the understanding of s 92 which then obtained, that s 105(a) was invalid.
103 It is difficult to see that a different approach should be taken to the second situation, i.e. where there is continuous business activity in the jurisdiction but where that activity does not result in any transactions in the jurisdiction. Just as one asks whether the single act in one jurisdiction took place in the course of the business conducted in another jurisdiction one should ask, in a case such as the present, whether the repetitive but non-commercial activity occurring in one jurisdiction took place in the course of the business conducted in the other. I would therefore answer the unanswered Luckin question ‘yes’. To put the problem in more general terms, if a company conducts business in a foreign jurisdiction and it does acts within Australia as part of that business which fall within either limb in Hope then, subject to any contrary implication arising from the statutory context, it will conduct business in Australia.
104 In this case, the business of providing data processing services is located in the data centres in the United States and Sweden. However, Facebook Inc has performed some of those data processing services in Australia. It has done so undoubtedly on a very large scale but without the generation of any revenue. But its actions here have been part of its business of providing data processing services to Facebook Ireland.
105 This entails, of course, that Facebook Inc has been conducting that business not only in the data centres United States and Sweden but also in Australia. I see no particular difficulty with that. Mr Capewell’s business was in Queensland but that did not stop it from also being in New South Wales when he sold a single kangaroo skin in that State. Mr Lowe’s business was in Zone 18 but that did not stop him from carrying on business in Zone 19 when he left the two bottles on Mrs Boyd’s verandah. In neither case did the fact that the businesses in question were now being conducted additionally in a new jurisdiction give rise to any want of logic. I do not think it gives rise to a want of logic now.
106 The primary judge was therefore correct to conclude that an inference was open that Facebook Inc was carrying on business in Australia. For completeness, I should note that the Commissioner sought to submit that Facebook Inc had been carrying on in Australia not only its business of providing data processing services to Facebook Ireland but also its own business of operating Facebook in North America. On this view, when Facebook Inc operated the Facebook platform in the rest of the world (on behalf of Facebook Ireland) this was of a direct benefit to Facebook Inc in the operation of its North American business. The submission fits comfortably with the fact that although the business of Facebook is divided between Facebook Ireland and Facebook Inc, this is not the experience of its users who perceive a single worldwide network. I do not think, however, that such a case was advanced to the primary judge and it is not the subject of the draft Notice of Contention. I do not think it is appropriate to consider it in that circumstance. I do not accept the Commissioner’s submission that this argument is within her contention that Facebook Ireland was Facebook Inc’s agent. It is quite a different argument.
107 In that circumstance, I accept that there is a prima facie case that Facebook Inc carried on business within Australia within the meaning of s 5B(3) of the Privacy Act. That conclusion, however, is not the end of the question of whether an ‘Australian link’ is present; there must also be collecting or holding of personal information by Facebook Inc.
108 As outlined above, the requirements of s 5B(3) of the Privacy Act are cumulative. Facebook Inc must not only carry on business in Australia, it must collect or hold personal information in Australia and this personal information must be the information which forms the subject matter of the acts or practices which the Commissioner complains of (see - above). What then is ‘the personal information’ which Facebook Inc is said to have collected or held, which can be used to ascertain whether an Australian link is present?
109 In this case the Commissioner has alleged that both Facebook Inc and Facebook Ireland have breached APP 6 and APP 11. The breach of APP 6 is said to be constituted by collecting personal information from Facebook users for one purpose and then using it for another. The personal information in question is the personal information provided to This Is Your Digital Life. The breach of APP 11 is said to be constituted by failing to take reasonable steps to protect personal information held by Facebook Inc and Facebook Ireland.
110 The Commissioner submitted that her case under APP 11 was sufficiently broad, such that the personal information which had not been released to This Is Your Digital Life, but had nevertheless been collected or held in Australia could be used to ascertain whether an Australian link was present. This was because the allegation that APP 11 had been breached applied not only in respect of the personal information of users which was provided to This Is Your Digital Life, but also to the personal information of the same users which was not supplied to This Is Your Digital Life. On the Commissioner’s submission, for example, if one of the users in question had supplied Facebook with personal information about their religious beliefs but this information had not been disclosed to This Is Your Digital Life, it would still be subject to her case under APP 11 (although not subject to her case under APP 6).
111 This is essentially a pleading question. Paragraph 63 of the Statement of Claim alleges that Facebook Ireland and Facebook Inc collected personal information although the nature of this information is not specified and is left general in nature. Paragraph 66 then alleges that Facebook Inc and Facebook Ireland disclosed particular categories of that personal information to This Is Your Digital Life and this is alleged in §69 to have been an infringement of APP 6. At §74 it is alleged that Facebook Inc and Facebook Ireland collected the same personal information referred to in §63, that is, generalised personal information. At §76 it is then alleged that they should have taken six steps to protect that personal information. Their failure to do so is alleged in §77 to have been a breach of APP 11.
112 On its face, the Commissioner’s submission that her case under APP 11 involves more personal information than her case under APP 6 appears correct. The case under APP 6 involves the personal information identified in §66 of the Statement of Claim, which consists of specified categories of the generalised personal information detailed in §63. The case under APP 11 appears to involve the generalised personal information referred to in §63 (through §74).
113 Facebook Inc submitted that this was not so because each of the six breaches of APP 11 alleged in §76 involved the failure to take a step that applied specifically to This Is Your Digital Life. This is no doubt true. However, it does not quite meet the Commissioner’s point. For example, the fifth alleged breach (at §76.5) was to the effect that Facebook Inc and Facebook Ireland should have implemented measures to ensure that any consent to disclose the personal information of the affected users ‘was obtained directly from those Affected Australian Individuals’. I do not accept that this alleged breach of APP 11 is concerned only with the personal information of those users which was provided to This Is Your Digital Life. This allegation is not limited in its effect to the personal information which was in fact disclosed. It is also worth noting that the allegation turns on the position of ‘Affected Australian Individuals’ which §45 and §64 together define as the installers of the app and the friends of those installers whose information the app requested (as distinct from received). Accordingly, I accept the Commissioner’s submission.
114 The consequence of this is that the personal information which is to be considered for the purposes of assessing whether Facebook collected or held personal information in Australia (and thus whether an Australian link is present) includes all of the personal information collected or held by Facebook Inc and Facebook Ireland for those individual users, some of which was provided to This Is Your Digital Life.
115 The Commissioner submitted to the primary judge, and his Honour accepted, that an inference could be drawn that Facebook Inc both collected and held that personal information in Australia. On the application for leave to appeal, Facebook Inc challenged both of these conclusions.
116 The word ‘collects’ is defined in s 6 of the Privacy Act in the terms:
Collects: an entity collects personal information only if the entity collects the personal information for inclusion in a record or generally available publication.
117 As such, the collection of personal information will not constitute ‘collection’ within the meaning of s 5B(3)(c) if all that has happened is a bare act of collection; there must be a collection for inclusion in ‘a record or generally available publication’. Whilst the definition does not require collection in Australia, when the question is whether an organisation has an Australian link within the meaning of s 5B(3) the terms of that provision require the collection of the personal information to take place in Australia. Consequently, the Commissioner was obliged to show that there was a prima facie case that:
(1) there was an act of collection by Facebook Inc;
(2) which took place in Australia; and
(3) the personal information so collected was intended for inclusion in a record (the Commissioner did not rely upon the ‘generally available publication’ limb of the definition in s 6).
118 The Commissioner’s case on these matters was twofold. First, she submitted that Facebook Inc directly collected the personal information in Australia for inclusion in a record; secondly, she submitted that it did so constructively through Facebook Ireland.
119 The Commissioner submitted that an inference was open to be drawn that Facebook Inc directly collected the personal for three reasons. These were:
(1) Caching servers. The Commissioner submitted that an inference was open that Facebook Inc operated caching servers in Australia and that a further inference could be drawn that the personal information had been collected by it using those caching servers with a view to it being stored on servers within the data centres in the United States and Sweden;
(2) Cookies. The Commissioner submitted that an inference was open that Facebook Inc has installed cookies on the devices of Australian users and that it had used those cookies to collect the personal information and to store it on users’ devices or in their browser caches; and
(3) Instantaneous transfer. The Commissioner submitted that an inference was open that the personal information was in practice instantaneously transferred to Facebook Inc’s data centres at the time the data was provided to Facebook Ireland by the user.
120 It is convenient to deal with these in the above order.
121 The Commissioner asked Facebook Inc and Facebook Ireland a number of questions on 2 May 2019. The covering letter which accompanied Facebook Inc’s response said that ‘we use “Facebook” to refer to all relevant Facebook entities’. Facebook Inc and Facebook Ireland gave this answer to one of the questions:
Question: Identify the location and the owner of the servers used by Facebook Ireland to provide the service in paragraph 5 above?
Answer: For the purposes of this response, we have assumed that the term “servers” has been used to refer to computers on which data or content is stored and made available for access by users. User content and applications used to deliver the Facebook service are stored in various data centres around the world. Facebook group companies own or lease data centres in the United States, Ireland (Clonee), Sweden (Lulea), Denmark (Odense) and Singapore. Taking a simplified view of our architecture, data centres store full copies of user data as well as the full suite of applications and services used for the Facebook service. Like other global technology companies, Facebook relies on other types of equipment (such as network equipment and caching servers) which operate to reduce latency and transaction times for geographically proximate users (including in Australia). These modes improve connection and delivery times, but do not otherwise store data.
122 The Commissioner submitted that one could infer from the reference to ‘geographically proximate users’ that there were caching servers in Australia. The primary judge accepted this contention. Although Facebook Inc denied this in the present hearing, I do not think that the primary judge erred in accepting that this inference was open. Given that the purpose of caching servers is to overcome latency issues caused by the tyranny of distance and given also Australia’s unique position as a large island nation in the Southern Hemisphere, it is plainly open to infer that there are caching servers situated in Australia. For example, it is obvious that the caching servers which assist in the provision of the Facebook service to Australian users are not likely to be located in Sweden or the United States. Whilst it is possible that Facebook (here I speak generally) has the caching servers for Australia somewhere else nearby – perhaps New Guinea or New Zealand – it seems more plausible that they are situated in Australia. In my view, this inference is comfortably available.
123 There were then two further debates between the parties. First, was there a prima facie case that Facebook Inc operated these caching servers? Secondly, if there was such a case, was any of the personal information collected by Facebook Inc collected using these caching servers?
Who operated the caching servers?
124 The answer given above did not identify which Facebook entity was operating the caching servers, saying only that it was ‘Facebook’. The Commissioner, however, submitted, and the primary judge was inclined to accept, that because the covering letter which had accompanied its answers to the Commissioner had defined ‘Facebook’ as ‘all relevant Facebook entities’ it could be inferred that the caching servers were operated by Facebook Inc. Facebook Inc, after all, is a ‘Facebook entity’.
125 Facebook Inc took issue with this. It submitted that the evidence did not justify the drawing of such an inference. It argued that the answer it had given simply did not identify Facebook Inc as the operator of the caching servers. Mr Hutley submitted that there were many Facebook entities in many jurisdictions and there was no more reason to think that the reference to ‘Facebook’ in its answer was a reference to Facebook Afghanistan (assuming there was such an entity) than that it was a reference to Facebook Inc.
126 Whilst I think that it may be possible to infer that Facebook Inc has a somewhat more central role in the administration of the Facebook group of companies than does perhaps Facebook Afghanistan, I do not think that that observation can, at the end of the day, blunt the force of Mr Hutley’s submission. If there were only two or three Facebook entities it might well be a different question. One might well infer from such a situation, at least for the purposes of an application for service out of the jurisdiction, that the reference might well be to Facebook Inc. But that is not the situation, and the line-up of Facebook entity suspects is far too long to allow the drawing of the inference. In that regard, I respectfully differ from the primary judge.
127 Perhaps apprehending that the letter of 28 May 2019 provided only weak support for the inference the Commissioner sought to have drawn, she called up by way of reinforcement some other evidence to which the primary judge did not refer. (It is unclear whether his Honour was taken to this evidence or not but nothing turns upon this – Facebook Inc did not submit that this particular manoeuvre by the Commissioner was unavailable on appeal). Dr Higgins took the Court to an answer given by Facebook Ireland to the Commissioner in a letter dated 17 January 2020. The letter began with a discussion of who, for the purposes of the answers which then followed, ‘Facebook’ was. The discussion was contained in a section headed ‘Note 1’. It was in these terms:
In this document, references to “Facebook” and pronouns such as “we” and “us” refer, as applicable, are to Facebook Ireland Limited (Facebook Ireland) (in its capacity as the provider of the Facebook service to Australian Users) and/or Facebook, Inc. (Facebook Inc) (in its capacity as data processor for Facebook Ireland in relation to the provision of the Facebook service to Australian Users). In addition, references to the “Facebook service” are to the social media platform made available to Australian Users at facebook.com and via an application for mobile devices and tablets. This includes the platform that Australian Users are re-directed to via www.facebook.com.au.
128 Further into the document, Facebook Ireland indicated that it used a ‘network of caching servers around the world to temporarily hold high-demand content (e.g. frequently requested photos or videos) for the sole purpose of ensuring that it could be more quickly delivered to Users in different locations. The caching process was dynamic and the content held on the caching servers was continually updated and refreshed based on relevant user actions and requests. No information about Australian Users was permanently stored on the caching servers’.
129 The Commissioner had then asked Facebook Ireland who owned or leased the caching servers to which this answer was given:
The network of caching servers used to provide the Facebook service to Australian users was owned or leased by a combination of Facebook entities and third party managed service providers.
130 The Commission submitted that the reference to ‘Facebook entities’ should be taken to be a reference to Facebook Ireland and Facebook Inc because ‘Facebook’ had been defined in Note 1 to mean those two entities. I do not accept this submission. As a matter of ordinary language I do not read the ‘Facebook entities’ in the way suggested. Indeed, as Mr Hutley pointed out (T87.4-38) that the expression ‘Facebook entity’ was used elsewhere in the same response where it was clear that it could not be a reference to Facebook Ireland or Facebook Inc. For example, another question asked Facebook Ireland to identify ‘all Facebook entities’ which stored personal information of Australian users. Facebook Ireland responded, inter alia, ‘The processing of information about Australian Users stored in data centres was exclusively under the control of Facebook Ireland and not any other Facebook entity’. This makes clear that the expression ‘Facebook entity’ was not intended by Facebook Ireland to be a reference to Facebook Ireland or Facebook Inc. I do not think that the Commissioner’s contention to the contrary is viable and I do not accept that it is open to infer from the answer that Facebook Inc was operating the caching servers.
131 Since it was not said that there was any further material going to this issue, it follows that I do not accept that it is open to infer that the caching servers in Australia were operated by Facebook Inc.
In any case, was any of the personal information collected by Facebook Inc collected using the caching servers?
132 Given that I do not accept that it is open to infer that the caching servers in Australia were operated by Facebook Inc, it is strictly unnecessary to consider a further argument put by Facebook Inc as to why that inference should not be drawn. However, since it was argued I will record that I do not accept it. The argument went as follows: the evidence before the Court also included the Data Processing Agreement which showed that all of Facebook Inc’s data processing activities took place in the data centres in Sweden and the United States. Those data centres were not owned by Facebook Inc but rather by other entities within the group. These entities were Siculus Inc, Andale Inc, Vitesse LLC, Facebook Operations LLC and Pinnacle Sweden AB. Facebook Ireland had been asked to provide the names of any Facebook entities which ‘stored any personal information of Australian users’. It did not provide the name of Facebook Inc. Instead, it provided the names of the operating entities just referred to who owned or leased the data centres from which Facebook Inc conducted its data processing activities. Consequently, so Facebook Inc submitted, the evidence suggested that Facebook Inc could not be operating the caching servers.
133 The fact, however, that Facebook Inc’s data processing activities took place in the data centres does not displace the inference that the personal information was collected by the caching servers. It might be different if there were evidence that the operation of the caching servers was part of the data processing services provided in the data centres. In that circumstance, I would agree with Facebook Inc that this would then suggest that any collection was effected by Siculus Inc, Andale Inc, Vitesse LLC, Facebook Operations LLC and Pinnacle Sweden AB. However, I did not apprehend there to be any such evidence. Further, Facebook Inc did not go so far as to contend that the operation of the caching servers was, in fact, part of the data processing services. This was for obvious reasons. To do so would have cut across both its case that it was not operating the caching servers and its more general case that it was not conducting its data processing business in Australia.
134 Accordingly, I accept that the primary judge erred in concluding that it could be inferred that Facebook Inc was operating the caching servers. As such, it is not necessary to consider the further question of whether any of the personal information collected by Facebook Inc utilised these caching servers.
135 The primary judge concluded that there was a prima facie case that Facebook Inc had collected and stored the personal information through the installation of cookies and had done so in Australia: J. Facebook Inc submitted that the Commissioner had made no such submission to the primary judge, but that point did not form part of the grounds disclosed in the draft notice of appeal and no further mention of this observation need be made.
136 Facebook Inc’s first substantive contention about the primary judge’s treatment of the topic of cookies related to what it said was an absence of technical evidence about cookies before his Honour. In particular, it was said that there was no technical evidence as to: (i) how the cookies were alleged to have collected or stored information (of whatever kind); (ii) whether any information which was in fact stored by a cookie was the personal information the subject of the proceedings; and (iii) how any collection or storage of the information could be said to have taken place in Australia. Dealing with these separately:
How were the cookies alleged to have collected or stored information?
137 In the reasons above dealing with why an inference is available that Facebook Inc carried on business in Australia, I have explained my reasons for concluding that cookies were installed (and removed) on the devices of Australian users by Facebook Inc. For the reasons given there, it was not necessary to rely upon technical evidence to draw that inference, which was available on the face of Facebook Inc’s own documents. As I shortly explain, it is clear from the fact that the cookies are involved in the process of creating targeted advertising that an inference must be available that they were used for the collection of personal information.
Was any information collected and stored the personal information the subject of the proceedings?
138 Facebook Inc’s contentions about this depended for their efficacy on the notion that the personal information in question was the personal information which had been disclosed by This Is Your Digital Life. However, as I have previously explained, because of the way that the Commissioner advanced her case in relation to APP 11, the personal information involved was, in fact, not limited to the personal information which was in fact disclosed to This is Your Digital Life.
139 Next, Facebook Inc submitted that the evidence did not support an inference that the cookies which were installed on users’ devices were used to collect the users’ personal information. This submission involved a close parsing of the relevant portion of the 2013 Data Use Policy (set out above at -). What it said was that ‘technologies like cookies, pixels and local storage’ were used ‘to do things like … enable features and store information about you (including on your device or in your browser cache)’. The submission was that one could not conclude from this that it was the cookies which were used to store information about the user on their device. It was equally likely that it was the pixels or the local storage that were used to perform these activities.
141 For completeness, whilst it is perhaps too obvious to require stating, it should be noted that it may readily be inferred that Facebook Inc (on behalf of Facebook Ireland) targeted advertisements at the users whose personal information was provided to This Is Your Digital Life. It was not submitted that such an inference could not be drawn. Hence, it may also be inferred that Facebook Inc used cookies in that endeavour and collected personal information from those users. It is that personal information which is the subject of the Commissioner’s case under APP 11. There is no question, therefore, that the information collected included the personal information the subject of the Commissioner’s allegations.
Did collection and storage take place in Australia?
142 Facebook Inc submitted that there was no evidence that the cookies in question required or involved the storage of information in Australia. I reject this submission. Facebook Inc’s description of the activity as the installation upon terminal devices of cookies provides a prima facie case that the cookies were installed in Australia. I do not see how, having been installed on a device which is in Australia, the information collected by them could take place in any place apart from those devices.
143 In that circumstance, no error is shown in the primary judge’s conclusion that it could be inferred that Facebook Inc collected the personal information in Australia by means of cookies which it installed on the devices of Australian users.
Instantaneous transfer of personal information
144 There is no dispute that as a matter of formality Facebook Ireland provided the Facebook service to Australian users and was responsible for all of the processing of the personal information of those users. This processing was performed on its behalf by Facebook Inc under the Data Processing Agreement in data centres in Sweden and the United States. The agreement was explicit that the data was transferred by Facebook Ireland to Facebook Inc. This formed the basis for a submission by Facebook Inc that it could not have collected the personal information the subject of the proceedings because it had already been collected by Facebook Ireland before it was transferred to Facebook Inc under the Data Processing Agreement.
145 The primary judge was not disposed to accept this perspective on events. At J he said this:
It is arguable in the present context that multiple entities can collect the same information. Facebook Inc’s submission that Facebook Ireland collects the information and that, at the time it transfers the information to Facebook Inc for processing, the process of collection is complete, might conform to the words in or ideas generated by the relevant contracts, but it does so at the expense of reality; see also:  above.
146 His observations at J were in these terms:
It is relevant to note in this context that Facebook Inc performed the data processing for all users, wherever situated. The Facebook service links users all over the world. Facebook Inc contracted with North American users and those users authorised Facebook Inc to install, operate and remove cookies. Other users authorised Facebook Ireland to do so. The uploading of data to the Facebook website by a user and the processing of data must occur effectively simultaneously. Although the Data Transfer and Processing Agreement refers to the “transfer” of data by Facebook Ireland to Facebook Inc, it is unrealistic to think that data is first provided by a non-North American user to Facebook Ireland and then transferred to Facebook Inc where it is subsequently processed. The inference is available that data uploaded by an Australian user is received instantaneously by Facebook Inc directly from the user.
147 Facebook Inc submitted that the inference in the last sentence was not available. The Commissioner on the other hand supported the primary judge’s reasoning and drew attention to the fact, noted by the primary judge at J (but only as a submission), that the answers which had been given by Facebook Inc and Facebook Ireland were astute never to say which entity had actually collected a user’s personal information.
148 Whilst I accept that the answers given by Facebook Inc and Facebook Ireland have been drawn with great care and are obscure on the identity of the actual entity which, at a technical level, collected personal information from Australian users, I do not think that this studied obscurity may be used against Facebook Inc. As it correctly observed, on an application for service out of the jurisdiction it is the Commissioner who bears the burden of proof. This is not a situation where, for example, one can draw an inference adverse to Facebook Inc from its silence. It was not obliged to do any more than answer the Commissioner’s questions. What the Commissioner is able to do with the answers she has obtained is, at the end of the day, her own problem. Assuming in favour of the Commissioner, without deciding the point, it might be said that trying to locate who is actually running the Facebook platform from the answers given by Facebook Inc and Facebook Ireland has much in common with Where’s Wally. Nevertheless, it is not any part of Facebook Inc’s role on an application such as the present to answer that question.
149 It is for this reason that whilst I was initially attracted by Dr Higgins’ observation (T69.42-44) that there was no suggestion that Facebook Ireland maintained separate storage facilities in Australia, I do not think that the submission can succeed. Here the thinking was that if Facebook Ireland had no separate storage facilities in Australia then mystery lay in how it could be collecting the personal information in Australia. Dr Higgins’ submission, with respect, conceals a suppressed premise that any acts of collection by Facebook Ireland must occur in Australia but the correctness of that premise is far from obvious.
150 This means that the correctness of the primary judge’s inference that Facebook Inc instantaneously received the personal information at the same time as Facebook Ireland stands to be determined on its own terms. His Honour at J thought it was unrealistic to think that data is first provided by non-North American users to Facebook Ireland and then transferred to Facebook Inc where it is subsequently processed. With respect, I do not think this is unrealistic. It is what is expressly contemplated by the Data Processing Agreement. The primary judge at J thought that the uploading of the personal information and its processing by Facebook Inc had to occur simultaneously. I am not sure why this must be so. The Commissioner did not point to any evidence that indicated that the uploading of personal information and its processing had to be simultaneous. To my mind, this proposition is also far from obvious. For example, the targeting of advertising need not occur the instant new information is uploaded by a user. Nor is it obvious why, for example, in assessing whether Person A might be known to Person B because they have in common as friends Persons C and D, this is something which must occur instantaneously either. I would be prepared to infer that data processing must occur reasonably promptly but such an inference would be consistent with the Data Processing Agreement operating in accordance with its terms.
151 Consequently, I conclude that the primary judge erred in thinking that an inference was available that Facebook Inc had to collect the personal information of Australian users. Facebook Inc’s submission that it received the personal information of Australian users from Facebook Ireland at its data centres should be accepted. There is no material which would allow the inference to be drawn that the Data Processing Agreement did not take effect in accordance with its terms.
Conclusions on direct collection
152 The primary judge erred in concluding that an inference was open that Facebook Inc collected the personal information the subject of the claim under APP 11 by reason of the caching servers. In my respectful opinion, his Honour also erred in concluding that an inference was open that Facebook Inc collected the personal information by reason of the need for it to be collected simultaneously by both Facebook Inc and Facebook Ireland. However, his Honour did not err in concluding that an inference was open that the personal information was collected by Facebook Inc by means of cookies installed on Australian devices or that in doing so, it collected the personal information in Australia.
153 The determination that the primary judge did not err in this conclusion makes it unnecessary to consider whether Facebook Inc also collected the information constructively through Facebook Ireland. The primary judge did not deal with this point but it is the subject of ground 2 of the Commissioner’s draft Notice of Contention. Since I have concluded that the primary judge was correct to conclude that an inference was open that Facebook Inc directly collected the personal information it is not necessary to deal with this issue.
154 The definition of ‘collects’ means that it is possible for an entity to collect information without holding it. By contrast the definition of ‘holds’ in s 6 is in these terms:
Holds: an entity holds personal information if the entity has possession or control of a record that contains the personal information.
155 The reference to ‘possession or control’ opens up the possibility that more than one person may be in possession or control of the information. The word ‘possession’ can include a right to possession: Gamer’s Motor Centre (Newcastle) v Natwest Wholesale Australia (1987) 163 CLR 236 at 245 per Mason CJ, citing Mills v Charlesworth (1890) 25 QB 421 at 425; Pollock and Wright, An Essay on Possession in the Common Law (Law Press, 1990) at 119. It is not difficult to see that one person might hold information subject to the control of another or to which another has an immediate right.
156 The Commissioner submitted that even if the caching servers were being operated by another Facebook entity which was not Facebook Inc so that her case on collection by means of the caching servers failed, an inference was nevertheless open that any such entity was holding the personal information subject to the control of Facebook Inc. The primary judge accepted this argument at J:
The Commissioner submitted that the phrase “possession or control” included control though an agent and that control need not be exclusive. The Commissioner submitted it was reasonably arguable that, to the extent that Australian users’ personal information was physically located in caching servers in Australia, those caching servers were arguably controlled by Facebook Inc, such that Facebook Inc held personal information in Australia for the purposes of s 5B(3)(c). I accept that argument.
157 There is, with respect, a slight puzzle about this. The primary judge had, by this point, accepted that an inference was open that the caching servers were operated by Facebook Inc. The case under consideration here proceeds upon an assumption that some other entity was operating the caching servers albeit under the control of Facebook Inc. There is not necessarily an inconsistency in that conclusion. The primary judge may be taken to have approached the matter on the basis that Facebook Inc was either operating the caching servers or some other entity under its control was. On that view, one might conclude that a prima facie case was made out in relation to the caching servers.
158 The difficulty, however, is the agency his Honour refers to in J. Facebook Inc submitted that there was no evidence about the relationship between whatever entity was operating the caching servers and Facebook Inc. I accept that submission. The highest that the matter can be put is that Facebook Inc was the head company of the group and could presumably have secured adherence to its views if it wished to do so. However, I do not think it is open to infer on the basis of that matter alone that Facebook Inc held the information within the caching servers.
159 Although it does not matter in light of that conclusion I should indicate for completeness that I do not accept Facebook Inc’s submission that the personal information the subject of the proceedings was not held in the caching servers. If the case were limited to the personal information the subject of the claim under APP 6 there might be some force in the argument. But it cannot succeed in relation to the case under APP 11 where the breadth of the personal information involved makes it more than arguable that some of it must have been stored on the caching servers.
160 The primary judge concluded that Facebook Inc had used cookies to store the personal information on the devices of Australian users and had therefore held the personal information in those devices. Facebook Inc submitted that it could not be in possession or control of those devices. The definition of ‘holds’ in s 6 requires that Facebook Inc should be in possession or control of a ‘record’ which contains personal information. ‘Record’ is defined in s 6 in this way:
(a) a document; or
(b) an electronic or other device;
but does not include:
(d) a generally available publication; or
(e) anything kept in a library, art gallery or museum for the purposes of reference, study or exhibition; or
(f) Commonwealth records as defined by subsection 3(1) of the Archives Act 1983 that are in the open access period for the purposes of that Act; or
(fa) records (as defined in the Archives Act 1983) in the care (as defined in that Act) of the National Archives of Australia in relation to which the Archives has entered into arrangements with a person other than a Commonwealth institution (as defined in that Act) providing for the extent to which the Archives or other persons are to have access to the records; or
(g) documents placed by or on behalf of a person (other than an agency) in the memorial collection within the meaning of the Australian War Memorial Act 1980; or
(h) letters or other articles in the course of transmission by post.
161 It is clear from subsection (b) of the definition that a user’s device may be a ‘record’. Further, there is no particular difficulty in seeing that a user’s device upon which personal information has been stored by means of a cookie is a record which contains personal information. However, can it be said that Facebook Inc is in possession or control of the user’s device? Other than to repeat her submissions as to why the cookies were involved in the collection of the personal information, the Commissioner did not really meet Facebook Inc’s argument about this. It is, I think, clear that Facebook Inc could not be in possession of the devices of Australian users. It has neither actual possession nor constructive possession of those devices. For example, it plainly could not maintain a claim for conversion or trespass to goods in relation to any device. To my mind, it is less clear that it cannot relevantly be in control of the devices. Here the thinking would be that Facebook Inc had installed the cookies and was responsible for removing them. In that sense, it had at least that measure of control over the devices. There may be answers to this, however. It may be that when one examines closely the permissions on users’ devices all of this activity may be seen to be done with the authority of the owner of the device and therefore for the element of control to be absent. It is not necessary to express a concluded view on this matter because the Commissioner did not contend in this part of her case that Facebook Inc was in control of the devices. In that circumstance, I do not think that Facebook Inc’s submission about this matter has been met by the Commissioner which leaves me with no procedurally fair of way rejecting it. I therefore accept that it was not open to infer that Facebook Inc held personal information on users’ devices in Australia because no explanation has been given of how Facebook Inc could be in control of the devices of Australian users.
162 In light of these matters, I do not think that the primary judge was correct to conclude that an inference was open that the personal information was held by Facebook Inc. However, because it may be inferred that Facebook Inc did collect the personal information in Australia for inclusion in a record this is not material to the outcome.
163 The primary judge was correct to conclude that an inference was available that Facebook Inc was carrying on business in Australia and that it collected in Australia the personal information which is the subject of the Commissioner’s case under APP 11. There was therefore a prima facie case that an Australian link was present and therefore that the Privacy Act applied to extra-territorial conduct by Facebook Inc. In that circumstance, his Honour was correct to refuse Facebook Inc’s application to set aside service upon it.
164 I have mentioned ground 2 of the Commissioner’s draft Notice of Contention above at . By ground 1 of her draft Notice of Contention, the Commissioner sought to uphold the primary judge’s conclusions on the basis of an argument his Honour rejected. This was that Facebook Ireland and Facebook Inc were in truth conducting a single business which was the Facebook platform. Given that the appeal is to be dismissed it is not necessary to deal with this contention.
(1) Grant the Applicant leave to appeal on the terms of the draft notice of appeal.
(2) Direct that the notice of appeal be filed within 7 days hereof.
(3) Direct that the Respondent file her Notice of Contention within 7 days of the filing of the notice of appeal.
(4) Appeal dismissed.
(5) The Appellant pay the Respondent’s cost of the appeal (including the costs of the application for leave to appeal).
Dated: 28 January 2022
REASONS FOR JUDGMENT
166 I agree with the reasons for judgment prepared by Perram J and with the orders proposed by his Honour.
I certify that the preceding one (1) numbered paragraph is a true copy of the Reasons for Judgment of the Honourable Justice Yates.
Dated: 7 February 2022