FEDERAL COURT OF AUSTRALIA
FACEBOOK IRELAND LIMITED
DATE OF ORDER:
THE COURT ORDERS THAT:
1. Pursuant to s 37AI of the Federal Court of Australia Act 1976 (Cth), on the ground set out in s 37AG(1)(a), until the conclusion of the first case management hearing at which the first and second respondents appear, or further order, the information in the following documents is not to be disclosed or published other than to the Court, the parties and their legal representatives:
(a) the following parts of Exhibit SJH-1 to the affidavit of Sophie Jane Higgins made on 9 April 2020:
(i) Tab 2;
(ii) Tab 4;
(iii) Tab 6;
(iv) Tabs 8-11;
(v) Tab 14 (parts highlighted in red on pages 340-341, 344-352);
(vi) Tab 14.1 (parts highlighted in red on pages 355-356);
(vii) Tab 14.3 (parts highlighted in red on pages 478, 480);
(viii) Tab 14.4 (parts highlighted in red on pages 481-482);
(ix) Tab 14.6 (parts highlighted in red on pages 486-489); 1.1.10. Tab 14.7 (parts highlighted in red on pages 492-493);
(x) Tab 14.8;
(xi) Tab 15 (parts highlighted in red on pages 499-501, 509-511, 536-537);
(xii) Tab 18.3;
(xiii) Tab 18.4;
(b) the confidential annexure to the statement of claim filed on 9 March 2020.
2. Pursuant to r 10.42 and r 10.43(2) of the Federal Court Rules 2011 (Cth) (Rules), the applicant be granted leave to serve:
(a) the originating application, statement of claim (excluding the confidential annexure) and concise statement filed on 9 March 2020;
(b) the interlocutory application;
(c) the affidavit of Adam Ian Zwi of 9 April 2020 (without annexures);
(d) the affidavit of Sophie Jane Higgins of 9 April 2020 (without exhibit);
(e) applicant’s written submissions of 9 April 2020; and
(f) any orders made by the Court on the hearing of this interlocutory application and any reasons for judgment, (together, Documents),
on the first respondent in the United States of America, in accordance with art 5 of the Convention on the Service Abroad of Judicial and Extrajudicial Documents in Civil or Commercial Matters, done at the Hague on 15 November 1965 (Hague Convention).
3. Pursuant to r 10.42 and r 10.43(2) of the Rules, the applicant be granted leave to serve the Documents on the second respondent in the Republic of Ireland:
(a) in accordance with art 5 of the Hague Convention; and
(b) by sending the Documents to the registered address of the second respondent in accordance with s 51(1) of the Companies Act 2014 of Ireland and art 10(a) of the Hague Convention.
4. Pursuant to r 10.24 of the Rules, the applicant may serve the Documents on the first respondent by sending the Documents by email to Ms Peta Stevenson (firstname.lastname@example.org) and Mr Luke Hawthorne (email@example.com) of King & Wood Mallesons.
5. Pursuant to r 10.24 of the Rules, the applicant may serve the Documents on the second respondent by sending the Documents by email to:
(a) Ms Peta Stevenson (firstname.lastname@example.org) and Mr Luke Hawthorne (email@example.com) of King & Wood Mallesons; and
(b) Ms Yvonne Cunnane of the second respondent (firstname.lastname@example.org).
6. The first and second respondents file a notice of address for service in accordance with r 5.02 of the Rules within 14 days after service upon them of the originating application.
Note: Entry of orders is dealt with in Rule 39.32 of the Federal Court Rules 2011.
1 The Australian Information Commissioner commenced this proceeding against Facebook Inc and Facebook Ireland Limited on 9 March 2020 alleging contraventions of s 13G of the Privacy Act 1988 (Cth) as in force on 5 November 2018. The proceeding was commenced by the filing of an originating application, a concise statement and a statement of claim. In her originating application, the Commissioner seeks declarations under s 21 the Federal Court of Australia Act 1976 (Cth) (FCA Act) and civil pecuniary penalties under s 80W of the Privacy Act.
2 The Commissioner alleges that, from 12 March 2014 to 1 May 2015, Facebook Inc and Facebook Ireland did an act, or engaged in a practice, that was a serious or repeated interference with the privacy of approximately 311,127 Australian Facebook users, contravening paragraphs (a) and (b) of s 13G of the Privacy Act.
3 Neither of the respondents has yet been served personally with any document in the proceedings. Facebook Inc is a company incorporated in Delaware and based in California in the United States of America. Facebook Ireland is a company based in the Republic of Ireland.
4 By an ex parte interlocutory application dated 9 April 2020, the Commissioner seeks orders under r 10.42 and r 10.43(2) of the Federal Court Rules 2011 (Cth) granting her leave to serve various documents on Facebook Inc and Facebook Ireland in accordance with art 5 of the Convention on the Service Abroad of Judicial and Extrajudicial Documents in Civil or Commercial Matters, done at the Hague on 15 November 1965 (Hague Convention). The documents which the Commissioner seeks leave to serve are the originating application, the concise statement, the statement of claim, the interlocutory application, the various affidavits relied upon, the written submissions and the orders of the Court on the hearing of the interlocutory application together with these reasons for judgment (the Court Documents).
5 The Commissioner also sought orders for substituted service under r 10.24.
6 Before turning to whether those orders should be made, it is necessary to deal with a preliminary matter, namely whether interim suppression or non-publication orders should be made.
B INTERIM SUPPRESSION OR NON-PUBLICATION ORDERS
7 The Commissioner applied for interim suppression and non-publication orders under s 37AF and s 37AI of the FCA Act prohibiting the publication or disclosure (other than to the Court, the parties and their legal representatives) of certain information which Facebook Inc and Facebook Ireland claimed was confidential information and which they provided to the Commissioner during her preliminary inquiries and subsequent investigation under s 42(2) and s 40(2) of the Privacy Act.
8 The Commissioner relies upon the claimed confidential information in support of her interlocutory application seeking leave to serve the respondents outside Australia. The Commissioner submitted that it was appropriate for her to seek the interim suppression order pending the respondents being served with the originating application because the respondents have indicated their position that the information is confidential on the basis that it is: about the respondents’ commercial operations that is secret or known only to a limited group; potentially damaging to the respondents’ business if it is accessible by a competitor; or not public and may indirectly identify individuals. Searches made by the Commissioner have not suggested that the information is in the public domain.
9 Section 37AI of the FCA Act provides the Court with the power to make an interim suppression order, without determining the merits of the application, to have effect until the application is determined. Section 37AI provides:
1 If an application is made to the Court for a suppression order or non-publication order, the Court may, without determining the merits of the application, make the order as an interim order to have effect, subject to revocation by the Court, until the application is determined.
2 If an order is made as an interim order, the Court must determine the application as a matter of urgency.
10 The Commissioner applies for orders under s 37AF, on the ground identified in s 37AG(1)(a), for the purpose of engaging the requirement in s 37AI that there be an application for a suppression or non-publication order. It is permissible and appropriate for a party making an ex parte application to adopt this course in order to preserve and not frustrate a known claim for confidentiality of a person against whom the ex parte relief is sought. Such a course is consistent with s 37AG(1)(a).
11 I am satisfied it is appropriate on the evidence adduced to make interim orders under s 37AI, effective until the conclusion of the first case management hearing at which the respondents appear.
C SERVICE OF DOCUMENTS OUTSIDE OF AUSTRALIA
C.1 Relevant provisions of the FCR
12 Rule 10.42 provides that, subject to r 10.43, an originating application may be served on a person in a foreign country in a proceeding that consists of, or includes, any one or more of the kinds of proceeding mentioned in the table in the rule.
13 Rule 10.43(2) provides:
A party may apply to the Court for leave to serve an originating application on a person in a foreign country in accordance with a convention, the Hague Convention or the law of the foreign country.
14 Rule 10.43(4) provides that, for r 10.43(2), the party must satisfy the Court of three matters, namely that:
(1) the Court has jurisdiction in the proceeding;
(2) the proceeding is of a kind mentioned in r 10.42;
(3) the party has a prima facie case for all or any of the relief claimed in the proceeding.
15 Rule 10.44 provides for the same requirements in relation to an application by a party for leave to serve a document filed in or issued by the Court other than an originating application.
16 Rule 10.43(3) provides:
The application under subrule (2) must be accompanied by an affidavit stating:
(a) the name of the foreign country where the person to be served is or is likely to be; and
(b) the proposed method of service; and
(c) that the proposed method of service is permitted by:
(i) if a convention applies — the convention; or
(ii) if the Hague Convention applies — the Hague Convention; or
(iii) in any other case — the law of the foreign country.
17 The interlocutory application was accompanied by an affidavit complying with r 10.43(3). The affidavit of Mr Zwi stated that Facebook Inc was in the USA and that Facebook Ireland was in the Republic of Ireland. The proposed method of service of Facebook Inc was stated to be by:
(1) applying to the Registrar, in the Registrar’s capacity as a forwarding authority under the Hague Convention, for a request for service in the USA under the Hague Convention of the Court Documents upon Facebook Inc, pursuant to r 10.64;
(2) providing to the Registrar three copies of each of the following documents:
(a) a draft request for service abroad of judicial documents and certificate, in accordance with Form 25, being the form of model letter of request and certificate of service prescribed by the Court;
(b) the Court Documents;
(c) a summary of the documents to be served, in accordance with Form 26;
(d) a written solicitor’s undertaking to be personally liable for all costs incurred by the Registrar, in accordance with r 10.64(3);
(3) the Registrar, if satisfied, signing the requests for service abroad and forwarding copies of the relevant documents to ABC Legal Service (ABC Legal), contractor for the US Department of Justice, Civil Division, Office of International Judicial Assistance, for service upon Facebook Inc in accordance with the Hague Convention, pursuant to r 10.65;
(4) ABC Legal serving the documents by way of formal service, in accordance with the provisions of subparagraph (a) of the first paragraph of art 5 of the Hague Convention, by a method prescribed by the USA’s internal law for the service of documents in domestic actions upon persons who are within its territory. The Hague Convention website page relating to USA describes the prescribed methods as follows:
Formal Service (Art 5(1)(a))
Personal service is the method used by ABC Legal Services (ABC Legal) in executing all requests.
(5) upon ABC Legal having effected service upon Facebook Inc, ABC Legal providing to the Registrar a Certificate of Service in respect of Facebook Inc, for filing in the proceedings pursuant to r 10.66.
(1) applying to the Registrar, in the Registrar’s capacity as a forwarding authority under the Hague Convention, for a request for service in Ireland under the Hague Convention of the Court Documents upon Facebook Ireland, pursuant to r 10.64;
(2) providing to the Registrar three copies of each of the following documents:
(a) a draft request for service abroad of judicial documents and certificate, in accordance with Form 25, being the form of model letter of request and certificate of service prescribed by the Court;
(b) the Court Documents;
(c) a summary of the documents to be served, in accordance with Form 26; and
(d) a written solicitor's undertaking to be personally liable for all costs incurred by the Registrar, in accordance with r 10.64(3);
(3) the Registrar, if satisfied, signing the requests for service abroad and forwarding copies of the relevant documents to the Master of the High Court of Ireland (Master), for service upon Facebook Ireland in accordance with the Hague Convention, pursuant to r 10.65;
(4) the Master serving the documents, in accordance with the provisions of subparagraph (a) of the first paragraph of Article 5 of the Hague Convention, by a method prescribed by Ireland’s internal law for the service of documents in domestic actions upon persons who are within its territory; or, in accordance with the second paragraph of Article 5 of the Hague Convention, by delivery to the addressee, if he or she accepts it voluntarily. The Hague Convention website page relating to Ireland describes the prescribed methods as follows:
Formal Service (Art 5 (1)(a))
Personal or by post.
Informal delivery (Art 5(2))
This method can be used where the addressee has indicated in writing that he will accept service, or that service may be effected by delivering documents to an intermediary e.g. a solicitor acting for him.
(5) upon the Master having effected service upon Facebook Ireland, the Master providing to the Registrar a Certificate of Service in respect of Facebook Ireland, for filing in the proceedings pursuant to r 10.66.
19 The Commissioner also sought leave, if necessary, to serve Facebook Ireland under the law of the Republic of Ireland and in accordance with art 10(a) of the Hague Convention. The Commissioner’s proposed method of service under this course is, in accordance with s 51(a) of the Companies Act Ireland and art 10(a) of the Hague Convention, to post the Court Documents to the registered business address of Facebook Ireland.
20 The Federal Court of Australia’s Overseas Service and Evidence Practice Note (GPN-OSE) issued on 25 October 2016 (Practice Note) requires a party applying for leave to serve a document in a country other than Australia to include in its application information obtained from the Australian Government Attorney-General’s Department in relation to the appropriate method of transmitting documents for service in that country.
21 Mr Zwi set out the details of the information obtained by him from the Private International Law Section of the Attorney-General’s Department in respect of service of documents in the USA and Ireland, as required by the Practice Note.
22 The methods of service identified above are in accordance with the requirements of the Hague Convention, as set out in the materials annexed to Mr Zwi’s affidavit.
C.2 Rule 10.43(4)(a): Jurisdiction
23 This Court has such original jurisdiction as is vested in it by the laws made by the Parliament: s 19(1) of the FCA Act. Section 80W(1) of the Privacy Act, being a law made by the Parliament, provides that the Commissioner “may apply to the Federal Court … for an order that an entity, that is alleged to have contravened a civil penalty provision, pay the Commonwealth a pecuniary penalty”. Section 80W(3) provides that “[i]f the court is satisfied that the entity has contravened the civil penalty provision, the court may order the entity to pay the Commonwealth such pecuniary penalty for the contravention as the court determines to be appropriate”. Those matters also provide jurisdiction through s 39B(1A)(c) of the Judiciary Act 1903 (Cth) which provides that the original jurisdiction of the Court includes jurisdiction in any matter “arising under the laws made by the Parliament, other than a matter in respect of which a criminal prosecution is instituted or any other criminal matter”.
24 Further, the Commissioner seeks declaratory relief. Section 39B(1A)(a) of the Judiciary Act provides that “[t]he original jurisdiction of the Federal Court of Australia also includes jurisdiction in any matter… in which the Commonwealth is seeking an injunction or a declaration”. The Commissioner is an emanation of the Commonwealth.
25 The Court has jurisdiction in the proceeding because it has jurisdiction over the subject matter of the proceeding: Bray v F Hoffman-La Roche (2003) 130 FCR 317 at - (Carr J);  (Branson J). It follows that r 10.43(4)(a) is satisfied.
C.3 Rule 10.43(4)(b): Is the proceeding mentioned in r 10.42?
26 The Commissioner noted that the following kinds of proceeding are mentioned in the table in r 10.42:
17.1 a proceeding based on a cause of action arising in Australia (item 1);
17.2 a proceeding based on a contravention of an Act that is committed in Australia (item 12);
17.3 a proceeding in relation to the construction, effect or enforcement of an Act, regulations or any other instrument having, or purporting to have, effect under an Act (item 14);
17.4 a proceeding seeking any relief or remedy under any Act, including the Judiciary Act (item 15); and
17.5 a proceeding in which, if the person to be served is a corporation – the corporation carries on a business in Australia (item 18(b)).
27 As the Commissioner submitted, item 14 applies. The “proceeding [is] in relation to the construction, effect or enforcement of an Act”, namely the Privacy Act and the FCA Act. It is not necessary to determine whether any of the other items also apply – cf: Australian Competition and Consumer Commission v Yellow Page Marketing BV  FCA 1218 at  (Gordon J). It follows that r 10.43(4)(b) is satisfied.
C.4 Rule 10.43(4)(c): Does the Commissioner have a prima facie case?
28 The Commissioner provided evidence and detailed written submissions in support of the interlocutory application which addressed the issue of whether there was a prima facie case against the respondents. That evidence and those submissions are proposed to be served out of Australia together with the documents which commenced these proceedings. Parts of that material are the subject of the interim suppression and non-publication orders I propose to make under s 37AI.
29 For the reasons given below, I am satisfied that the material establishes a prima facie case in the limited sense described below. I express no view about the strength of the prima facie case other than that it is sufficient to warrant making orders allowing for service outside of Australia.
C.4.1 Relevant principles
30 The requirement to demonstrate a prima facie case in the context of an application for leave to serve documents outside Australia is “not particularly onerous”: Yellow Page Marketing at . It is relevant to assess whether sufficient material is placed before the Court to show:
(1) that findings of fact are available, and inferences are open to be drawn, which would support the relief claimed: Australian Securities and Investment Commission v Axis International Management Pty Ltd  FCA 1605 at  (Gilmour J), citing Bell Group Ltd (In Liq) v Westpac Banking Corporation (1996) 20 ACSR 760 at 763;
(2) the existence of a controversy that warrants causing a proposed respondent to be involved in litigation in Australia: Century Insurance (in provisional liquidation) v New Zealand Guardian Trust  FCA 376 (Lee J); Ho v Akai Pty Ltd (in liq) (2006) 247 FCR 205 at  (Finn, Weinberg and Rares JJ); Israel Discount Bank Limited v ACN 078 272 867 Pty Ltd (in liq) (formerly Advance Finances Pty Ltd) (2019) 367 ALR 71 at  (Yates, Beach and Moshinsky JJ).
31 Section 75 of the Evidence Act 1995 (Cth) is relevant to the assessment of the sufficiency of the material adduced, because it provides that the hearsay rule does not apply in an interlocutory proceeding, if the party adducing the evidence also adduces evidence of the source of the hearsay evidence – cf: Bray at  and  (Carr J); Yellow Page Marketing at  (Gordon J).
32 The Commissioner only need establish a prima facie case in relation to one cause of action or remedy: Israel Discount Bank at . Under s 13G of the Privacy Act, an entity will be liable for a civil penalty if: (a) it does an act, or engages in a practice, that is a serious interference with the privacy of an individual; or (b) repeatedly does an act, or engages in a practice, that is an interference with the privacy of one or more individuals. Whilst the Commissioner only needs to establish a prima facie case under one of these paragraphs, for the reasons given below, the Commissioner has established a prima facie case under both.
C.4.2 Whether respondents are entities and organisations within the Privacy Act
33 Section 13G of the Privacy Act focuses on acts or practices of “entities”. An “entity” is defined as including an “organisation” which is defined as having the meaning in s 6C: s 6(1). The extra-territorial operation of the Privacy Act relevantly depends on whether the respondent is an “organisation”: s 5B(1A).
34 An organisation includes a body corporate “that is not a small business operator, a registered political party, an agency, a State or Territory authority or a prescribed instrumentality of a State or Territory”: s 6C(1). A body corporate is not a small business operator if it carries on a business that has an annual turnover of more than $3 million: s 6D(4).
35 I am satisfied that Facebook Inc and Facebook Ireland are “organisations” for the purposes of the Privacy Act.
C.4.3 Extra-territorial operation of the Privacy Act
36 Section 5B of the Privacy Act includes:
Organisations and small business operators
(1A) This Act, a registered APP code and the registered CR code extend to an act done, or practice engaged in, outside Australia and the external Territories by an organisation, or small business operator, that has an Australian link.
Note: The act or practice overseas will not breach an Australian Privacy Principle or a registered APP code if the act or practice is required by an applicable foreign law (see sections 6A and 6B).
(2) An organisation or small business operator has an Australian link if the organisation or operator is:
(a) an Australian citizen; or
(b) a person whose continued presence in Australia is not subject to a limitation as to time imposed by law; or
(c) a partnership formed in Australia or an external Territory; or
(d) a trust created in Australia or an external Territory; or
(e) a body corporate incorporated in Australia or an external Territory; or
(f) an unincorporated association that has its central management and control in Australia or an external Territory.
(3) An organisation or small business operator also has an Australian link if all of the following apply:
(a) the organisation or operator is not described in subsection (2);
(b) the organisation or operator carries on business in Australia or an external Territory;
(c) the personal information was collected or held by the organisation or operator in Australia or an external Territory, either before or at the time of the act or practice.
37 The Commissioner did not contend that s 5B(2) applied. She contended that each paragraph of s 5B(3) was satisfied.
38 Relevant to s 5B(3)(c), s 6(1) defines “collects” and “holds” in the following way:
collects: an entity collects personal information only if the entity collects the personal information for inclusion in a record or generally available publication.
holds: an entity holds personal information if the entity has possession or control of a record that contains the personal information.
39 In my view, there is a prima facie case, in the limited sense earlier described, that each of the paragraphs of s 5B(3) is satisfied. As to s 5B(3)(b), the evidence, some of which is the subject of the proposed interim suppression or non-publication order, establishes a prima facie case that the respondents carried on business in Australia in the relevant sense – cf: Tiger Yacht Management Ltd v Morris (2019) 268 FCR 548 at - (McKerracher, Derrington and Colvin JJ); Anchorage Capital Partners Pty Ltd v ACPA Pty Ltd (2018) 259 FCR 514 at  (Nicholas, Yates and Beach JJ); Australian Competition and Consumer Commission v Valve Corporation (No 3) (2016) 337 ALR 647 at - (Edelman J). The prima facie case arises from material which is capable of supporting the conclusion that:
(1) Australian users contracted with Facebook Ireland, which described itself as the “data controller for Australian Facebook users”;
(2) Facebook Ireland provided the Facebook service to Australian users as agent for Facebook Inc.
40 As to s 5B(3)(c), whilst substantial argument might be anticipated, the material was sufficient to establish a prima facie case that Facebook Ireland and Facebook Inc collected personal information in Australia. Facebook Ireland stated it was the provider of the Facebook service to Australian users and that it was responsible, in that capacity, for the collection and storage of personal information of those users through the Facebook service. The material is less clear about whether Facebook Ireland collected or stored personal information “in Australia” and there may be debate about what facts must be established to satisfy that requirement. When account is taken of inferences which can be drawn, sufficient has been shown in terms of a prima facie case for service out of the jurisdiction.
41 The contractual relationship between Facebook Ireland and Facebook Inc is such that a prima facie case is also shown as against Facebook Inc.
C.4.4 Whether prima facie contraventions
42 The phrase in s 13G, “interference with the privacy of an individual”, is defined in the Privacy Act as having the meaning given by sections 13 to 13F: s 6(1). In summary, an act or practice of an “APP entity” is an interference with the privacy of an individual if the act or practice breaches an “APP” in relation to personal information about the individual. An “APP entity” includes an “organisation”: s 6(1). “APP” is an acronym for “Australian Privacy Principle”.
43 The phrase “Australian Privacy Principle” has the meaning given to it by s 14: s 6(1). Section 14(1) provides that the APPs are set out in the clauses of Schedule 1. The Commissioner relies upon contended breaches of APP 6.1 and APP 11.1 in alleging that the respondents engaged in acts or practices constituting “serious” and “repeated” interference with the privacy of individuals in contravention of paragraphs (a) and (b) of s 13G.
APP 6.1 – use or disclosure of personal information
44 APP 6.1 (contained in Part 3 of Schedule 1) provides:
Part 3 – Dealing with personal information
6 Australian Privacy Principle 6 – use or disclosure of personal information
Use or disclosure
6.1 If an APP entity holds personal information about an individual that was collected for a particular purpose (the primary purpose), the entity must not use or disclose the information for another purpose (the secondary purpose) unless:
(a) the individual has consented to the use or disclosure of the information; or
(b) subclause 6.2 or 6.3 applies in relation to the use or disclosure of the information.
Note: Australian Privacy Principle 8 sets out requirements for the disclosure of personal information to a person who is not in Australia or an external Territory.
45 It is not necessary for present purposes to set out cl 6.2 or 6.3
46 The Commissioner summarised the critical underlying facts in the following way, these facts being sufficiently supported, at least for the purposes of the present application, by the material presented on the interlocutory application (footnotes omitted):
(6) The Graph API and Facebook Login (Statement of Claim -)
23. During the Relevant Period, apps could request personal information from Users’ Facebook Accounts using a tool called the Graph Application Programming Interface (Graph API). The Graph API allowed apps to create a link or interface between the Facebook Website’s “social graph” (being the network of connections through which Users communicated information on the Facebook Website) and the app. Version 1 of the Graph API was in place during the Relevant Period (Graph API V1).
24. The link or interface between the Facebook Website and the app was facilitated by a further tool known as “Facebook Login”. This allowed an installer of an app (Installer) to utilise their Facebook account credentials (username and password) to login to an app. Where an Installer did so, a screen or page would appear on the app requesting the Installer’s permission for the app to request, through the Graph API, certain categories of the User’s personal information as that User had provided to the Facebook Website (Permission Request).
25. Through the Graph API V1, an app could request a wide range of information about not only those Installers who had responded to Permission Requests, but also their Facebook friends who had not installed the app (Friends). This included requests for sensitive information. In response to a request from an app, the Respondents disclosed information about Installers and their Friends to the app, subject to the User’s privacy settings on the Facebook Website … However, a User’s “privacy settings” did not alone control how a User’s personal information was shared with apps, including apps installed by Users’ Friends. Unless a User modified their “app settings”, various categories of the User’s personal information, including sensitive information, would be disclosed to apps installed by their Friends by default …
26. Although the Respondents had in place terms and conditions about what kinds of information an app could request (see the Platform Policy, the relevant terms of which are pleaded at  of the Statement of Claim), the Respondents relied upon app developers’ self-assessment that an app complied with these rules. In particular, as is alleged at  of the Statement of Claim, the Respondents did not have in place any procedures to approve an app’s ability to make requests of the Graph API V1; nor did it review the privacy policies of the apps themselves.
27. On 30 April 2014, a new version of the Graph API (Graph API V2) was launched by the Respondents. Under Graph API V2, app developers wishing to request more than basic information from Friends and Installers had to undergo a manual app review process (App Review). Such requests would only be approved where, among other things, the additional information clearly improved the User's experience of the app. However, Facebook allowed apps using Graph API V1 a 12-month ‘grace period’ (Grace Period) to migrate to Graph API V2.
(7) The “This is Your Digital Life” App (Statement of Claim -)
28. The “This is Your Digital Life” App was a personality survey or quiz. It was developed by Dr Aleksandr Kogan, a researcher, who later established Global Science Research Limited (GSR).
29. The Graph API V1 allowed the “This is Your Digital Life” App to request information from the Facebook Accounts of 305,000 Facebook Users globally who were also Installers of the app, of which approximately 53 were Australian. The Graph API also allowed the app to request from the Respondents the personal information of approximately 86,300,000 Facebook Users globally (approximately 311,074 of whom were Australian Facebook Users) who were Friends (that is, they did not install the app themselves). The Australian Installer and Friends are referred to as the Affected Australian Individuals. Dr Kogan and/or GSR further disclosed personal information it obtained from the Respondents to third parties, including Cambridge Analytica Ltd, and/or its parent company, for profit.
30. On 6 May 2014, the developers of the “This is Your Digital Life” App submitted an application for App Review. On 7 May 2014, the Respondents rejected that application, on the basis that the app would not be using the data gained through extended permissions to enhance a User's in-app experience. Despite this, the Respondents permitted Dr Kogan and/or GSR to continue requesting Installers’ and Friends’ information using the Graph API V1 for a further 12 months until the end of the Grace Period on 1 May 2015. In effect, this meant that Dr Kogan and/or GSR were able to continue requesting Friends’ and Installers’ information under Graph API V1 until 1 May 2015.
47 The Commissioner contended that:
(1) the primary purpose for which the respondents collected the personal information of the affected individuals was to allow them to build an online social network with other users on the Facebook website;
(2) the disclosure of that information to the “This is Your Digital Life” app was not for that primary purpose and was, rather, for a secondary purpose. The “This is Your Digital Life” app did not operate with a view to enabling users to build an online social network with other users on the Facebook website. It instead provided a separate service, on a third party app, which allowed installers of the app to undertake a personality survey or quiz.
48 The Commissioner contended that, on each occasion on which Facebook Ireland and Facebook Inc disclosed the personal information of the affected individuals to the “This is Your Digital Life” app, this was an act or practice that was a serious interference with the privacy of each such individual in contravention of s 13G(a).
49 The Commissioner also contended that the repeated act or practice of disclosing the personal information of the affected individuals to the “This is Your Digital Life” app was an act or practice that contravened the privacy of those individuals, in contravention of s 13G(b). The Commissioner relied upon material which arguably showed that the respondents were likely, or at least potentially likely, to have repeatedly disclosed the personal information of 53 Australian installers of the app and 311,074 Australian friends of installers of the app to the “This is Your Digital Life” app by allowing the app to access the Graph API.
50 The Commissioner noted that the respondents might contend that, because the Commissioner has not identified with precision the identities of the Australian individuals affected and the particular information allegedly collected and held about them, the Court could not conclude that the information was in fact “personal information”: Privacy Commissioner v Telstra Corporation Ltd (2017) 249 FCR 24 at  (Kenny and Edelman JJ). In this context, it should be noted that the respondents themselves have not been able to provide the Commissioner with the identities of the relevant individuals, but have acknowledged that Australians have been affected. This fact does not negate the existence of a prima facie case.
APP 11.1 – Integrity of personal information
51 APP 11.1 (contained in Part 4 of Schedule 1) provides:
Part 4 – Integrity of personal information
11. If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information:
(a) from misuse, interference and loss; and
(b) from unauthorised access, modification or disclosure.
52 The Commissioner contended that, having regard to the respondents’ size and resources, as well as the sensitivity of the personal information it collected and held, the steps that the respondents should have taken to comply with APP 11.1 included at least the following:
(1) conducting an initial assessment and regular review of whether the “This is Your Digital Life” app’s requests for users’ information complied with Facebook’s policies;
(2) maintaining records of the personal information disclosed, and regularly reviewing these records to audit the nature and scope of disclosures;
(3) implementing measures to ensure that any consent was obtained directly, before or at the time of disclosure, and was clear and specific;
(4) after 7 May 2014, when Facebook had rejected the “This is Your Digital Life” app’s application to access Graph API V2:
(i) carrying out a review of the categories of data which the “This is Your Digital Life” app had previously requested and obtained about the affected Australian individuals; and
(ii) ceasing the disclosure of the affected Australians individuals’ personal information (including sensitive information) to Dr Kogan and/or GSR.
53 In respect of the first matter set out above, the Commissioner submitted that, in order to protect the users’ personal information from unauthorised disclosure, the respondents were required to take steps akin to the “App Review” process in respect of third-party apps that sought to access the Graph API. She submitted that, to the extent that those steps were not taken with respect to those third-party apps which accessed Graph API V1, the respondents breached APP 11.1. It was insufficient and unreasonable, so it was submitted, for the respondents merely to devolve to third-party apps compliance with the terms of Facebook’s policies without Facebook undertaking any investigation into the nature of the apps accessing version 1 of the Graph API and the purposes for which those apps sought access. The Commissioner noted that the reasonableness of each of the above steps would need to be assessed at the final hearing.
54 The Commissioner contended that:
(1) the failure of Facebook Inc and Facebook Ireland to take the steps identified above, was an act or practice that was a serious interference with the privacy of the affected individuals contravening s 13G(a); and
(2) the repeated and consistent failure, over the relevant period, of Facebook Inc and Facebook Ireland to take the steps identified above to prevent the unauthorised disclosure of the personal information of the affected individuals contravened s 13G(b).
C.4.5 Conclusion with respect to r 10.43(4)(c)
55 A sufficient prima facie case on the basis articulated by the Commissioner has been shown, in the sense earlier described, to warrant service outside of Australia. At the risk of repetition that is not to say anything about the strength of the case. Rather, the material demonstrates a genuine argument about contravention, sufficient to justify causing the respondents to be subject to the litigation in Australia where the merit of that argument can be judicially determined.
56 It is to be recognised that there are defences which might be available to the respondents. The fact that defences might be available does not, in the circumstances of this case, undermine the existence of the prima facie case. For example, APP 6.1(a), read with the definition of “consent” in s 6(1) of the Privacy Act, contains a defence for an APP entity to use or disclose personal information for a secondary purpose where the individual has expressly or impliedly consented to the use or disclosure. It may be that there will be an argument about whether this defence is available at least in respect of certain individuals. It is not possible, however, on the material on this application to conclude that friends of an installer, being friends who did not install the app, relevantly provided consent.
57 The requirements of r 10.43(4)(c) are satisfied.
C.5 Residual discretion
58 The Court retains a residual discretion to refuse relief even where the requirements for service outside Australia are satisfied: Humane Society International Inc v Kyodo Senpaku Kaisha Ltd (2006) 154 FCR 425 at  (Black CJ and Finkelstein J).
59 The Commissioner pointed to the following discretionary matters as favouring the exercise of the discretion to order service outside Australia:
(1) First, correspondence and a media report indicate that the respondents are aware of the proceedings and of the fact that the Commissioner proposed to make this interlocutory application:
King & Wood Mallesons (KWM) had represented the respondents during the Commissioner’s inquiries, culminating in the commencement of the proceeding. On 6 March 2020, the Australian Government Solicitor (AGS) emailed KWM to request confirmation of whether KWM had instructions to accept service of the originating process. On 6 March 2020, KWM emailed AGS advising that KWM acted for the respondents but were not instructed to accept service on their behalf; and stating that, in order to serve the respondents, the Commissioner would need to comply with relevant requirements for service at their respective domiciles in the United States and Ireland. The letter also made clear that KWM had instructions to discuss the substantive issues raised in the proceedings.
On 9 March 2020, AGS emailed KWM attaching sealed copies of the originating application, statement of claim and concise statement, asking KWM to draw these to their clients’ attention, and inviting the respondents to reconsider their position in respect of service so as to avoid the delay and expense that would be caused by an application by the Commissioner to serve the above documents outside the jurisdiction. On 12 March 2020, KWM emailed AGS advising that KWM did not have instructions in relation to the matters raised in the documents that AGS provided on 9 March 2020.
On 10 March 2020, a media report attributed comments, which I infer were related to the proceeding, to a Facebook spokesperson.
(2) Contemporary developments in communications and transport make the degree of “inconvenience and annoyance” to which a foreign defendant would be put, if brought into the courts of this jurisdiction, “of a qualitatively different order to that which” prevailed at the time of earlier decisions considering these issues: Agar v Hyde (2000) 201 CLR 552 at 571 (Gaudron, McHugh, Gummow and Hayne JJ).
60 There are no compelling countervailing considerations suggesting that an order for service out of Australia should not be made.
61 Given that the relevant requirements have been met, including those in r 10.43(3) and (4), and that there is no good reason not to make the order, the discretion should be exercised to grant leave to the Commissioner to serve the respondents outside Australia with the various documents specified in the interlocutory application.
D SUBSTITUTED SERVICE
62 The Commissioner applies for substituted service under r 10.24.
63 Rule 10.49 provides for substituted service if service on the person in a foreign country in accordance with a convention, the Hague Convention or the law of a foreign country “was not” successful. This implies that some attempt must first be made. The power in r 1.34 could be exercised to dispense with compliance with the implied requirement in r 10.49 that, before substituted service under that that rule be ordered, an attempt at service first be made, although it has been said that such cases are likely to be rare, for example perhaps “where there is real urgency for service and where the evidence suggests an impossibility or serious impracticability in service by the means contemplated in the Convention”: Park (Trustee) v Tschannen (Bankrupt)  FCA 137 at  (Edelman J). The Commissioner did not expressly apply for substituted service under r 10.49.
64 Rule 10.45 provides:
The other provisions of Part 10 apply to service of a document on a person in a foreign country in the same way as they apply to service on a person in Australia, to the extent that they are:
(a) relevant and consistent with this Division; and
(b) consistent with:
(i) if a convention applies — the convention; or
(ii) if the Hague Convention applies — the Hague Convention; or
(iii) in any other case — the law of the foreign country.
65 By reason of r 10.45, r 10.24 applies to service of the respondents provided that the rule is regarded as consistent with Pt 10 and, in particular, Div 10.4 and with the Hague Convention or foreign law.
66 This Court has held, in circumstances analogous to the present, that an order for substituted service may be made under either r 10.24 or r 10.49: Commissioner of Taxation v Zeitouni (2013) 306 ALR 603 at  (Katzmann J); see also: Australian Competition and Consumer Commission v Kokos International Pty Ltd  FCA 2035 at  (French J); Commissioner of Taxation v Oswal  FCA 1507 at  (Gilmour J). Even if that position is incorrect, I would have ordered substituted service under r 10.49, with a dispensation from the implicit requirement to attempt service under r 1.34, for equivalent reasons to those for which I will order substituted service under r 10.24, explained next.
67 Rule 10.24 provides that a person may apply for an order if “it is not practicable to serve a document on a person in a way required by these Rules”. In Commissioner of Taxation v Caratti (No 2)  FCA 1500 at , Colvin J observed:
The preponderance of authority is to the effect that the current rule requires the applicant for orders for substituted service to demonstrate that it is not sensible or realistic to effect personal service even though it may be possible or feasible to do so. This will usually be done by taking steps to effect personal service and providing evidence as to any difficulties that have arisen in doing so. It is not necessary to go so far as to demonstrate that there is an inability to effect personal service or that it would be extraordinarily difficult to do so. Further, there must be a proper evidential basis upon which to conclude that in all probability the mode of substituted service that is proposed will bring the relevant documents to the attention of the party to be served.
68 In Kosmos Capital Pty Ltd v Turiya Ventures LLC  FCA 528 at  Jackson J said:
In the context of r 10.23(a), the word ‘practicable’ has a wide meaning which will depend on the circumstances of the particular proceeding: Australian Securities and Investments Commission v China Environment Group Ltd  FCA 286 at -. Rule 10.23 does not require the applicant to prove the impossibility of service of documents upon a party in accordance with the rules, or that further attempts to effect service in accordance with the rules would be futile or not sensible or feasible: Speedo Holdings BV v Evans  FCA 1089 at . The question is not whether reasonable effort has been shown by the applicant over a particular period, but whether at the date on which the application regarding service is made, the applicant, using reasonable effort, is unable to serve the respondent personally: Foxe v Brown (1984) 58 ALR 542 at 547 as applied in O'Neil v Acott (1988) 59 NTR 1 at 2. Evidence of attempts to serve, attempts to speak by telephone and lack of knowledge of whereabouts will be relevant to the question of practicability: see eg Ross v Cotter  FCA 310 at .
69 The Court takes judicial notice under s 144(1)(a) of the Evidence Act that COVID-19 is presently spreading globally; it has been declared a pandemic by the World Health Organisation and is directly affecting the USA and Ireland, the two jurisdictions in which documents are sought to be served. The evidence also addresses these matters. These circumstances inform the Court’s view of what is “practicable”.
70 An extract from ABC Legal’s website indicates that ABC Legal, the contractor for the USA Department of Justice, Civil Division, Office of International Judicial Assistance, and the entity through which it is proposed to serve the Court Documents on Facebook Inc, has “suspended service of process nationwide” across the USA in response to the COVID-19 pandemic. This means it is not practicable to effect service of Facebook Inc pursuant to art 5 of the Hague Convention without substantial difficulty.
71 As the Commissioner frankly conceded, the impracticability of service in accordance with the Hague Convention in the Republic of Ireland is not as strong. There is a National Public Health Emergency in the Republic of Ireland. However, the High Court of Ireland and postal services in the country remain operative. The Hague Convention permits service of the court documents on Facebook Ireland by post. The Commissioner submitted, however, that given the rapidly evolving nature of the COVID-19 pandemic globally, and having regard to various discretionary matters referred to earlier, the Court ought be satisfied that it would not be practicable to serve Facebook Ireland in accordance with the Hague Convention.
72 A consideration against ordering substituted service arises out of principles of international comity. There is an applicable agreed regime for service outside the jurisdiction. That agreed regime is subverted where jurisdiction is exercised permitting a party to substitute an alternative form of service – cf: Laurie v Carroll (1958) 98 CLR 310 at 325. I take that fact into account.
73 The proposed method of substituted service is to email the various documents to identified individuals at KWM. As both respondents have retained KWM in connection with the events giving rise to the proceedings and KWM has recently confirmed that it acts for both respondents, substituted service is very likely to bring the documents to the respondents’ attention.
74 It is also proposed that the Court Documents be emailed to a named individual being the Head of Data Protection and Privacy and Associate General Counsel at “Facebook” located in Ireland. As the Commissioner submitted, that individual appears to be a person of appropriate senior authority within Facebook Ireland and is the person with whom the Commissioner corresponded throughout her preliminary inquiries. There is little in the way of practical difference between service by post and service by email.
75 Orders for substituted service pursuant to r 10.24 of the Rules should be made. It is not presently practicable to effect service on Facebook Inc pursuant to art 5 of the Hague Convention. It is presently possible to serve Facebook Ireland in accordance with Hague Convention. However, it is impracticable to do so in the rapidly changing and evolving environment caused by the current pandemic; the present situation may have changed by the time service in the relevant way would be sought to be effected. The proposed method of substituted service is plainly likely to bring the proceeding to the attention of the respondents. Indeed, I infer that the respondents are aware of the proceeding. That inference arises from the correspondence between the parties identified above and the media article. I note that KWM held instructions on 6 March 2020 to discuss the foreshadowed proceeding with the Commissioner’s legal representatives, “including to satisfy the requirements inherent in section 37N of the Federal Court of Australia Act 1976 (Cth) and the Civil Dispute Resolution Act 2011 (Cth)”.
76 For the reasons given, interim orders should made under s 37AI of the FCA Act. Orders should be made granting leave to the applicant to serve the respondents outside Australia. Orders should be made for substituted service.