FEDERAL COURT OF AUSTRALIA
Australian Information Commissioner v Facebook Inc (No 2) [2020] FCA 1307
ORDERS
AUSTRALIAN INFORMATION COMMISSIONER Applicant | ||
AND: | First Respondent FACEBOOK IRELAND LIMITED Second Respondent | |
DATE OF ORDER: |
THE COURT ORDERS THAT:
1. The interlocutory application dated 6 May 2020 be dismissed.
2. The written reasons for judgment not be published beyond the parties until further order.
3. The parties have until 12 pm on 16 September 2020 to advise the Court of any orders for redactions sought, together with a concise written explanation as to why those redactions ought be made.
4. Unless any party applies within 7 days for a different order with respect to costs, the first respondent pay the applicant’s costs of the interlocutory application.
Note: Entry of orders is dealt with in Rule 39.32 of the Federal Court Rules 2011.
THAWLEY J:
A INTRODUCTION
1 On 9 March 2020, the Australian Information Commissioner commenced proceedings in this Court against Facebook Inc and Facebook Ireland Limited (together, Facebook). Those proceedings were commenced by the filing of an Originating Application, Concise Statement and Statement of Claim. The brief account of facts outlined in this Introduction is taken from those documents and set out for the purpose of understanding the nature of the proceedings. They are not intended to constitute final conclusions of fact.
A.1 Nature of the proceedings
2 The website www.facebook.com, which is also accessible through Facebook’s associated mobile applications, allows users who create an account to build an online social network with other users. The network of connections through which users communicate and share information on the Facebook website is sometimes referred to as the “social graph”.
3 A Facebook user provides certain information to open an account including their name, date of birth, gender and an email address or, from early 2015, a mobile phone number. Users are able to add further personal information to their Facebook profile including a profile picture, the person’s hometown, educational history, work experience, sexual orientation, relationship status, occupation, political and religious views, interests and photographs. Users can create and “post” content on the Facebook website. A post could take various forms including: freeform text, photographs, videos, “check-ins” (indicating a user’s geographic location at a particular time) and links to websites, such as articles on news websites.
4 Facebook monetises the information it obtains by selling advertising, including advertisements targeted at users. Facebook’s global revenue is almost entirely comprised of advertising revenue.
5 The Commissioner alleges that, during the period 12 March 2014 to 1 May 2015, Facebook Inc and Facebook Ireland disclosed the personal information (including sensitive information) of approximately 311,127 Australian Facebook users to a third party application, the “This is Your Digital Life” app, which was a personality survey or quiz developed by Dr Aleksandr Kogan, a researcher, who later established Global Science Research Ltd.
6 It was not in dispute that the information uploaded by users to the Facebook website included information which was “personal information”, and arguably “sensitive information”, within the meaning of s 6 of the Privacy Act 1988 (Cth).
7 At the relevant time, apps could request personal information from users’ Facebook accounts using a tool called the Graph Application Programming Interface (Graph API). Through Version 1 of the Graph API (Graph API V1), an app could request a wide range of information about not only those who had installed an app (Installers) but also their friends who had not installed the app (Friends). This included requests for sensitive information. Facebook had rules about what kinds of information an app could request, but relied on app developers’ self-assessment that an app complied with its rules.
8 In response to a request from an app, Facebook disclosed information about Installers and Friends, subject to the particular user’s settings. The Commissioner alleges that most of the relevant Australian users whose personal information was disclosed did not install the “This is Your Digital Life” app; rather, their Facebook friends did. Whilst users could modify their settings, if they did not then, by default, their personal information was disclosed by Facebook to the “This is Your Digital Life” app.
9 The Commissioner alleges that Facebook did not adequately inform the users of the manner in which their personal information would be disclosed, or that it could be disclosed to an app installed by a Friend, but not installed by the individual. Nor did Facebook prevent the “This is Your Digital Life” app from disclosing the information obtained to third parties. The developers of the “This is Your Digital Life” app sold personal information obtained using the app to the political consulting firm Cambridge Analytica Ltd, in breach of Facebook’s policies. As a result, the users’ personal information was exposed to the risk of disclosure, monetisation and use for political profiling purposes. Facebook did not know the precise nature or extent of the personal information disclosed to the “This is Your Digital Life” app.
10 A new version of the Graph API (Graph API V2) was launched by Facebook on 30 April 2014. App developers wishing to request more than basic information from Friends and Installers had to undergo a manual app review process (App Review). Requests would only be approved where, among other things, the additional information clearly improved the user’s experience of the app. Facebook allowed apps using Graph API V1 a 12 month grace period to migrate to Graph API V2.
11 On 7 May 2014, Facebook rejected an application for App Review made by the developers of the “This is Your Digital Life” app on the basis that the app would not be using the data gained through extended permissions to enhance a user’s in-app experience. Nevertheless, Facebook permitted the developers to continue requesting Installers’ and Friends’ information using the Graph API V1 for a further 12 months until the end of the grace period on 1 May 2015.
12 The Commissioner alleges that:
(1) Facebook disclosed the users’ personal information for a purpose other than that for which it was collected, in breach Australian Privacy Principle (APP) 6;
(2) Facebook failed to take reasonable steps to protect the users’ personal information from unauthorised disclosure in breach of APP 11.1(b);
(3) these breaches amounted to serious and/or repeated interferences with the privacy of the users, in contravention of s 13G of the Privacy Act.
A.2 Procedural history to date
13 On 22 April 2020, the Court amongst other things:
(1) granted leave to the Commissioner to serve various documents, including the Originating Application, Concise Statement and Statement of Claim on Facebook Inc in the United States of America (Order 2) and Facebook Ireland in Ireland;
(2) made orders permitting substituted service on Facebook Inc to be effected by sending the relevant documents by email to two legal practitioners at King & Wood Mallesons (Order 4) and orders permitting substituted service on Facebook Ireland, again to be effected by email.
14 The reasons for making those orders may be found in Australian Information Commission v Facebook Inc [2020] FCA 531 (Facebook No 1).
15 On 6 May 2020, Facebook Inc filed an interlocutory application seeking orders that:
(1) Order 2, granting leave to serve Facebook Inc in the United States, be discharged pursuant to r 13.01(1)(d) of the Federal Court Rules 2011 (Cth);
(2) service of the Originating Application on Facebook Inc be set aside pursuant to r 13.01(1)(b) of the Rules; and
(3) Order 4 be discharged.
16 These reasons address that interlocutory application.
17 Facebook Ireland appeared at the hearing of Facebook Inc’s application, although it did not make any submissions. It has not sought relief equivalent to that sought by Facebook Inc.
18 Facebook Inc contends that service should be set aside because the Court should not be satisfied that there was a prima facie case for the relief claimed by the Commissioner as required by r 10.43(4)(c) of the Rules.
B THE PRIMA FACIE CASE THE COMMISSIONER MUST ESTABLISH
19 Before turning to the principles relevant to determining whether Facebook Inc’s application should be granted, it is useful to identify the prima facie case which the Commissioner must establish.
20 The extra-territorial operation of the Privacy Act is dealt with in s 5B, which relevantly provides:
5B Extra-territorial operation of Act
Agencies
…
Organisations and small business operators
(1A) This Act, a registered APP code and the registered CR code extend to an act done, or practice engaged in, outside Australia and the external Territories by an organisation, or small business operator, that has an Australian link.
Note: The act or practice overseas will not breach an Australian Privacy Principle or a registered APP code if the act or practice is required by an applicable foreign law (see sections 6A and 6B).
Australian link
(2) An organisation or small business operator has an Australian link if the organisation or operator is:
(a) an Australian citizen; or
(b) a person whose continued presence in Australia is not subject to a limitation as to time imposed by law; or
(c) a partnership formed in Australia or an external Territory; or
(d) a trust created in Australia or an external Territory; or
(e) a body corporate incorporated in Australia or an external Territory; or
(f) an unincorporated association that has its central management and control in Australia or an external Territory.
(3) An organisation or small business operator also has an Australian link if all of the following apply:
(a) the organisation or operator is not described in subsection (2);
(b) the organisation or operator carries on business in Australia or an external Territory;
(c) the personal information was collected or held by the organisation or operator in Australia or an external Territory, either before or at the time of the act or practice.
21 It was common ground that Facebook Inc was not an “organisation or operator” which fell within s 5B(2) and that Facebook Inc would only have an “Australian link” if s 5B(3) was satisfied. It was not in dispute that the first of the three requirements in s 5B(3) was satisfied because Facebook Inc was not an “organisation or operator” described in s 5B(2). However, Facebook Inc contended that the Commissioner had failed to establish a prima facie case that, at the relevant time, Facebook Inc:
(1) carried on business in Australia within the meaning of s 5B(3)(b); or
(2) collected or held personal information in Australia within the meaning of s 5B(3)(c).
22 Absent a prima facie case as to either of these matters, the Commissioner would fail to establish a prima facie case that she might be entitled to the relief sought in the proceedings. The question on this application is only whether the Commissioner has established a prima facie case about those matters, not whether paras (b) and (c) are in fact satisfied.
C RELEVANT PRINCIPLES
C.1 Rule 13.01
23 The principles relevant to setting aside service under r 13.01 of the Rules were not in dispute. They may be summarised as follows:
(1) An application under r 13.01 of the Rules, for an order discharging an earlier order granting leave to serve out of the jurisdiction, or for an order setting aside such service, is in the nature of a review by way of rehearing of the original decision to grant leave to serve out of the jurisdiction: Israel Discount Bank Ltd v ACN 078 272 867 Pty Ltd (in liq) (formerly Advance Finances Pty Ltd) (2019) 367 ALR 71 at [46] (Yates, Beach and Moshinsky JJ).
(2) It is open to the party who sought and obtained an order for service out of the jurisdiction to adduce additional evidence, and make additional submissions: Israel Discount Bank at [46].
(3) The onus remains on the applicant in the proceedings to satisfy the Court in light of the material relied upon, including any additional material relied upon, that leave ought to have been granted: Tiger Yacht Management Ltd v Morris (2019) 268 FCR 548 at [100(9)] (McKerracher, Derrington and Colvin JJ); Armacel Pty Ltd v Smurfit Stone Container Corp (2008) 248 ALR 573 at [45] (Jacobson J); Voth v Manildra Flour Mills Pty Ltd (1990) 171 CLR 538 at 564 (Mason CJ, Deane, Dawson and Gaudron JJ).
24 As noted earlier, Facebook Inc contends that the relevant orders should not have been made because the Commissioner has not established a prima facie case for the purpose of r 10.43(4)(c) of the Rules.
C.2 Rule 10.43(4)(c)
25 Rule 10.43 of the Rules includes:
(2) A party may apply to the Court for leave to serve an originating application on a person in a foreign country in accordance with a convention, the Hague Convention or the law of the foreign country.
…
(4) For subrule (2), the party must satisfy the Court that:
(a) the Court has jurisdiction in the proceeding; and
(b) the proceeding is of a kind mentioned in r 10.42; and
(c) the party has a prima facie case for all or any of the relief claimed in the proceeding.
26 In Facebook No 1 at [30], the principles concerning the requirement in r 10.43(4)(c) of the Rules to demonstrate a prima facie case were summarised in the following way:
The requirement to demonstrate a prima facie case in the context of an application for leave to serve documents outside Australia is “not particularly onerous”: Yellow Page Marketing [[2010] FCA 1218] at [25]. It is relevant to assess whether sufficient material is placed before the Court to show:
(1) that findings of fact are available, and inferences are open to be drawn, which would support the relief claimed: Australian Securities and Investment Commission v Axis International Management Pty Ltd [2008] FCA 1605 at [14] (Gilmour J), citing Bell Group Ltd (In Liq) v Westpac Banking Corporation (1996) 20 ACSR 760 at 763;
(2) the existence of a controversy that warrants causing a proposed respondent to be involved in litigation in Australia: Century Insurance (in provisional liquidation) v New Zealand Guardian Trust [1996] FCA 376 (Lee J); Ho v Akai Pty Ltd (in liq) (2006) 247 FCR 205 at [10] (Finn, Weinberg and Rares JJ); Israel Discount Bank Limited v ACN 078 272 867 Pty Ltd (in liq) (formerly Advance Finances Pty Ltd) (2019) 367 ALR 71 at [47] (Yates, Beach and Moshinsky JJ).
27 Facebook Inc did not contend that this summary misstated the principles. Facebook Inc emphasised, however, that whilst it has been said that establishing a prima facie case is not “particularly onerous” (Australian Competition and Consumer Commission v Yellow Page Marketing BV [2010] FCA 1218 at [25] per Gordon J), it is nonetheless “necessary that there be a foundation established for an arguable case”: Akai Pty Limited (in liq) v Ho (2006) 230 ALR 107 at [6] per Gyles J, referring to: WSGAL Pty Limited v Trade Practices Commission (1992) 39 FCR 472 at 476 per Beaumont J; Sydbank Soenderjylland A/S v Bannerton Holdings Pty Ltd (1996) 68 FCR 539 at 549.
C.3 Prima facie case and the drawing of inferences
28 Facebook Inc contended that the Commissioner had failed to establish “an arguable case as [she] has merely posited ‘inferences’ which do not reasonably arise from the material tendered” and that all that the Commissioner had done was “speculated that a prima facie case might be found to exist at some point in the future”.
29 Although it has been stated that the question of whether a prima facie case has been established “should not call for a substantial inquiry” (Ho v Akai Pty Ltd (in liq) (2006) 247 FCR 205 at [10]), Facebook Inc analysed in detail the various inferences which the Commissioner contended were available in an endeavour to show that those inferences were, on proper analysis, mere speculation. There is nothing wrong in this approach. However, one must bear in mind that the question whether a prima facie case has been established arises in a particular statutory context and the question whether an inference is available arises before trial.
30 There is no doubt that the term prima facie case has a well understood meaning but its meaning is affected by the particular statutory context in which it is being used. It is used in the present context to test whether there exists a controversy which is sufficiently made out at the commencement of proceedings to warrant exposing the proposed respondent to litigation in Australia. That context is different, for example, to deciding whether the prosecution in a criminal trial has, after adducing its evidence and that evidence being tested by cross-examination, established a prima facie case sufficient to reject a no case submission.
31 In Merpro Montassa Limited v Conoco Specialty Products Inc (1991) 28 FCR 387 at 390, Heerey J observed that the question whether a prima facie case had been established arises at the outset of proceedings, before discovery, subpoenas and other procedural aids, meaning that inferences might more readily be drawn in favour of an applicant. After setting out the concept of a prima facie case by reference to May v O’Sullivan (1955) 92 CLR 654 at 658, Heerey J said of the predecessor rule:
It need only be added that the requirement of O 8, r 2(2)(c) [“that the applicant has a prima facie case for the relief of which he seeks”] has to be met at the outset of the proceedings. It does not suggest the kind of scrutiny that would occur in a submission of no case to answer following the closure of an applicant’s case at trial. As a matter of practicality, one is here concerned with, in Sheppard J’s words, “evidence which discloses in a little detail what the facts are ...” [Stanley Kerr Holdings Pty Ltd v Gibor Textile Enterprises Ltd [1978] 2 NSWLR 372]. It may be therefore that a court at this stage might draw inferences more readily in favour of an applicant, bearing in mind, amongst other things, that the applicant will not have had the advantage of discovery, subpoena and other procedural aids to the making out of a prima facie case at trial.
32 To similar effect were the observations of Carr J as a member of the Full Court in Bray v F Hoffman-La Roche Ltd (2003) 130 FCR 317 (Bray FCAFC) at [97]:
… The question is whether, on the material before the court, inferences were open which, if translated into findings of fact, would support the relief claimed. The scrutiny is not that which would occur in a submission of no case to answer following the closure of an applicant’s case at trial. A court can draw inferences more readily in favour of an applicant, bearing in mind, among other things, that the applicant will not have had the advantage of discovery and other procedural aids. The kind of evidence to be adduced should be in proportion to the nature of such an interlocutory issue by way of a mini rather than a mega trial.
33 In Apotex Pty Ltd v Les Laboratoires Servier (No 2) (2012) 293 ALR 272 at [18], Bennett J observed:
The principles to be applied in determining whether Servier has made out a prima facie case are not in dispute and are conveniently stated by the Full Court in Ho v Akai Pty Ltd (in liq) (2006) 24 ACLC 1526; [2006] FCAFC 159 at [10] (Ho). The determination does not call for a substantial inquiry and is met before the advantages of discovery, if ordered, and other procedural aids. The parties’ contentions are based on the available facts and inferences that may be drawn. A prima facie case is made out, generally, if on the material before the court, inferences are open which, if translated into findings of fact, would support the relief claimed. This test was described by Collier J in Bell v Steele (2011) 198 FCR 291; 94 IPR 502; [2011] FCA 1390 at [21] as a “relatively low” threshold. I would add that an available inference, to be open, should be made on the basis of evidence of facts; an inference should be clearly and properly drawn (Unilever Plc v Chefaro Proprietaries Ltd [1994] FSR 135 at 141 (Chefaro) per Glidewell LJ), not on the basis of mere speculation.
34 Facebook Inc submitted that the present context is different to Merpro Montassa and the other cases just mentioned. The Commissioner’s application has been brought after her investigation of approximately two years, which has included the use of investigative and coercive powers available under the Privacy Act. Accordingly, the Commissioner is not in the same position as the litigants to whom the observations of Heerey, Carr and Bennett JJ were directed.
35 That proposition can be accepted. The weight to be attributed to evidence, and whether an inference should be drawn in the absence of direct evidence on an issue, is affected by the capacity of the party to adduce evidence on the issue: Blatch v Archer (1774) 1 Cowp 63. I approach the matter on the basis that the Commissioner has a greater capacity to adduce evidence in respect of the relevant issues than was the position of the litigants in Merpro Montassa, Bray FCAFC and Apotex. Nevertheless, the question is being asked at the outset of the proceedings for the limited purpose of determining whether to set aside an order granting leave to serve the originating process out of the jurisdiction. The proceedings are only at a preliminary stage. It is possible that further information may be obtained as a result of Court processes such as discovery and interrogatories or the issuing of subpoenas. The Commissioner has not filed all of the evidence which would be relied upon in support of her case. As Carr J observed in Bray FCAFC at [97], “[t]he kind of evidence to be adduced should be in proportion to the nature of such an interlocutory issue by way of a mini rather than a mega trial”.
36 As to the drawing of inferences, in Carr v Baker (1936) 36 SR (NSW) 301 at 306, Jordan CJ stated, “[t]he existence of a fact may be inferred from other facts when those facts make it reasonably probable that it exists”. Jordan CJ also observed that conjecture can range from the barely possible to the quite possible. Inferences of probability might range from “a mere scintilla of probability” to one of near “practical certainty”: at 306. The result is that there is no bright dividing line as to when reasoning crosses from the permissible drawing of inferences to impermissible conjecture. As Spigelman CJ stated in Seltsam Pty Ltd v McGuiness (2000) 49 NSWLR 262 at [84]:
It is often difficult to distinguish between permissible inference and conjecture. Characterisation of a reasoning process as one or the other occurs on a continuum in which there is no bright line division. Nevertheless, the distinction exists.
37 Both Jordan CJ in Carr, and Spigelman CJ in Seltsam, referred to Jones v Great Western Railway Co (1930) 47 TLR 39 at 45, in which Lord Macmillan stated:
The dividing line between conjecture and inference is often a very difficult one to draw. A conjecture may be plausible but it is of no legal value, for its essence is that it is a mere guess. An inference in the legal sense, on the other hand, is a deduction from the evidence, and if it is a reasonable deduction it may have the validity of legal proof. The attribution of an occurrence to a cause is, I take it, always a matter of inference.
38 Despite the dividing line being difficult to draw, there are certain matters which can be stated:
(1) First, there can be no inference unless there are objective facts from which to infer the fact which it is sought to establish: Caswell v Powell Duffryn Associated Collieries, Limited [1940] AC 152 at 169-170; Seltsam at [87].
(2) Secondly, the making of a finding of fact through a process of inference can involve combining facts like strands in a cable or links in a chain: Seltsam at [91]. An inference can be drawn on the basis of circumstantial evidence: Rawson Finances Pty Ltd v Commissioner of Taxation (2013) 296 ALR 307 at [88] per Jagot J; Seltsam at [90].
(3) Thirdly, where it is the civil standard of the balance of probabilities that applies, the inference cannot be drawn if the evidence only establishes a possibility; the inference can only be drawn if the evidence establishes that the inferred fact is more probable than not: Seltsam at [80].
39 It is important to appreciate that the observations in Jones and in Seltsam were made in the context of whether an inference of causation could be drawn from the facts established after a fully contested trial. The observation that inferences might be drawn more readily in the present context (Merpro Montassa at 390; Bray FCAFC at [97]; compare Apotex at [18]) recognises that the question is being asked at the commencement of proceedings in an interlocutory context where the question is whether a prima facie case has been established sufficiently to warrant subjecting the proposed respondent to litigation in Australia: Tiger Yacht at [46].
C.4 Carrying on business
40 In Tiger Yacht at [50], the Full Court observed that the expression “carrying on business” may have a different meaning in different contexts and that, where used to ensure jurisdictional nexus, the meaning will be informed by the requirement for there to be sufficient connection with the country asserting jurisdiction. The Full Court said:
The expression “carrying on business” may have different meanings in different contexts: Luckins v Highway Motel (Carnarvon) Pty Ltd (1975) 133 CLR 164 at 178 (Gibbs J). So, care must be taken to understand the context in which the requirement is being considered. However, when used to ensure a jurisdictional nexus as a matter of comity it will have a meaning informed by the requirement to ensure there is sufficient connection with the country asserting jurisdiction. It requires resort to the usual or ordinary meaning of the phrase and invites a factual inquiry. As the Court said in Anchorage Capital Partners Pty Ltd v ACPA Pty Ltd (2018) 259 FCR 514 at [99]:
Whether a company is carrying on business in Australia is a question of fact: Luckins (Receiver & Manager of Australian Trailways Pty Ltd) v Highway Motel (Carnarvon) Pty Ltd (1975) 133 CLR 164 at 186. While it is correct to say that a company may be found to carry on business in Australia even though it does not maintain an office in Australia or the bulk of its business is carried on outside Australia, it does not follow that such a company will be found to carry on business in Australia merely because it has engaged in a small number of isolated transactions. Each case will depend on its own facts.
41 In Tiger Yacht, the question arose because relief could only granted if the relevant entity was a Pt 5.7 body within the meaning of s 9 of the Corporations Act 2001 (Cth) which would be established if it was a foreign company carrying on business in Australia. If the foreign company did not carry on business in Australia, there would not be a sufficient jurisdictional nexus to justify applying the Corporations Act 2001 (Cth), a law of Australia, to the foreign company.
42 As in Tiger Yacht, the question whether the Commissioner has established a prima facie case that Facebook Inc carries on business in Australia arises because it is one requirement necessary to establish jurisdictional nexus. The overall statutory context is, however, different to that in Tiger Yacht. The present context is the application of Australian privacy laws to foreign entities rather than the application of Australian corporate regulation on foreign corporations. The present statutory context includes the object of protecting the privacy of individuals and the responsible handling of personal information collected from individuals in Australia. Section 2A of the Privacy Act identified the following as express statutory objects:
2A Objects of this Act
The objects of this Act are:
(a) to promote the protection of the privacy of individuals; and
(b) to recognise that the protection of the privacy of individuals is balanced with the interests of entities in carrying out their functions or activities; and
…
(d) to promote responsible and transparent handling of personal information by entities; and
…
(f) to facilitate the free flow of information across national borders while ensuring that the privacy of individuals is respected; and
(g) to provide a means for individuals to complain about an alleged interference with their privacy; and
(h) to implement Australia’s international obligation in relation to privacy.
43 The Commissioner placed particular reliance on the Explanatory Memorandum to the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth), which amended s 5B of the Privacy Act. It included a statement that paras (b) (carries on business) and (c) (collect or hold personal information) of s 5B(3) were intended to capture entities based outside of and with no physical presence in Australia which collect information from individuals in Australia via a website hosted outside of Australia. The Explanatory Memorandum included (emphasis added):
Item 6 will amend subsection 5B(3) by rephrasing the opening of the subsection and inserting a reference to the new term ‘Australian link’. This will clarify that the subsection lists additional connections with Australia which would be a sufficient link for the Privacy Act to operate extra-territorially in relation to organisations and small business operators under subsection 5B(1A).
The collection of personal information ‘in Australia’ under paragraph 5B(3)(c) includes the collection of personal information from an individual who is physically within the borders of Australia or an external territory, by an overseas entity.
For example, a collection is taken to have occurred ‘in Australia’ where an individual is physically located in Australia or an external Territory, and information is collected from that individual via a website, and the website is hosted outside of Australia, and owned by a foreign company that is based outside of Australia and that is not incorporated in Australia. It is intended that, for the operation of paragraphs 5B(3)(b) and (c) of the Privacy Act, entities such as those described above who have an online presence (but no physical presence in Australia), and collect personal information from people who are physically in Australia, carry on a ‘business in Australia or an external Territory’.
44 The phrase “carries on business” in s 5B(3)(b) has its ordinary meaning and invites a factual inquiry. The legislature selected the criteria required to establish a sufficient nexus with Australia. It could have chosen different criteria to those in fact required. It could have chosen only the requirement that there be collection or holding of personal information in Australia (s 5B(3)(c)) and not that the organisation or operator also carry on business in Australia (s 5B(3)(b)). The legislature chose both requirements.
45 The Full Court in Tiger Yacht also noted that:
(1) at [51]: in order to be carrying on business, the activities must form a commercial enterprise, citing Australian Competition and Consumer Commission v Valve Corp (No 3) (2016) 337 ALR 647 at [197];
(2) at [52]: the words “carrying on” imply the repetition of acts and activities which possess something of a permanent character, citing Hope v Bathurst City Council (1980) 144 CLR 1 at 8 per Mason J, and that participation in a single transaction or a number of isolated transactions will not satisfy this aspect;
(3) at [53]: a company may be carrying on business in Australia even though it does not have an identifiable place of business within Australia, citing Bray v F Hoffman-La Roche Ltd (2002) 118 FCR 1 (Bray FCA) at [63];
(4) at [54]: there are cases where a company has been found to be carrying on business in Australia because its subsidiaries are not carrying on business on their own account but rather are doing so as agent for their international parent.
46 It might be added that the means by which entities carry on business are constantly evolving. Much of the case law in which the concept has been discussed was decided long before the technological advances which underpin many modern forms of commerce. Ultimately, the question whether a particular entity carries on business, and does so in a particular place, is determined by reference to the particular facts.
D CARRIES ON BUSINESS
47 The Commissioner submitted that she had established a prima facie case that Facebook Inc carried on business in Australia through a combination of two matters: first, through the agency of Facebook Ireland; and secondly, through certain activities for which Facebook Inc was directly responsible in Australia.
D.1 Agency
48 The Commissioner’s case that Facebook Inc carried on business in Australia through the agency of Facebook Ireland was put at two levels: one narrow and one broad.
49 The first and more difficult was that there was a prima facie case that Facebook Inc carried on business in Australia through the agency of Facebook Ireland in the sense that Facebook Ireland had the capacity to and did enter into contracts on behalf of Facebook Inc with Australian users.
50 The second case adopted a broader understanding of the meaning of agency. The Commissioner submitted, and Facebook Inc did not dispute, that the relevant question included “whether, having regard to all of the relevant facts and circumstances, the putative agent [Facebook Ireland] is carrying on its own business or whether it is carrying on business on behalf of its foreign parent”.
51 In this regard, the Commissioner referred to the decision of Besanko J in Australian Competition and Consumer Commission v Yazaki Corporation (No 2) (2015) 332 ALR 396 (this aspect of Besanko J’s reasoning was not challenged on appeal: Australian Competition and Consumer Commission v Yazaki Corporation (2018) 262 FCR 243 at [40]). His Honour said:
[344] “Business” has been said to mean a commercial enterprise in the nature of a going concern, that is to say, activities engaged in for the purpose of profit on a continuous and repetitive basis (Hope v Bathurst City Council (1980) 144 CLR 1 at 8–9; 29 ALR 577 at 582–3 per Mason J). There was no dispute in this case that there was a business being carried on in Victoria. The issue in dispute is whether that business was being carried on by AAPL or by Yazaki or by both companies.
[345] It is trite to say that a wholly owned subsidiary is a separate legal entity from its parent capable of having its own assets, its own creditors and conducting its own business (Walker v Wimborne (1976) 137 CLR 1 at 6–7 per Mason J; Industrial Equity Ltd v Blackburn [(1997) 137 CLR 567] at 577; [17 ALR 575 at] 584 per Mason J).
…
[358] The test of when a corporation incorporated overseas and with a subsidiary operating in Victoria/Australia is carrying on a business in Victoria/Australia involves a consideration of a number of factors and the evaluation of the significance of the various factors before reaching a conclusion. Although the English Court of Appeal in Adams v Cape Industries [[1990] 1 Ch 433] and Merkel J in Bray v Hoffman-La Roche [(2002) 118 FCR 1] refer to agency or lifting the corporate veil, I do not think they are using those terms in a narrow sense. By that I mean I do not think the notion is confined to the ability to enter into contracts on another’s behalf. That is, according to the English Court of Appeal, a powerful factor but it is not a decisive factor. A number of matters are to be considered.
52 As to the matters to be considered in determining whether a foreign corporation is carrying on business through its locally operating subsidiary, Besanko J preferred as more relevant to the facts of the case before him those which had been referred to by Merkel J in Bray FCA rather than those which had been identified by the English Court of Appeal in Adams v Cape Industries [1990] 1 Ch 433: Yazaki at [359].
53 Besanko J summarised Bray FCA and the factors considered by Merkel J at [351]-[356]:
[351] Bray addressed the very issue involved in this case, that is to say, whether foreign corporations were carrying on business in Australia under the Trade Practices Act at the time of alleged contraventions of s 45(2) of the Act. The issue arose in an application under O 9 r 7 of the Federal Court Rules 1979 (Cth) to set aside service of the originating process upon them or, in the alternative, to discharge the order giving leave to serve that process.
[352] The case involved a class action against companies in the Hoffman-La Roche, Aventis and BASF groups of companies which were alleged to have entered into and carried into effect an international price fixing and market sharing arrangement in respect of vitamin products manufactured and sold by them and their subsidiaries. A number of the respondent companies were foreign corporations and leave to serve them outside Australia was required. That leave was granted ex parte.
[353] Merkel J considered the application of the Trade Practices Act to conduct outside of Australia. That issue turned on whether the foreign respondents were carrying on business in Australia at the time of the alleged contraventions. Merkel J said that that was the relevant time and not the time of the service of the proceeding.
[354] Merkel J said that Parliament could have included a provision which gave the Act extra-territorial operation where the conduct had consequences in Australia (Meyer Heine Pty Ltd v China Navigation Co Ltd (1966) 115 CLR 10; [1966] ALR 791). However, it did not do so and the expression of carrying on business should be given its ordinary or usual meaning (at [60]). His Honour said that whether a corporation was carrying on business in Australia was a question of fact and he referred to authorities which have considered the meaning of the word, “business”. His Honour said that it was not necessary that a foreign corporation have a place of business in Australia before it could be said that it was carrying on business in Australia (at [63]). His Honour noted that the Australian subsidiaries of the foreign respondents carried on business in Australia and the question was whether they did so on their account or on account of their parent companies.
[355] His Honour referred to Smith, Stone & Knight [Ltd v Lord Mayor, Alderman and Citizens of the City of Birmingham [1939] 4 All ER 116] and Adams and then addressed a submission put to him that, in effect, the companies, including the parent and the subsidiary, were a group of companies operating at a global level and that the subsidiary should be seen as an integrated part of a global enterprise and, therefore, as the agent of the parent. Merkel J rejected this submission on the basis that it was not consistent with established authority (at [72]).
[356] His Honour decided that the Australian subsidiaries were conducting their own businesses and not their parent’s business. He relied on the following matters:
(1) the Australian subsidiaries held their own assets (including bank accounts) in their own names and employed employees and purchased and sold products in their own names;
(2) their businesses were not confined to the class vitamins (ie, the vitamins the subject of the proceeding) or to products supplied by other companies in their respective groups;
(3) the accounts of each of the subsidiaries were included in the Consolidated group accounts, but that was commonplace with subsidiaries and accorded with established accounting and regulatory requirements;
(4) there may have been some overlapping board appointments in respect of the subsidiaries and the regional or parent companies in the respective groups but, for the most part, the subsidiaries had different boards to the European or regional parent;
(5) the evidence did not suggest that the Australian subsidiaries were not maintained as distinct or separate entities or that the parents had disregarded corporate boundaries;
(6) the European and regional parents did not appear to hold assets in Australia, save for intellectual property rights and shares in the Australian subsidiaries. They had no premises, offices or employees in Australia and, in general, did not purport to engage in business activities in Australia;
(7) in terms of foreign direction and control, his Honour said that something more was required than indirect legal and commercial capacity of the parent companies to control and direct the subsidiaries, plus the parent’s involvement in implementing the cartel arrangement, before the corporate veil between the subsidiaries and their parents is lifted on a finding made that each of the subsidiaries is carrying on its business as agent for the parent;
(8) his Honour was not satisfied at that stage that the foreign respondents were carrying on business in Australia. That conclusion might need to be revisited if the applicant was able to establish that some of the foreign respondents engaged in sufficient business activity in Australia in their own right (for example, by supplying group products to an Australian subsidiary) or that the parent’s involvement in the implementation of the cartel arrangement in Australia was sufficient to constitute carrying on business in Australia (at [77]–[81]).
54 Facebook Inc emphasised that the Commissioner had not approached the matter by analysing the various factors mentioned in Bray FCA as set out by Besanko J in Yazaki at [356].
55 The matters mentioned by the English Court of Appeal in Adams at 530-531 were:
(a) whether or not the fixed place of business from which the representative operates was originally acquired for the purpose of enabling him to act on behalf of the overseas corporation;
(b) whether the overseas corporation has directly reimbursed him for (i) the cost of his accommodation at the fixed place of business; (ii) the cost of his staff;
(c) what other contributions, if any, the overseas corporation makes to the financing of the business carried on by the representative;
(d) whether the representative is remunerated by reference to transactions, e.g. by commission, or by fixed regular payments or in some other way;
(e) what degree of control the overseas corporation exercises over the running of the business conducted by the representative;
(f) whether the representative reserves (i) part of his accommodation, (ii) part of his staff for conducting business related to the overseas corporation;
(g) whether the representative displays the overseas corporation’s name at his premises or on his stationery, and if so, whether he does so in such a way as to indicate that he is a representative of the overseas corporation;
(h) what business, if any, the representative transacts as principal exclusively on his own behalf;
(i) whether the representative makes contracts with customers or other third parties in the name of the overseas corporation, or otherwise in such manner as to bind it;
(j) if so, whether the representative requires specific authority in advance before binding the overseas corporation to contractual obligations.
56 Facebook Inc emphasised that it was rare for a Court to conclude that a foreign corporation carried on business in a jurisdiction in which it had no fixed place of business or representation with the capacity to enter into contracts for the foreign corporation, referring to the following passage in Adams at 529:
We would agree with Mr. Morison that the existence of a power in the resident agent to bind the foreign corporation to contracts can be neither an exclusive nor conclusive test of the residence of the corporation itself. As he pointed out, there are many cases in which the corporation has been held not to be carrying on business at the agency notwithstanding the existence of authority of this kind: see for example The Princesse Clementine [1897] P. 18; The Lalandia [1933] P. 56 and The Holstein [1936] 2 All E.R. 1660. Conversely, we can conceive hypothetical cases in which it might be absurd to regard the test as conclusive. If in any given case all other factors indicate that the business carried on by the representative of a corporation in a particular country was clearly the business of the corporation (rather than that of its representative), it could make no difference that the corporation required him to take its instructions before he actually concluded contracts on its behalf; the existence of such a requirement would not by itself prevent the corporation from being present in the country concerned and thus from being amenable to the jurisdiction of its courts.
Nevertheless, it is a striking fact that with one possible exception (The World Harmony [1967] P. 341) in none of the many reported English decisions cited to us has it been held that a corporation has been resident in this country unless either (a) it has a fixed place of business of its own in this country from which it has carried on business through servants or agents, or (b) it has had a representative here who has had the power to bind it by contract and who has carried on business at or from a fixed place of business in this country.
We do not find this surprising as a matter of principle. Indubitably a corporation can carry on business in a foreign country by means of an agent. “It may be stated as a general proposition that whatever a person has power to do himself he may do by means of an agent:” Halsbury’s Laws of England, 4th ed., vol. 1 (1973), p. 420, para. 703. However, though the terms “agency” and “agent” have in popular use a number of different meanings:
“in law the word ‘agency’ is used to connote the relation[ship] which exists where one person has an authority or capacity to create legal relations between a person occupying the position of principal and third parties:” Halsbury’s Laws of England, vol. 1, p. 418, para. 701.
57 The Commissioner relied on Amalgamated Wireless (Australia) Ltd v McDonnell Douglas Corp (1987) 16 FCR 238, in which Wilcox J concluded (by way of obiter dictum) that McDonnell Douglas Corp (a United States corporation) did not “as such and in person, carry on business in Australia” but that it did “carry on business in Australia through its agent, McDonnell Douglas Information Systems Pty Ltd”: at 240.
58 As to the former conclusion, his Honour explained:
The reason why I come to the first of those two conclusions is that, although it is plain that the United States company is extremely interested in what happens in Australia and that it supervises very closely the activities in this country, providing personnel and advice and apparently also contract documents and expertise in regard to information systems, the actual business activities – that is to say the earning of income by entering into contracts – is something which is done directly by the second respondent, McDonnell Douglas Information Systems. If one were looking at financial records, I have no doubt that they would show that the income derived from the Australian activities is included on the profit and loss account of McDonnell Douglas Information Systems, as income derived by that company. There may or may not be outgoings to recompense the United States parent company for the assistance which it has given. In terms of the relationship between the McDonnell Douglas organisation and parties with whom contracts are signed, I think that it would be correct to say that they would be entitled to look to McDonnell Douglas Information Systems and, if litigation occurred, for example, to sue that company rather than McDonnell Douglas Corp. For these reasons it seems to me that the actual business activity, which is undoubtedly being carried out in regard to information systems, is with the Australian subsidiary, the second respondent.
59 As to the latter conclusion, his Honour said at 240-241:
On the other hand, the degree of involvement of the United States parent is so great that it is impossible to characterise this as being merely a case where a company purchases shares in another company and leaves that other company to carry on its own business on its own account. McDonnell Douglas Corp is more than an investor in the Australian subsidiary; it is concerned to use the Australian subsidiary as part of a world-wide information systems enterprise. The local company has apparently been set up to run its business as part of the world-wide McDonnell Douglas organisation; and ultimately on behalf of the parent company in America.
60 Of this decision, Merkel J observed in Bray FCA at [76]:
A difficulty with the approach of Wilcox J is that he may have conflated the Adams v Cape criteria for piercing the corporate veil (which include control and its exercise) with the separate Adams v Cape criteria for agency. For example, his Honour did not appear to take into account the legal requirement that in this context agency connotes a relationship which exists where one person has an authority or capacity to create legal relations between a person occupying the position of principal and third parties: see Adams v Cape at 529-530. That conflation may have resulted in an inconsistency between his Honour’s finding in Amalgamated Wireless at 240 that the subsidiary, rather than its US parent, was the contracting entity with third parties and his later conclusion as to the existence of agency. While there may be some dispute as to whether Wilcox J arrived at the correct conclusion on the facts in Amalgamated Wireless I do not take his Honour to be stating principles that differ from those suggested in Smith, Stone or in Adams v Cape, the many cases that have cited those decisions, or the other decisions to which I have referred. Rather, in Amalgamated Wireless his Honour made a finding of agency based on his view of the facts in the particular case.
D.1.1 The narrow case
61 The Commissioner submitted that it was open to infer that Facebook Ireland’s conduct in entering into contracts with Australian users for the provision of the Facebook service was conduct carried on by Facebook Ireland on its own behalf and as agent of Facebook Inc in the narrow sense of an entity with legal capacity to bind its principal. This submission was primarily based on the Statements of Rights and Responsibilities being the contracts between the relevant Facebook entity and users.
62 There were two Statements of Rights and Responsibilities in evidence, one last revised on 15 November 2013 (2013 Statement) and the other on 30 January 2015 (2015 Statement). It was not contended that there were significant differences of relevance between the two Statements. The 2013 Statement began with the following, which was repeated in substantially similar terms in the 2015 Statement:
This Statement of Rights and Responsibilities (“Statement,” “Terms,” or “SRR”) derives from the Facebook Principles, and is our terms of service that governs our relationship with users and others who interact with Facebook. By using or accessing Facebook, you agree to this Statement, as updated from time to time in accordance with Section 14 below. Additionally, you will find resources at the end of this document that help you understand how Facebook works.
63 “Facebook” was defined in s 18(1) of the 2013 Statement (and in substantially similar terms in s 17(1) of the 2015 Statement) in the following way:
By “Facebook” we mean the features and services we make available, including through (a) our website at www.facebook.com and any other Facebook branded or co-branded websites (including sub-domains, international versions, widgets, and mobile versions); (b) our Platform; (c) social plugins such as the Like button, the Share button and other similar offerings and (d) other media, software (such as a toolbar), devices or networks now existing or later developed.
64 Section 17 of the 2013 Statement (s 16 of the 2015 Statement) included:
17. Special Provisions Applicable to Users Outside the United States
We strive to create a global community with consistent standards for everyone, but we also strive to respect local laws. The following provisions apply to users and non-users who interact with Facebook outside the United States:
1. You consent to having your personal data transferred to and processed in the United States …
65 Section 19 of the 2013 Statement (s 18 of the 2015 Statement) included:
19. Other
1. If you are a resident of or have your principal place of business in the US or Canada, this Statement is an agreement between you and Facebook, Inc. Otherwise, this Statement is an agreement between you and Facebook Ireland Limited. References to “us,” “we,” and “our” mean either Facebook, Inc. or Facebook Ireland Limited, as appropriate.
2. This Statement makes up the entire agreement between the parties regarding Facebook, and supersedes any prior agreements …
66 The Commissioner observed that both Facebook Inc and Facebook Ireland offer the same website, namely www.facebook.com and that the domain name Facebook.com was owned by Facebook Inc.
67 The Commissioner made the following submissions. There was a prima facie case that Facebook Ireland provided the website on behalf of Facebook Inc or that Facebook Ireland did not provide the service alone. Objectively construed, one would not understand from the 2013 or 2015 Statements that Facebook Ireland alone was making available to the user “our website at Facebook.com and any other Facebook-branded or co-branded websites”: s 18(1). It was Facebook Inc’s website, not Facebook Ireland’s website; the reference to “any other Facebook-branded or cobranded website” should be read as a reference to all Facebook-branded websites worldwide. Section 19(1) of the 2013 Statement, when read with ss 17(1) and 18(1), left open an inference that Facebook Ireland was not contracting with an Australian user solely as principal. Whilst s 19(1) made it clear that Australian users were contracting with Facebook Ireland, it left open the capacity in which Facebook Ireland was so contracting – namely whether it was so contracting as principal or also as agent for Facebook Inc. When assessed with the fact that the website is owned by Facebook Inc and that Facebook Inc and Facebook Ireland are offering the same website, the possibility is left open that a user is dealing with Facebook Inc through Facebook Ireland.
68 Facebook Inc made the following submissions. The meaning of the words “we” and “our” in s 18(1) had to be read with s 19(1), namely as referring either to Facebook Inc or Facebook Ireland depending on the user’s residency or usual place of business; s 19(1) was clear: if you are an Australian user your contract is with Facebook Ireland not with Facebook Inc. The fact that the domain name might be owned by Facebook Inc was irrelevant; there was nothing unusual about a company in a group citing domain names in the ownership of other companies within the group and referring to the website as “our website”. Facebook Inc also pointed to the following clause in the 2013 Data Use Policy (discussed further below):
Information for users outside of the United States and Canada
Company Information: The website under www.facebook.com and the services on these pages are being offered to users outside of the U.S. and Canada by Facebook Ireland Ltd., Hanover Reach, 5-7 Hanover Quay, Dublin 2 Ireland. The company Facebook Ireland Ltd. has been established and registered in Ireland as a private limited company, Company Number: 462932, and is the data controller responsible for your personal information …
D.1.2 Conclusion: the narrow agency case
69 In my view, the Commissioner has not established a prima facie case that an Australian user, by agreeing to the 2013 or 2015 Statements, enters in to a contractual relationship with Facebook Inc. Australian users enter into a contract with Facebook Ireland. Section 19(1) distinguishes the position of US and Canadian users (also referred to as North American users) to those of all other users. On the evidence adduced on this application, it is not reasonably arguable in light of s 19(1) that Facebook Ireland is contracting with Australian users as agent for Facebook Inc. Accordingly, I reject the Commissioner’s “narrow” case based on agency.
D.1.3 The broader case
70 The Commissioner pointed to a number of matters contended to establish a prima facie case that Facebook Ireland was in substance carrying on business on behalf of Facebook Inc and was an agent in the broader sense identified above – see, in particular, [50] and [51].
71 Although the matters the Commissioner relied upon are identified below individually they must be assessed as a whole. Many of the individual matters were relied upon to support an underlying submission advanced by the Commissioner that there was a “single worldwide business operated by multiple entities” and that Facebook Ireland conducts that business in Australia on behalf of Facebook Inc.
D.1.3.1 Facebook Inc was the ultimate holding company
72 First, the Commissioner observed, uncontroversially, that Facebook Inc was the ultimate holding company of a group of companies which included Facebook Ireland.
D.1.3.2 Same terms and conditions offered to all users
73 Secondly, the Commissioner observed that the terms and conditions of the services offered to users by Facebook Inc and Facebook Ireland, set out in the 2013 and 2015 Statements, were the same irrespective of whether the contractual relationship of the particular user was with Facebook Inc or Facebook Ireland.
74 In fact, as Facebook Inc submitted, there were some differences in the applicable terms. For example, s 17 of the 2013 Statement contained “special provisions applicable to users outside the United States”. Nevertheless, broadly speaking the terms were the same.
D.1.3.3 Single worldwide business
75 Thirdly, the Commissioner submitted that, as indicated by the 2013 and 2015 Statements, “[a]s a matter of substance, users throughout the world are provided with the same services”. It was submitted that this, assessed in the context of all of the facts, indicated a prima facie case that there was “a single worldwide business operated by multiple entities”.
76 In support of the proposition that there was a single worldwide business operated by multiple entities, the Commissioner referred to the “Data Hosting Services Agreement”, effective as of 1 June 2013, between Facebook Ireland and Facebook Inc as “Service Recipients” and Pinnacle Sweden AB (a Facebook entity) as “Service Provider” (Sweden Data Hosting Agreement). The Sweden Data Hosting Agreement was said to be entered into “in reference to the following facts” (set out in the form of recitals to a contract):
A. The Service Recipients are engaged in the business of maintaining an online social networking community of users, marketing and selling advertising to advertisers targeting this user community, and marketing and selling digital goods and other goods and services to this user community.
B. The Service Recipients commercialize the Facebook Online Platform, as defined herein, in the Facebook Ireland Territory and the Facebook US Territory, respectively, as defined herein.
C. From time to time, the Service Recipients may request Service Provider to perform website and data hosting services for their businesses.
D. Facebook Ireland is the data controller for all personal data relating to, or uploaded by users in the Facebook Ireland Territory. Service Provider shall act only as a data processing service provider on behalf of, and subject to directions from Facebook Ireland with respect to such personal data. Facebook Ireland will have the right to access the data and applications hosted in the Data Center, as defined herein, remotely. Service Provider retains control over all premises, hardware and personnel at the Data Center, but Service Provider shall not access or process any personal data controlled by Facebook Ireland, except as a data processing service provider under Facebook Ireland’s control with respect to such data.
E. Service Provider is willing to use its personnel, expertise and facilities to provide such services on the terms and conditions set forth herein.
77 The Commissioner placed particular emphasis on Recitals A and B as indicating a single worldwide business. It should be observed, however, that Recital C refers to the Service Recipients’ “businesses”.
78 Section 1 of the Sweden Data Hosting Agreement contained various definitions including:
1.3 “Data Center” shall mean the location(s) at which Service Provider provides the Services, as defined in Section 1.6 herein, including all hardware at that location and software applications installed on such hardware.
…
1.5 “Facebook Online Platform” shall mean and include the system that facilitates the sharing of data between users for social networking purposes, sales of credits and virtual items, development of applications by developers, delivery of targeted advertisements to user pages, and any related processes or technology that relates to facilitating communication and social networking among users and serving advertisements.
1.6 “Services” shall mean and include website and data hosting services as specified in Section 2.
1.7 “Facebook US Territory” shall mean and include the United States and Canada.
1.8 “Facebook Ireland Territory” shall mean and include all countries worldwide, excluding the Facebook US Territory.
79 Section 2 is headed “Engagement of Service Provider” and includes:
2.2 Service Provider shall operate and provide capacity to the Service Recipients at one or more Data Centers sufficient to provide website hosting and data hosting capacity as requested from time to time.
80 Section 5 is headed “Consideration” and includes:
5.4 Within thirty (30) calendar days after any payment by Facebook Ireland to Service Provider of Service Fees and Reimbursements pursuant to Section 5.3 or 6.4 hereof, Facebook US shall reimburse Facebook Ireland for that portion of such Service Fees and Reimbursements paid with respect to Services performed by Service Provider for Facebook US.
81 Facebook Inc emphasised that s 5 confirmed the parties’ intention, objectively ascertained, that they operate separate businesses, each responsible for their own expenses.
82 Facebook Inc submitted that little could be made from the Commissioner’s submission that there was a single worldwide business operated by multiple entities. It was observed that the same comment could be made of many multinational groups, for example those which sold branded products with a global reputation such as drinks or motor vehicles. The fact that a particular product is branded in the same way throughout the world, and the brand is owned by a particular group, does not lead to the consequence that each of the various entities in the group carries on business in every jurisdiction in which the product is sold or that the head entity carries on business in every jurisdiction in which it has an operating subsidiary.
D.1.3.4 Contractual relationship between Facebook Inc and Facebook Ireland
83 Fourthly, the Commissioner relied upon the contractual arrangements between Facebook Inc and Facebook Ireland, in particular:
(1) the “Data Hosting Services Agreement” between Facebook Ireland (described as “Company”) and Facebook Inc (described as “Service Provider”) effective as of 15 September 2010 (Data Hosting Agreement); and
(2) the “Data Transfer and Processing Agreement”, effective 13 November 2013, between Facebook Ireland (described as the “data exporter”) and Facebook Inc (described as the “data importer”).
The Data Hosting Agreement
84 The Data Hosting Agreement states it was entered into “in reference to the following facts” (set out in the form of recitals):
A. [Facebook Ireland] is engaged in the business of maintaining an online social networking community of users, marketing and selling advertising to advertisers targeting this user community, and marketing and selling digital goods and other goods and services to this user community.
B. [Facebook Ireland] commercializes the Facebook Online Platform, as defined herein, in its Territory, as defined herein [namely, all countries worldwide, excluding the United States and Canada].
C. From time to time, [Facebook Ireland] may request [Facebook Inc] to perform website and data hosting services for its business.
D. [Facebook Ireland] is the data controller for all personal data relating to, or uploaded by users in the Territory. [Facebook Inc] shall act only as a data processing service provider on behalf of, and subject to directions from [Facebook Ireland] with respect to such personal data. [Facebook Ireland] will have the right to access the data and applications hosted in the Data Center, as defined herein, remotely. [Facebook Inc] retains control over all premises, hardware and personnel at the Data Center, but [Facebook Inc] shall not access or process any personal data controlled by [Facebook Ireland], except as a data processing service provider under [Facebook Ireland’s] control with respect to such data.
E. [Facebook Inc] is willing to use its personnel, expertise and facilities to provide such services on the terms and conditions set forth herein.
85 Section 1 included:
1.3 “Data Center” shall mean the location(s) at which [Facebook Inc] provides the Services, as defined in Section 1.6 herein, including all hardware at that location and software applications installed on such hardware.
…
1.5 “Facebook Online Platform” shall mean and include the system that facilitates the sharing of data between users for social networking purposes, sales of credits and virtual items, development of applications by developers, delivery of targeted advertisements to user pages, and any related processes or technology that relates to facilitating communication and social networking among users and serving advertisements.
1.6 “Services” shall mean and include website and data hosting services as specified in Section 2.
1.7 “Territory” shall mean and include all countries worldwide, excluding the United States and Canada.
86 Section 2 included:
Section 2 - Engagement of Company
2.1 [Facebook Ireland] hereby engages [Facebook Inc], and [Facebook Inc] hereby agrees, to provide [Facebook Ireland] with Services as [Facebook Ireland] may request from time to time. [Facebook Ireland] shall use its best efforts to perform the Services in a timely and efficient manner.
2.2 [Facebook Inc] shall operate and provide capacity to [Facebook Ireland] at one or more Data Centers sufficient to provide website hosting and data hosting capacity as requested by [Facebook Ireland] from time to time.
2.3 [Facebook Inc] shall have operational and financial responsibility for operation of the Data Center at all times. [Facebook Inc] shall own or lease all equipment used in the Data Center to provide the Services and will select the hardware to be used in the Data Center. [Facebook Inc] shall maintain the Data Center in a secure facility. No persons other than [Facebook Inc] personnel shall have access to the Data Center without prior authorization from [Facebook Inc].
2.5 The Parties are and shall at all times remain independent contractors, and not partners, agent or joint venturers. Neither Party may (a) bind or control the other pursuant to this Agreement; (b) act as an agent or represent that it is authorized to act as an agent for the other; nor (c) create or assume any obligation on behalf or in the name of the other. All obligations entered into by [Facebook Inc] shall be its sole responsibility except to the extent specifically provided otherwise herein.
87 Section 2.1, read with s 1.6, indicates that Facebook Inc is to provide to Facebook Ireland website and data hosting services, which includes the Facebook Online Platform available for access in Australia by Australian users.
88 Section 2.2, read with ss 1.3 and 1.6, indicates that Facebook Inc is to operate and provide capacity to Facebook Ireland, at one or more “Data Centers”, sufficient to provide website hosting and data capacity as requested by Facebook Ireland. Under s 2.3, Facebook Inc shall own or lease all equipment used in the “Data Center” to provide the services and will select the hardware to be used in the “Data Center”. Whilst the Commissioner submitted that it was open to infer that there might be physical systems in Australia which Facebook Inc used to fulfil its obligations under these clauses, the Commissioner did not submit that there was a “Data Center” in Australia. As is noted below, the Commissioner did submit that there were caching servers in Australia which it could be inferred were operated and owned by Facebook Inc.
89 Facebook Inc emphasised s 2.5, which provided that Facebook Inc and Facebook Ireland “are and shall at all times remain independent contractors, and not partners, agent or joint venturers”. It may be that the facts are such that the parties are, notwithstanding such a term, in fact agents or partners or joint venturers – see: Board of Trade v Hammond Elevator Co 198 US 424 (1905) at 437-438, 441; Radaich v Smith (1959) 101 CLR 209 at 219 (Taylor J); Voli v Inglewood Shire Council (1963) 110 CLR 74 at 90-91 (Windeyer J). Facebook Inc submitted, however, that it was clear that the parties objectively intended to conduct separate businesses in separate territories and that the Commissioner had not pointed to any contract entered into by Facebook Ireland on behalf of Facebook Inc.
90 Facebook Inc also relied upon ss 4.1 and 5.1, which provided:
Section 4 - Report of Services
4.1 On a periodic basis, but no less frequently than quarterly, [Facebook Inc] shall furnish [Facebook Ireland] with a written report/invoice (a) summarizing all Services performed by [Facebook Inc] for [Facebook Ireland] for the applicable period; and (b) detailing [Facebook Inc’s] Expenses incurred with respect thereto.
…
Section 5 - Consideration
5.1 In consideration for the Services performed by [Facebook Inc], [Facebook Ireland] shall pay [Facebook Inc] an amount equal to [Facebook Inc’s] Expenses, plus [redacted] (“Service Fees”). The Parties agree to periodically review the Service Fees and to make adjustments to the Service Fees as appropriate to maintain an arm’s-length compensation.
91 The Commissioner relied on s 5.1 as indicating that Facebook Inc derived income from activities conducted in Australia. Section 5.1 does not of itself give rise to any inference that services were provided by Facebook Inc in Australia. All it provides is that consideration is payable to Facebook Inc for the services it provides.
92 Section 8.4 of the Data Hosting Agreement provided:
[Facebook Ireland] may, at its sole discretion, provide or make accessible to [Facebook Inc] personal data (as this term is defined in Article 2 of Directive 95/46/EC) relating to residents of the European Economic Area (“EEA Personal Data”) and other personal or business data for [Facebook Inc] to process on behalf of [Facebook Ireland] (collectively “Processed Data,” including, without limitation, “EEA Personal Data”). [Facebook Inc] shall not process (as this term is defined in Article 2 of Directive 95/46/EC) any Processed Data, except (a) on behalf and in the interest of, and subject to instructions from, [Facebook Ireland]; (b) in compliance with legal requirements applicable to [Facebook Ireland] as to technical and administrative data security measures, to be set forth in more detail in a separate data transfer agreement between the Parties; and (c) under an arrangement that ensures, for purposes of compliance with Directive 95/46/EC, adequate safeguards to data privacy and security if and to the extent [Facebook Inc] or subcontractors conduct processing activities outside the EEA (e.g., based on standard contractual clauses or a Safe Harbor registration by [Facebook Inc]). The requirements set forth in this Section 8.4 shall apply in addition to, not in lieu of, any obligations set forth in Section 8.1-8.3, and without regard to any exemptions in Section 8.3. Without limiting the generality of Section 9.10, this Section 8.4 shall not create any third party beneficiary rights.
93 Facebook Inc relied on s 8.4 as confirming that it processed data as part of its business of, amongst other things, providing services to Facebook Ireland. Facebook Inc emphasised that s 8.4 required Facebook Inc to process data only “on behalf of and in the interests of, and subject to … instructions” from Facebook Ireland. The Commissioner submitted s 8.4 showed that Facebook Inc would be conducting activities in respect of data that subjected it to the application of such laws.
Data Transfer and Processing Agreement
94 The “Data Transfer and Processing Agreement”, effective 13 November 2013, between Facebook Ireland (described as the “data exporter”) and Facebook Inc (described as the “data importer”) recorded by way of preamble that the parties:
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
95 Clause 2.3 stated that it “shall not impact upon the Data Hosting Services Agreement between the parties dated September 15, 2010”. This is the Data Hosting Agreement dealt with immediately above.
96 Clause 2.4 provided:
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
97 Appendix 1 to the Data Transfer and Processing Agreement included:
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
Data exporter
The data exporter [Facebook Ireland] is a provider of social network services to users domiciled outside of the United States of America and Canada.
Data importer
The data importer [Facebook Inc] is a provider of social network services to users domiciled in the United States of America and Canada. The data importer also provides technical, engineering and human resource services to the data exporter.
Data subjects
The personal data transferred concern the following categories of data subjects:
• Registered users of the Facebook platform;
• Employees of the data exporter; and
• Third parties with a commercial relationship with the data exporter (e.g. advertisers, contractors).
Categories of data
The personal data transferred is:
• the personal data generated, shared and uploaded by the registered users of the Facebook platform;
• the personal data of the data exporter’s employees generated in the normal course of staff administration; and
• personal data relating to external third parties with whom the data exporter has a commercial relationship.
Such personal data may be in the following forms:
• Photographs;
• Videos;
• Events attended/invited to;
• Group membership;
• Friends;
• Gender;
• Date of Birth;
• Relationship status;
• Email address;
• Phone number;
• Address;
• URL;
• Hometown;
• Family;
• Political views;
• Religious Views;
• Sexual Life;
• Biography;
• Employment history;
• Location;
• Education;
• Interests;
• Entertainment preferences, including music, books and television;
• Material shared by the data subject (e,g. “wall posts”, messages, pokes);
• Credit card information; and
• Actions taken on Facebook and other services.
Special categories of data
The personal data transferred concern the following special categories of data:
• Racial or ethnic origin;
• Political opinions;
• Philosophical beliefs;
• Trade union membership;
• Health; and
• Sex life.
…
98 The personal data transferred by Facebook Ireland to Facebook Inc is the data described in Appendix 1, set out above, and included:
• the personal data generated, shared and uploaded by the registered users of the Facebook platform; [and] …
• personal data relating to external third parties with whom the data exporter has a commercial relationship.
99 That data may take the forms identified in Appendix 1 including photographs, video, friends, gender, relationship status, political views, sexual life and credit card information.
100 Clause 4 included:
Obligations of the data exporter
The data exporter [Facebook Ireland] agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses; …
101 Facebook Inc submitted that cl 4(b) revealed that the control of data rested with Facebook Ireland, contrary to the Commissioner’s contention that Facebook Inc could call for data. This position was said to be consistent with privacy obligations owed by Facebook Ireland in the European Union and to other countries. This position was also said to be supported by cl 5(a).
102 Clause 5 included:
Obligations of the data importer
The data importer [Facebook Inc] agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract; …
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred; …
103 Clause 5(a) requires Facebook Inc to process the data “transferred” to it by Facebook Ireland. The “processing operations” are described in Appendix 1 in the following way (emphasis added to indicate the matters emphasised by the Commissioner):
Processing operations
The personal data transferred will be subject to the following basic processing activities:
• Facilitating communication across the Facebook platform;
• Monitoring for abuse of the Facebook platform;
• Providing geo-location relevant information;
• Targeting advertisements and to assess their effectiveness;
• Identifying connections between Facebook users;
• Personalising content;
• Processing law enforcement and civil law requests for access to the personal data;
• Installing, operating and removing, as appropriate, cookies on terminal equipment for purposes including the provision [of] an information society service explicitly requested by Facebook users, security, facilitating user log in, enhancing the efficiency of Facebook services and localisation of content; and
• Transferring content to third parties with consent from the data subject; and
• Providing technical and engineering support.
104 The Commissioner also noted that cl 11 prohibits Facebook Inc from subcontracting any of its processing operations without the written consent of Facebook Ireland.
105 Appendix 2, relevant to cl 5(c), includes the following:
• Personal data is to be primarily held in a suitable facility/facilities
• Personal data is to be stored on secured servers behind firewalls.
• Servers are to be monitored by both industry standard and proprietary network monitoring tools to prevent any potential security breaches.
• Data importer to install, operate and remove, as appropriate, security cookies.
• Data importer to comply with all security policies of the Facebook group
• Data importers’ employees and contractors are to be trained in relation to specific technical and organizational security measures.
Answer provided by Facebook Inc and Facebook Ireland to the Commissioner
106 In addition to the two contracts just referred to, the Commissioner also relied on the following answer given by Facebook Ireland in response to a notice issued under s 44 of the Privacy Act:
2 A copy of all documentation issued by Facebook Inc containing rules, instructions, directions to Facebook Ireland Ltd, in relation to its handling of Facebook Users’ data.
Facebook Ireland was the provider of the Facebook service to Australian Users at all times during the period between 12 March 2014 and 17 December 2015. At all times during this period, Facebook Ireland was responsible, in that capacity, for the collected and storage of personal information of Australian Users through the Facebook service.
Facebook Inc performed data processing activities for Facebook Ireland during this time as contemplated by the Data Transfer and Processing Agreement between Facebook Ireland (as data exporter) and Facebook Inc (as data importer) dated 13 November 2013 (see FBI.001.006.0016). As set out in that agreement, Facebook Inc was obliged to follow instructions from Facebook Ireland in relation to relevant processing activities (rather than the other way around, as assumed in this request). In addition, all of those activities took place outside Australia.
To the best of our current understanding, we are not aware of any other documentation containing relevant rules, instructions, directions between Facebook Inc and Facebook Ireland in relation to handling of Facebook Users’ data in the period 12 March 2014 to 17 December 2015.
107 The Commissioner submitted that this answer showed that Facebook Ireland did not in fact give instructions to Facebook Inc as to how users’ data was to be stored or processed. This was said to lead to the inference that Facebook Inc was acting as principal and not as agent of Facebook Ireland.
108 The question posed by the Commissioner did not ask for a copy of instructions passing from Facebook Ireland to Facebook Inc; she asked the opposite. Nevertheless, Facebook Ireland responded that it was “not aware of any other documentation containing relevant rules, instructions, directions between Facebook Inc and Facebook Ireland”. That response, read in context, is open to the interpretation that there were no instructions either way.
D.1.3.5 Management of the Facebook Online Platform
109 Fifthly, in addition to the “processing operations” described above, the Commissioner relied on the fact that Facebook Inc was the entity which managed the Facebook Online Platform which allowed third party apps to create a link or interface between apps and the Facebook website’s “social graph”. As noted earlier, the “social graph” is the network of connections through which users communicated and shared information on the Facebook website.
110 The Commissioner referred in this regard to the following question asked of Facebook Ireland under a s 44 notice and Facebook Ireland’s response:
3 Names of any and all Facebook entities that:
…
d. made available for access, by any third party, any personal information of Australian Users;
Information shared by Australian Users on the Facebook service was available for access by other users on the Facebook service in accordance with the Facebook Data Policy and to the extent permitted by the settings choices (including choices regarding their privacy settings) of those Australian Users.
The Facebook service included an API called Facebook Login through which third party App developers could request permission directly from users to access certain categories of information that those users either uploaded or had access to on the Facebook service.
111 A footnote to the final paragraph explained:
The process of allowing third party App developers to access the API was managed by Facebook Inc for all Apps on the Facebook platform, including on behalf of Facebook Ireland as the provider of the Facebook service to Australian Users.
D.1.3.6 Employee numbers
112 Sixthly, the Commissioner relied upon what was said to be the “dramatic disparity in employee numbers”. It was observed that Facebook Ireland employed about one tenth of the number of persons employed by Facebook Inc, notwithstanding that Facebook Ireland was offering Facebook services worldwide to all users other than North American residents.
113 Facebook Inc submitted that, without more, this demonstrated little. It was observed that Facebook Inc contracts to provide services to Facebook Ireland, presumably being a potential explanation for the greater number of employees. It was also observed that nothing was known about the research and development activities of the group.
D.1.3.7 Data Use Policy
114 Seventhly, the Commissioner relied on a term in the “Data Use Policy”, which was incorporated into the contracts with users through the 2013 and 2015 Statements. There were two versions of the Data Use Policy in evidence, the 2013 Data Use Policy and the 2015 Data Policy. The 2015 Data Policy provided:
VI. How our global services operate
…
Facebook may share information internally within our family of companies or with third parties for purposes described in this policy. Information collected within the European Economic Area (“EEA”) may, for example, be transferred to countries outside of the EEA for the purposes as described in this policy.
D.1.3.8 Summary of parties’ submissions on broader agency case
115 The Commissioner submitted that, taking these various matters into account, the performance pursuant to the contractual arrangements by Facebook Inc of functions necessary for Facebook Ireland to provide the Facebook service (which includes the delivery of the Facebook Online Platform in Australia), including in Australia, indicated that Facebook Ireland was a convenient entity through which Facebook Inc carried on business in Australia during the relevant period. It was submitted that the conclusion was open, on the relevant prima facie basis, that there was a single world-wide business of Facebook Inc, conducted in Australia by Facebook Ireland.
116 Facebook Inc submitted that:
(1) The evidence indicated that certain important services, in particular processing services, were provided by Facebook Inc to Facebook Ireland for consideration. This was a conventional engagement by one company of another to provide services.
(2) The Data Hosting Agreement and the Data Transfer and Processing Agreement were carefully drafted for Facebook Inc to provide services to Facebook Ireland. Facebook Inc was providing services to Facebook Ireland’s business. The contractual arrangements indicated a careful and deliberate separating of roles and of businesses. There was no evidence or available inference that the agreements were not adhered to. It would invert the clearly expressed contractual language to suggest that the engaging organisation (Facebook Ireland) was conducting the business of the organisation engaged to provide services (Facebook Inc).
(3) Recital B of the Data Hosting Agreement between Facebook Ireland and Facebook Inc made it clear that Facebook Ireland commercialised the platform outside of the US and Canada. Facebook Inc did not generate revenue from providing the Facebook service, but rather from selling advertising. During the relevant period, Facebook Inc did not sell advertising in Australia. Rather, Facebook Ireland and Facebook Australia were the entities which sold advertising in Australia.
(4) An analysis of the various matters mentioned in cases such as Adams and Bray FCA leads to the conclusion that there is no prima facie case that Facebook Ireland conducted Facebook Inc’s business in Australia or that it conducted the business of both of them. There was no evidence that Facebook Inc controlled the board of directors of Facebook Ireland or that they had the same board members. There was no evidence that employees of Facebook Inc were directing or being involved in the activities of Facebook Ireland. Rather, the evidence overwhelmingly demonstrated a case for the entities choosing to operate, and in fact operating, separate businesses.
D.1.4 Conclusion: the broader agency case
117 I am not satisfied on the basis of the evidence adduced on this application that the Commissioner has established a prima facie case that Facebook Inc carried on business in Australia within the meaning of s 5B(3)(b) on the basis that Facebook Ireland conducted Facebook Inc’s business in Australia.
118 Rather, the evidence on this application suggests that, to the extent Facebook Ireland carried on business in Australia, it was carrying on its own business. The evidence adduced on this application and the inferences available to be drawn do not sufficiently allow for a possible conclusion that Facebook Ireland was also carrying on Facebook Inc’s business to warrant permitting service out of the jurisdiction.
119 However, for the reasons given next, the Commissioner has established a sufficient prima facie case to warrant exposing Facebook Inc to litigation in Australia on the basis that Facebook Inc directly carried on business in Australia. On its case, a part of Facebook Inc’s business was to provide services to Facebook Ireland, including the processing activities referred to earlier. I am satisfied that there is a prima facie case that Facebook Inc carried out sufficient activity in Australia in its business of providing services to Facebook Ireland for a conclusion to be available that Facebook Inc carried on business in Australia within the meaning of s 5B(3)(b) of the Privacy Act.
D.2 Activities carried out by Facebook Inc directly in Australia
120 The Commissioner relied upon various activities said to be carried on by Facebook Inc in Australia and said to show a prima facie case that Facebook Inc carried on business in Australia within the meaning of s 5B(3)(b). The activities relied upon were:
(1) entering into contracts with Australian users through Facebook Ireland as its agent;
(2) the installation and operation of cookies on computers and electronic devices of Australian users for the purpose of targeting advertising to those users;
(3) the provision of the Graph API to Australian app developers;
(4) the collection and holding of information from Australia users;
(5) the offering of stock in Facebook Inc to Australian employees;
(6) Facebook Inc considering itself able to draw on funds from foreign subsidiaries to apply to US operations and give directions with respect to those funds.
D.2.1 Entering into contracts with Australian users through Facebook Ireland as its agent
121 I have earlier concluded that it is not reasonably arguable that Facebook Ireland entered into contracts with Australian users as agent for Facebook Inc – see: [69] above. It follows that I do not consider this was an activity which could support a conclusion that Facebook Inc carried on business in Australia.
D.2.2 Installation, operation and removal of cookies
122 As noted at [103] above, one of the “processing operations” for which Facebook Inc was responsible in accordance with cl 5(a) of the Data Transfer and Processing Agreement was, as specified in Appendix 1, “[t]argeting advertisements and … assess[ing] their effectiveness”. Another was:
Installing, operating and removing, as appropriate, cookies on terminal equipment for purposes including the provision [of] an information society service explicitly requested by Facebook users, security, facilitating user log in, enhancing the efficiency of Facebook services and localisation of content …
123 Clause 5(c) and Appendix 2 to the Data Transfer and Processing Agreement included as an obligation on the part of Facebook Inc:
Data importer to install, operate and remove, as appropriate, security cookies.
124 The 2013 Data Use Policy included an explanation of what “cookies” are:
V. Cookies, pixels and other similar technologies
Cookies are small pieces of data that are stored on your computer, mobile phone or other device. Pixels are small blocks of code on webpages that do things like allow another server to measure viewing of a webpage and often are used in connection with cookies.
We use technologies like cookies, pixels, and local storage (like on your browser or device, which is similar to a cookie but holds more information) to provide and understand a range of products and services. Learn more at: https://www.facebook.com/help/cookies
We use these technologies to do things like:
• make Facebook easier or faster to use;
• enable features and store information about you (including on your device or in your browser cache) and your use of Facebook;
• deliver, understand and improve advertising;
• monitor and understand the use of our products and services; and
• protect you, others and Facebook.
For example, we may use these tools to know you are logged in to Facebook, to help you use social plugins and share buttons, or to know when you are interacting with our advertising or Platform partners.
We may ask advertisers or other partners to serve ads or services to computers, mobile phones or other devices, which may use a cookie, pixel or other similar technology placed by Facebook or the third party (although we would not share information that personally identifies you with an advertiser).
Most companies on the web use cookies (or other similar technological tools), including our advertising and Platform partners. For example, our Platform partners, advertisers or Page administrators may use cookies or similar technologies when you access their apps, ads, Pages or other content.
Cookies and things like local storage help make Facebook work, like allowing pages to load faster because certain content is stored on your browser or by helping us authenticate you to deliver personalized content.
…
Refer to your browser or device’s help material to learn what controls you can often use to remove or block cookies or other similar technologies or block or remove other data stored on your computer or device (such as by using the various settings in your browser). If you do this, it may affect your ability to use Facebook or other websites and apps.
125 This material indicates two matters of significance:
(1) First, being a matter the Commissioner emphasised, Facebook Inc is responsible for installing, operating and removing cookies on the devices of Australian users.
(2) Secondly, by reason of the second dot point in the third paragraph set out above, it is reasonably arguable that Facebook Inc, through its installation and operation of cookies, stores information about Australian users on the devices of those Australian users or in their browser caches. This is relevant not only to the issue under s 5B(3)(b) (carries on business), but also to the question which arises under s 5B(3)(c) (collecting or holding personal information).
126 Facebook Inc submitted that:
(1) First, Australia users authorised Facebook Ireland to install cookies and, in turn, Facebook Ireland subcontracted that function to Facebook Inc to perform on Facebook Ireland’s behalf.
(2) Secondly, processing operations carried out by Facebook, including installing, operating and removing cookies, were not carried out by any person located in Australia or otherwise in Australia. Facebook Inc submitted that cookies are uploaded through actions taken overseas and later downloaded in Australia when a user accesses the Facebook platform.
127 As to the first submission, it is true that Australian users authorised Facebook Ireland to install cookies. The 2013 Data Use Policy and 2015 Data Policy were incorporated into the 2013 and 2015 Statements respectively. Section 1 of the 2015 Statement provided:
1. Privacy
Your privacy is very important to us. We designed our Data Policy to make important disclosures about how you can use Facebook to share with others and how we collect and can use your content and information. We encourage you to read the Data Policy, and to use it to help you make informed decisions.
128 After s 18 (the final section), the 2015 Statement provided:
By using or accessing Facebook Services, you agree that we can collect and use such content and information in accordance with the Data Policy as amended from time to time …
129 Whilst the authorisation to install cookies was given by users to Facebook Ireland, the task of installing and operating cookies was carried out by Facebook Inc in accordance with the Data Transfer and Processing Agreement. The real issue is whether a prima facie case has been established that Facebook Inc engaged in activity in Australia sufficient to permit a conclusion that it carried on business in Australia.
130 As to the second submission at [126] above – that all of its processing activity occurred outside of Australia – Facebook Inc relied on various passages in the judgment of Barrett J in Campbell v Gebo Investments (Labuan) Ltd (2005) 190 FLR 209. A question in that case was whether the mere solicitation of business transactions by the internet constituted carrying on business in Australia in the context of the winding up provisions of the Corporations Act 2001 (Cth) that give the Court jurisdiction to wind up a “Part 5.7 body” where the body “has ceased to carry on business in this jurisdiction”. Over 2,000 residents of Australia had responded to solicitation through the LifeWealth 8 website and had become licensees for the purposes of simulated stock market activity by making credit card payments by means of the website. The solicitation was part of a systematic plan received and acted upon in Australia.
131 Barrett J explained that a document could be made available on the World Wide Web by a person uploading the document to a storage area managed by a web server. A person wanting to access the document could request the document from the server through his or her web browser such that the user could download the document. His Honour said at [29]:
The workings of the Internet were not the subject of evidence before me. The matter was, however, the subject of evidence and discussion in Dow Jones & Co Inc v Gutnick (2002) 210 CLR 575 and, because there is no controversy in that respect in the proceedings with which I am dealing, I am content merely to quote and adopt a passage in the joint judgment of Gleeson CJ, McHugh, Gummow and Hayne JJ at [14]–[16]:
[14] One witness called by Dow Jones, Dr Clarke, described the Internet as “a telecommunications network that links other telecommunication networks”. In his opinion, it is unlike any technology that has preceded it. The key differences identified by Dr Clarke included that the Internet “enables inter-communication using multiple data-formats ... among an unprecedented number of people using an unprecedented number of devices [and] among people and devices without geographic limitation”.
[15] The World Wide Web is but one particular service available over the Internet. It enables a document to be stored in such a way on one computer connected to the Internet that a person using another computer connected to the Internet can request and receive a copy of the document. As Dr Clarke said, the terms conventionally used to refer to the materials that are transmitted in this way are a “document” or a “web page” and a collection of web pages is usually referred to as a “web site”. A computer that makes documents available runs software that is referred to as a “web server”; a computer that requests and receives documents runs software that is referred to as a “web browser”.
[16] The originator of a document wishing to make it available on the World Wide Web arranges for it to be placed in a storage area managed by a web server. This process is conventionally referred to as “uploading”. A person wishing to have access to that document must issue a request to the relevant server nominating the location of the web page identified by its “uniform resource locator (URL)”. When the server delivers the document in response to the request the process is conventionally referred to as “downloading”.
132 Barrett J then considered whether, on the assumption that all of the uploading activity occurred outside Australia, that activity could amount to carrying on business in Australia, by reason of the receipt of a communication in Australia.
133 His Honour said at [30] to [34]:
[30] … I assume, without deciding, that the acts of uploading occurred outside Australia. That raises the question whether physical acts outside Australia which result in business communication with persons in Australia are, by reason of the territorial quality of the receipt of the communication, properly regarded as carrying on business in Australia. The question applies equally to a situation where a person outside Australia telephones persons in Australia or sends a messages by post or email to persons in Australia and, as a result of those acts performed by the person outside Australia, receives responses which amount to or lead to transactions forming part of some undoubted business activity.
[31] It is my opinion that the circumstances outlined are, of themselves, insufficient to constitute the carrying on of business in Australia. Case law makes it clear that the territorial concept of carrying on business involves acts within the relevant territory that amount to or are ancillary to transactions that make up or support the business. Many of the cases concern persons acting as agents within the jurisdiction of enterprise bases and operating outside the jurisdiction. One view has traditionally been taken where the agent within the jurisdiction has authority to bind the principal to dealings there; while another view has been taken of cases in which the agent is empowered to do no more than receive proposals or orders within the jurisdiction (often, no doubt, in response to solicitation there) and retransmit them to the principal. The distinction is discussed in several cases, including Okura & Co Ltd v Forsbacka Jernverks Aktiebolag [1914] 1 KB 715. Buckley LJ, speaking of a situation of the latter kind, there said (at p 721):
These being the facts, 101, Leadenhall Street is really only an address from which business is from time to time offered to the foreign corporation; the question whether any particular business shall or shall not be done is determined by the foreign corporation in Sweden and not by any one in London. In my opinion the defendants are not “here” by an alter ego who does business for them here, or who is competent to bind them in any way. They are not doing business here by a person but through a person. That person has to communicate with them, and the ultimate determination, resulting in a contract, is made not by the agents in London, but by the defendants in Sweden. It follows from this that one of the essential elements which must be present before a writ can be served in this country on the agent of a foreign corporation is lacking in this case. This appeal must, therefore, be dismissed.
By the same reasoning, the mere employment by a foreign company of a commercial traveller in Victoria to receive orders on commission and to forward them to its office abroad was held, in Pearce v Tower Manufacturing & Novelty Co Ltd (1898) 24 VLR 506, not to be carrying on business in Victoria.
[33] Advances in technology making it possible for material uploaded on to the Internet in some place unknown to be accessed with ease by anyone in Australia with Internet facilities who wishes (or chances) to access it cannot be seen as having carried with them any alteration of principles as to the place of carrying on business developed at times when such communication was unknown. It has never been suggested that someone who by, say, letters posted in another country and addressed to recipients in Australia, seeks to interest those persons in business transactions to be entered into in the other country and in fact succeeds in concluding such transactions with some of them thereby carries on business in Australia, even though, depending on precise circumstances, the solicitation may contravene some other Australian law. There is a need for some physical activity in Australia through human instrumentalities, being activity that itself forms part of the course of conducting business.
[34] Unless there is evidence of activities in Australia of placing material on the Internet or processing and dealing with inquiries or applications received by Internet, the question whether LifeWealth Labuan carried on business in Australia must be addressed by reference to the elements of the evidence that go beyond internet solicitation of persons to be licensees of the LifeWealth 8 simulated stock market game.
134 Gebo Investments was considered by a Full Court of this Court in Valve Corporation v Australian Competition and Consumer Commission (2017) 258 FCR 190 (Dowsett, McKerracher and Moshinsky JJ). The Full Court broadly agreed with the observations of Barret J set out above, but did not accept that there was an “inflexible rule” that there was in all cases “a need for some physical activity in Australia through human instrumentalities, being activity that itself forms part of the course of conducting business” as was the view expressed by Barrett J in Gebo Investments at [33]. After summarising the passages of Gebo Investments set out above, the Full Court stated:
[148] His Honour concluded (at [34]) that, unless there was evidence of activities in Australia of placing material on the internet, or processing and dealing with inquiries or applications received by internet, the question whether the relevant company (LifeWealth Labuan) carried on business in Australia needed to be addressed by reference to the elements of the evidence that went beyond internet solicitation of persons to be licensees. (His Honour then went on to consider those other facts and matters, concluding (at [113]) that LifeWealth Labuan carried on business in Australia.)
[149] Although Gebo Investments concerned different statutory provisions, we consider the discussion of principles regarding carrying on business generally to be of assistance for present purposes. We do not, however, see the reference to “human instrumentalities” in the last sentence of [33] as laying down an inflexible rule or condition as to the circumstances in which an overseas company may be taken to be carrying on business in Australia. We would instead place emphasis on the statement at [31] of Gebo Investments that the case law makes clear that the territorial concept of carrying on business involves acts within the relevant territory that amount to, or are ancillary to, transactions that make up or support the business.
135 Facebook Inc submitted that the “installing” of a cookie involves, as a matter of substance, a communication of data uploaded overseas which is then downloaded by a user in Australia. It submitted that this was insufficient for a conclusion on the relevant prima facie basis that Facebook Inc carried on business in Australia.
136 The observations made in Gebo Investments, and the partial explanation of aspects of the internet and the World Wide Web extracted by Barrett J from the High Court’s decision in Dow Jones v Gutnick (2002) 210 CLR 575, do not explain the data processing activities of Facebook Inc, including its activities in installing, operating and removing cookies on Australian users’ devices and storing information on those devices and those users’ browser caches. I do not accept Facebook Inc’s submission that installing and operating cookies is to be regarded as equivalent to uploading and downloading a document. The exact mechanism by which Facebook Inc installed, operated and removed cookies was not the subject of detailed evidence. Nor was there evidence specifically directed to the storing of information about Australian users on the devices of those users or in their browser caches. The inference is open that the installing of a cookie, by it being downloaded by an Australian user or otherwise, and its subsequent “operation” by Facebook Inc once installed, involves activity in Australia, albeit instituted or controlled remotely.
137 In my view, the Commissioner has discharged her onus of establishing that it is arguable, and the inference is open to be drawn, that some of the data processing activities carried on by Facebook Inc can be regarded as having occurred in Australia, notwithstanding that the evidence did not establish that any employee of Facebook Inc was physically located in Australia. It is arguable that this is sufficient for a conclusion that Facebook Inc carried on business in Australia. On Facebook Inc’s case, its business was one of providing services to Facebook Ireland and involved undertaking data processing activities which included operating cookies on the devices of Australian users. Facebook Inc’s argument that the data processing activities were carried out by Facebook Inc for Facebook Ireland says nothing about where Facebook Inc carried on its business of providing services to Facebook Ireland. It may be accepted that much or most of Facebook Inc’s business activities in so far as those activities related to data processing were carried on in the United States. However, it is also sufficiently arguable for the purpose of granting leave to serve out of the jurisdiction that parts of its business activity in providing a service to Facebook Ireland were carried on in Australia.
138 It is relevant to note in this context that Facebook Inc performed the data processing for all users, wherever situated. The Facebook service links users all over the world. Facebook Inc contracted with North American users and those users authorised Facebook Inc to install, operate and remove cookies. Other users authorised Facebook Ireland to do so. The uploading of data to the Facebook website by a user and the processing of data must occur effectively simultaneously. Although the Data Transfer and Processing Agreement refers to the “transfer” of data by Facebook Ireland to Facebook Inc, it is unrealistic to think that data is first provided by a non-North American user to Facebook Ireland and then transferred to Facebook Inc where it is subsequently processed. The inference is available that data uploaded by an Australian user is received instantaneously by Facebook Inc directly from the user.
D.2.3 Provision of the Graph API
139 As noted at [110] and [111] above, the Commissioner submitted that the evidence indicated that, in addition to processing operations, Facebook Inc managed the Facebook platform which allowed third party app developers to access certain categories of information that Australian users either uploaded or had access to on the Facebook service.
140 The Commissioner referred to the evidence which disclosed that there were Australian-based app developers which were accessing the Graph API to which Facebook provided the service. As noted in Facebook No 1 at [46], the Commissioner summarised the significance of the Graph API in the following way (footnotes omitted):
(6) The Graph API and Facebook Login (Statement of Claim [25]-[38])
23. During the Relevant Period, apps could request personal information from Users’ Facebook Accounts using a tool called the Graph Application Programming Interface (Graph API). The Graph API allowed apps to create a link or interface between the Facebook Website’s “social graph” (being the network of connections through which Users communicated information on the Facebook Website) and the app. Version 1 of the Graph API was in place during the Relevant Period (Graph API V1).
24. The link or interface between the Facebook Website and the app was facilitated by a further tool known as “Facebook Login”. This allowed an installer of an app (Installer) to utilise their Facebook account credentials (username and password) to login to an app. Where an Installer did so, a screen or page would appear on the app requesting the Installer’s permission for the app to request, through the Graph API, certain categories of the User’s personal information as that User had provided to the Facebook Website (Permission Request).
25. Through the Graph API V1, an app could request a wide range of information about not only those Installers who had responded to Permission Requests, but also their Facebook friends who had not installed the app (Friends). This included requests for sensitive information. In response to a request from an app, the Respondents disclosed information about Installers and their Friends to the app, subject to the User’s privacy settings on the Facebook Website … However, a User’s “privacy settings” did not alone control how a User’s personal information was shared with apps, including apps installed by Users’ Friends. Unless a User modified their “app settings”, various categories of the User’s personal information, including sensitive information, would be disclosed to apps installed by their Friends by default …
26. Although the Respondents had in place terms and conditions about what kinds of information an app could request (see the Platform Policy, the relevant terms of which are pleaded at [35] of the Statement of Claim), the Respondents relied upon app developers’ self-assessment that an app complied with these rules. In particular, as is alleged at [36] of the Statement of Claim, the Respondents did not have in place any procedures to approve an app’s ability to make requests of the Graph API V1; nor did it review the privacy policies of the apps themselves.
27. On 30 April 2014, a new version of the Graph API (Graph API V2) was launched by the Respondents. Under Graph API V2, app developers wishing to request more than basic information from Friends and Installers had to undergo a manual app review process (App Review). Such requests would only be approved where, among other things, the additional information clearly improved the User’s experience of the app. However, Facebook allowed apps using Graph API V1 a 12-month ‘grace period’ (Grace Period) to migrate to Graph API V2.
141 A response made by Facebook to an information request from the Commissioner included (footnotes omitted):
Facebook’s Graph Application Programming Interface (“API”) allows developers to build social apps on top of the “social graph” (the Facebook network of real connections through which people communicate and share information). The purpose of Graph API is to make Facebook more connected and social by allowing users to securely and conveniently access other experiences offered by third-party applications of interest to them, should they wish.
Developers using Graph API must comply with all of Facebook’s policies, including our Platform Policy, Terms of Service, and Data Policy. These policies are discussed in greater detail throughout our response …
One of the widely-used features of Graph API is Facebook Login, which enables third-party app developers to request consent from Facebook users to allow their apps to access specified categories of user data. During the currency of V1 Graph API, it also allowed developers to request consent from users to access specific categories of information shared with those users by their Friends (at all times consistent with, and subject to those Friends’ own privacy settings).
142 Facebook Inc noted that the 2013 and 2015 Statements not only governed the contractual relationship with users but also between the relevant Facebook entity and app developers. Section 8 of the 2015 Statement provided:
8. Special Provisions Applicable to Developers/Operators of Applications and Websites
If you are a developer or operator of a Platform application or website or if you use Social Plugins, you must comply with the Facebook Platform Policy.
143 Clause 11.1 of the Facebook Platform Policy referred to in s 8, as in force from 20 August 2013 to 24 July 2014, provided:
XI. License
1. We give you [the app developer] a license to use the code, APIs, data, and tools you receive from us for use with the Facebook Platform. Don’t sell, transfer, or sublicense our code, APIs, or tools to anyone without our prior written permission. If they need a license, they should get it from us.
144 Facebook Inc also pointed to clauses 6.4 and 6.7 in one of the Facebook Platform Policies which stated:
4. You give us all rights necessary to enable your app to work with Facebook, including the right to incorporate information you provide to us into other parts of Facebook, and the right to attribute the source of information using your name or logos.
…
7. You give us the right to link to or frame your app, and place content, including ads, around your app. If you use our social plugins, feed dialog or share button, you also give us permission to use and allow others to use such links and content on Facebook.
145 The Commissioner submitted that Facebook Inc’s provision of the Graph API to Australian apps was one act engaged in by Facebook Inc in Australia which went towards it carrying on business in the jurisdiction. The Commissioner submitted that, assessed with the other factual matters, an inference was reasonably open that Facebook Inc carried on business in Australia within the meaning of s 5B(3)(b).
146 Facebook Inc:
(1) submitted that the relevant contractual arrangements with non-North American app developers were with Facebook Ireland, referring to s 19(1) of the 2013 Statement (s 18(1) of the 2015 Statement);
(2) accepted that the Graph API process was managed by Facebook Inc for all apps on the Facebook platform, including on behalf of Facebook Ireland as provider of the Facebook service to Australia;
(3) submitted that the service which Facebook Inc provided with respect to the Graph API in respect of an Australian developer:
(a) occurred overseas, pursuant to a contract between the Australian app developer and Facebook Ireland; and
(b) resulted in Facebook Ireland, pursuant to its contract with the relevant app developer, making available through its platform means by which users could contract with app developers through the medium of the Facebook platform.
147 Accepting for the purpose of argument that Facebook Inc’s activities in managing the Graph API were performed as a service to Facebook Ireland and that app developers contracted with Facebook Ireland, that does not mean that Facebook Inc did not carry on business, as service provider to Facebook Ireland, in Australia. Whether or not the activity was performed by way of services provided to Facebook Ireland, the fact is that Facebook Inc managed the Graph API process as part of its business. If the inference is open that some of Facebook Inc’s activities in managing the Graph API process were carried out in Australia, it is reasonably arguable that Facebook Inc carried on business in Australia within the meaning of s 5B(3)(b). In my view, the inference is available that a part of Facebook Inc’s activities in making available the Graph API to Australian apps included activity in Australia. The Graph API allowed apps to create a link or interface between the Facebook website’s “social graph” and the app. It is arguable and the inference is open that this involved activity by Facebook Inc in Australia, albeit initiated, controlled or operated remotely, such as the installing and operation of data in various forms.
148 Facebook Inc observed that there was no evidence that Facebook Inc had employees in Australia and there was no evidence that Facebook Inc had a place of business in Australia. The fact that the activity which occurs in Australia might be controlled or facilitated by actions taken remotely and without the need for employees in Australia, does not necessarily mean that no relevant activity is performed by Facebook Inc in Australia. If, for example, an overseas corporation operating a delivery business decided to operate delivery drones in Australia, controlled from overseas, it would not be difficult to conclude that it carried on business in Australia. The same conclusion would flow for an overseas company operating driverless cars engaged in a taxi service in Australia.
D.2.4 Collecting or holding personal information
149 The Commissioner submitted that Facebook Inc collected or held personal information in Australia and this was an activity which pointed to it directly carrying on business in Australia.
150 Both parties addressed this matter in the context of the second requirement which the Commissioner had to establish to the requisite prima facie standard and is, accordingly, dealt with below in Section E in that context. I conclude in Section E that the Commissioner has established a prima facie case that Facebook Inc collected and held information in Australia. The matters referred to in Section E also support the conclusion I have reached that the Commissioner has discharged her onus of showing a prima facie case in the required sense that Facebook Inc carried on business in Australia in the relevant period.
D.2.5 Offering of stock
151 The Commissioner noted that employees of Facebook Australia were offered stock in Facebook Inc following the IPO of the company in 2012. During the relevant period, Facebook Inc was a non-registered organisation in Australia. It lodged three documents with ASIC in 2012, pursuant to a mutual recognition scheme. One of the documents was Facebook Inc’s offer of certain types of stock (“Restricted Stock Units”) to selected Australian resident employees or directors of Facebook Inc or its subsidiaries (which included Facebook Australia) as part of its share based compensation scheme. The document also annexed Facebook Inc’s prospectus for its May 2012 IPO and various other documents lodged with the United States Securities and Exchange Commission. The Commissioner submitted that the fact that Facebook Australia employees were rewarded with stock in Facebook Inc arguably demonstrates the strong connection between the parent company and its Australian subsidiary, which was carrying on business in Australia. I have not placed any weight on this factor in reaching the conclusion that the Commissioner has established a prima facie case that Facebook Inc carried on business in Australia.
D.2.6 Drawing on funds
152 The Commissioner referred to Facebook Inc’s 2012 IPO prospectus which included:
As of March 31 2012, $486 million of the $3,910 million in cash and cash equivalents and marketable securities was held by our foreign subsidiaries. We have provided for the additional taxes that would be due if we repatriated these funds for use in our operations in the United States.
153 The Commissioner submitted that this demonstrated that Facebook Inc considered itself able to draw on funds from its foreign subsidiaries to apply to United States operations. It was submitted that this gave rise to an arguable inference, absent evidence to the contrary, that Facebook Inc’s foreign subsidiaries (including Facebook Australia and Facebook Ireland) were subject to direction from Facebook Inc in respect of those subsidiaries’ funds, which in turn suggested that the parent company was also carrying on business in Australia.
154 Facebook Inc submitted that a general capacity to control is not evidence of agency, referring to what Merkel J said in Bray FCA at [79] and [80]:
For present purposes, I am prepared to accept that, directly or indirectly, the parent or regional parent companies in each group may have the ultimate legal entitlement, as shareholders, to elect the boards of the subsidiaries and therefore, in a practical and commercial sense, have a general capacity to direct and control their commercial operations. The evidence, at this stage, is extremely vague and uncertain as to whether, and if so to what extent, that capacity was exercised other than in the course of implementing the cartel arrangement. Of course, that implementation involved the parents, directly or indirectly, in supplying and fixing prices for the class vitamins. However, putting to one side any alleged illegality attending the implementation of the cartel arrangement, the situation described above reflects a quite unexceptional commercial and legal relationship which commonly exists between overseas parent and regional companies and their Australian subsidiaries in a vertically integrated worldwide group of companies.
In my view something more than the indirect legal and commercial capacity of the parent companies to control and direct the subsidiaries, plus the parent’s involvement in implementing the cartel arrangement, is required to lift the corporate veil between the subsidiaries and their parents or to find that each of the subsidiaries is carrying on its business as agent for the parent. That is particularly so where it is contended ( as it is in the present case) that the parent, rather than the subsidiary, is carrying on business in Australia or, put another way, the subsidiary is engaging in all of its commercial activities on behalf of, and therefore as agent for, the parent.
155 Likewise, the fact that an overseas parent might have the ability to influence or control funds being paid to it by a subsidiary does not, of itself, indicate that the parent is carrying on business in the jurisdiction in which the subsidiary carries on business. I have not placed any weight on this factor in reaching the conclusion that the Commissioner has established a prima facie case that Facebook Inc carried on business in Australia.
D.3 Conclusion: carries on business
156 For the reasons given in sections D.2.2 (installation, operation and removal of cookies) and D.2.3 (provision of the Graph API) and the further reasons given in Section E below concerning whether a prima facie case has been established that Facebook Inc collected or held information within the meaning of s 5B(3)(c), I am satisfied that the Commissioner has established a prima facie case, in the required sense, that Facebook Inc carried on business in Australia within the meaning of s 5B(3)(b). In summary, the Commissioner has established a sufficient prima facie case that Facebook Inc carried on business in Australia which included providing services to Facebook Ireland.
E COLLECTED OR HELD PERSONAL INFORMATION
157 As noted in Section B above, the second matter in respect of which the Commissioner was required to show a prima facie case was that the personal information was collected or held by Facebook Inc in Australia at the relevant time.
158 It is sufficient for the Commissioner to establish a prima facie case with respect to either collecting or holding personal information. Section 5B(3)(c) of the Privacy Act provides:
(3) An organisation or small business operator also has an Australian link if all of the following apply:
…
(c) the personal information was collected or held by the organisation or operator in Australia or an external Territory, either before or at the time of the act or practice.
159 Section 6 of the Privacy Act defines “personal information” in the following way:
personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.
E.1 Collects
160 Section 6 defines “collects” in the following way:
collects: an entity collects personal information only if the entity collects the personal information for inclusion in a record or generally available publication.
161 This definition operates by limiting what would ordinarily be understood by the word “collects”. The ordinary meaning of “collects” is to gather, assemble, accumulate or make a collection. When the s 6 definition of “collects” is read into s 5B(3)(c), it is apparent that para (c) is only satisfied, inter alia, if the collecting of information is for “inclusion in a record or generally available publication”. Put another way, an entity can collect information without falling within para (c) where the collecting is not for “inclusion in a record or generally available publication”. Paragraph (c) also includes a territorial limitation, namely that the collecting must be in Australia.
162 As noted at [43] above, the Explanatory Memorandum to the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth) included:
Item 6 Subsection 5B(3)
…
The collection of personal information ‘in Australia’ under paragraph 5B(3)(c) includes the collection of personal information from an individual who is physically within the borders of Australia or an external territory, by an overseas entity.
For example, a collection is taken to have occurred ‘in Australia’ where an individual is physically located in Australia or an external Territory, and information is collected from that individual via a website, and the website is hosted outside of Australia, and owned by a foreign company that is based outside of Australia and that is not incorporated in Australia. It is intended that, for the operation of paragraphs 5B(3)(b) and (c) of the Privacy Act, entities such as those described above who have an online presence (but no physical presence in Australia), and collect personal information from people who are physically in Australia, carry on a ‘business in Australia or an external Territory’.
163 The Commissioner observed that the word “collects” must be read in the context of the statute as a whole and must have a different operation to that which is captured by the word “holds”. Section 6 (discussed in more detail below) defines “holds” in the following way:
holds: an entity holds personal information if the entity has possession or control of a record that contains the personal information.
164 Facebook Inc emphasised that the personal information which had to be collected or held by it was the personal information with which the proceedings were concerned. In response, the Commissioner submitted that nothing suggested that Facebook’s general operations and contractual relationships were not applicable to all types of information and, therefore, necessarily also the personal information the subject of the proceedings. As noted earlier, a user had to proffer certain information to open a Facebook account including their name, date of birth, gender and an email address or, from early 2015, a mobile phone number. Users were able to add further personal information into their Facebook profile including a profile picture, the person’s hometown, educational history, work experience, relationship status, occupation, political and religious views, interests and photographs. Users could create and “post” content on the Facebook website. A post could take various forms including: freeform text, photographs, videos, “check-ins” (indicating a user’s geographic location at a particular time), and links to websites (such as articles on news websites). I accept that this was arguably “personal information” within the meaning of s 6 of the Privacy Act. For reasons expanded upon below, particularly at [172], I also accept that, if the Commissioner has otherwise established a prima facie case that s 5B(3)(c) was met, there is a prima facie case that the personal information included the information the subject of the proceeding.
165 The Commissioner submitted that the key question in deciding whether information has been collected within the meaning of s 5B(3)(c) is not how the information was obtained or whether it was internally generated or transferred between two entities, but whether or not the information was intended for inclusion or included in a record or generally available publication. The Commissioner submitted that the conclusion was open that the information was collected for inclusion in a record because Facebook Inc in fact made a record of the personal information of Australian users in the United States or elsewhere for the purposes of providing the Facebook service to North American users upon that data being transferred to Facebook Inc by Facebook Ireland under the Data Transfer and Processing Agreement.
166 The Commissioner submitted that the evidence revealed a prima facie case that Facebook Inc: (a) in fact collected Australian users’ personal information in Australia directly from those users; and/or (b) “constructively” collected such information through Facebook Ireland.
E.1.1 Direct or actual collection
167 The Commissioner submitted that the conclusion was open that data was instantaneously transferred to Facebook Inc at the time the data was uploaded by an Australian user such that Facebook Inc directly collected the information. The Commissioner also relied upon three further matters as indicating a prima facie case of direct collection of personal information by Facebook Inc of personal information from Australian users:
(1) the use of caching servers;
(2) the installation, operation and removal of cookies; and
(3) various responses given to questions asked by the Commissioner.
168 The Commissioner asked Facebook a number of questions in a letter dated 2 May 2019. The covering letter under which Facebook’s response was sent indicated: “we use ‘Facebook’ to refer to all relevant Facebook entities”. Facebook gave the following answer in a response to a question put by the Commissioner during her investigation (italics added for emphasis):
7. Identify the location of and the owner of the servers used by Facebook Ireland to provide the service in paragraph 5 above?
For the purposes of this response, we have assumed that the term “servers” has been used to refer to computers on which data or content is stored and made available for access by users. User content and applications used to deliver the Facebook service are stored in various data centres around the world. Facebook group companies own or lease data centres in the United States, Ireland (Clonee), Sweden (Luleå), Denmark (Odense) and Singapore. Taking a simplified view of our architecture, data centres store full copies of user data as well as the full suite of applications and services used for the Facebook service. Like other global technology companies, Facebook relies on other types of equipment (such as network equipment and caching servers) which operate to reduce latency and transaction times for geographically proximate users (including in Australia). These nodes improve connection and delivery times, but do not otherwise store data.
169 The Commissioner placed particular reliance on the last two sentences, italicised above. The Commissioner submitted that the use of the word “otherwise” indicated that the equipment located in Australia (including network equipment and caching servers) stored data to improve connection and delivery time. The equipment would not be geographically proximate to Australian users unless located in Australia. I accept those submissions.
170 Facebook’s response does not specifically identify which entities owned the equipment located in Australia, except that it was a Facebook entity. An inference is open to be drawn from this response that Facebook Inc was one such entity.
171 The inference is also open that the information in the form of data was collected for the purpose of storing the data in caching servers to allow it to be quickly accessed, including by other users. The inference is open that the data uploaded and stored in caching servers located in Australia was instantaneously available upon upload. It is open to conclude that the data was not transferred to those caching servers by Facebook Ireland in the sense of it having first been received by Facebook Ireland and then transferred.
172 Facebook Inc submitted that there was no material which allowed for an inference that the information collected or held (temporarily) on caching servers was the personal information the subject of the proceedings. Facebook Inc submitted that it was only information of a particular kind which was cached and there was no evidence that the personal information the subject of the proceedings was information of that kind. Facebook Inc’s submission appeared to be based on the incorrect assumption that the personal information the subject of the proceedings was limited to the information specifically provided by Facebook to the “This is Your Digital Life” app. In fact, the personal information relied upon is the broad kind of personal information referred to at [164] above. It is open to conclude that that type of information, such as videos and photos, was precisely the kind of information likely to be stored on caching servers. In any event, the personal information that the “This is Your Digital Life” app was permitted to access through the Graph API was broad and the inference is available that it included information likely to have been stored on caching servers in Australia.
173 I am satisfied that the Commissioner has established a prima facie case that Facebook Inc directly collected (and stored) information in Australia through caching servers located in Australia.
E.1.1.2 Installation, operation and removal of cookies
174 As noted in Section D.2.2 above, a part of Facebook Inc’s processing activities included the installation, operation and removal of cookies on Australia users’ devices. One stated purpose of this activity was to “deliver, understand and improve advertising”. The inference is also open, from the terms of the Data Use Policy set out at [124] above, that one reason for installing and operating cookies was to store information about users on their devices or in their browser caches and about their use of Facebook; see also: [125] above. Another processing activity for which Facebook Inc was responsible was “[t]argeting advertisements and … assess[ing] their effectiveness”. These matters support the inference that the information uploaded by users is instantaneously provided to Facebook Inc. These matters also support the inference that, as part of its business activities, Facebook Inc collected (and stored) information directly from Australia users. It arguably does not matter for the case brought by the Commissioner that Facebook Inc’s activities in this respect were undertaken in performance of a contract with Facebook Ireland and by way of providing services to Facebook Ireland.
175 I am satisfied that the Commissioner has established a prima facie case that Facebook Inc directly collected (and stored) information in Australia through its installation and operation of cookies.
E.1.1.3 Responses to Commissioner’s questions
176 The Commissioner submitted that the various responses given by Facebook Inc and Facebook Ireland to questions posed by the Commissioner left open an inference that Australian users’ data was in practice instantaneously transferred to Facebook’s data storage facilities (or “Data Centers”) at the time the data was provided to the Facebook website or associated mobile applications by an Australian user.
177 Facebook Ireland answered the following questions in the following way:
4. Between 12 March 2014 and 17 December 2015 did Facebook Ireland:
a. collect any personal information of Australian Users?
b. store any personal information of Australian Users?
Facebook Ireland was the provider of the Facebook service to users outside of the United States and Canada, including Australian Users, between 12 March 2014 and 17 December 2015. At all times during this period, Facebook Ireland was responsible, in that capacity, for the collection and storage of personal information of Australian Users through the Facebook service.
c. make available for access by any third party any personal information of Australian Users?
d. make available for access by the “thisisyourdigitallife” app (the Life app) any personal information of Australian Users?
Information shared by Australian Users on the Facebook service was available for access by other users on the Facebook service to the extent permitted by the choices (including choices regarding their privacy settings) of those Australian Users.
As we stated in our previous response dated 6 July 2018, as part of the Facebook service, Facebook Ireland provided an API called Facebook Login through which third party app developers could request permission directly from users to access certain categories of information that those users either uploaded or had access to on the Facebook service. Facebook Login did not allow third party app developers to have direct access to Facebook Ireland’s systems or to user data.
Through its use of Facebook Login, the Life app may have had access to certain limited categories of personal information about Australian Users in this way. However, as we have noted in previous responses, this would have depended in each case on a number of factors, including:
• whether or not the Australian Users had installed the Life app, or were friends on the Facebook service with a user who had installed the Life app, during the relevant period; and
• the privacy settings the Australian Users had in place during the relevant period.
We also note that, as explained in previous responses, the Life app’s access to information about Australian Users was restricted from May 2015 following changes made to Facebook Login.
178 In response to a notice issued under s 44 of the Privacy Act, Facebook Ireland provided the following answers to questions:
3 Names of any and all Facebook entities that:
a. collected or received, directly or indirectly, any personal information of Australian Users and the purpose for which the entity collected the personal information;
Facebook Ireland was the provider of the Facebook service to Australian Users between 12 March 2014 and 17 December 2015. At all times during this period, Facebook Ireland was responsible, in that capacity, for the collection and storage of personal information of Australian Users through the Facebook service.
The purposes for which the personal information was collected were as set out in the Facebook Data Policy. We have produced copies of the Facebook Data Policy as it applied over the period between 12 March 2014 and 17 December 2015 (see FBI.001.001.0036 and FBI.001.001.0051).
b. stored any personal information of Australian Users;
The processing of information about Australian Users stored in data centres was exclusively under the control of Facebook Ireland and not any other Facebook entity. During the period between 12 March 2014 and 17 December 2015, personal information of Australian Users was stored in data centres located in the United States or Sweden (Luleå), which were used at the time by Facebook Ireland to provide the Facebook service to Australian Users. All relevant US data centres were owned or leased by Siculus Inc., Andale, Inc., Vitesse, LLC, or Facebook Operations, LLC, entities within the Facebook group of companies, and the Luleå data centre was owned by Pinnacle Sweden AB., also an entity within the Facebook group of companies.
c. had a right to access any personal information of Australian Users stored by another Facebook entity;
Please see the response to Question 2 above.
d. made available for access, by any third party, any personal information of Australian Users;
Information shared by Australian Users on the Facebook service was available for access by other users on the Facebook service in accordance with the Facebook Data Policy and to the extent permitted by the settings choices (including choices regarding their privacy settings) of those Australian Users.
The Facebook service included an API called Facebook Login through which third party App developers could request permission directly from users to access certain categories of information that those users either uploaded or had access to on the Facebook service.
e. made available for access by the Life App any personal information of Australian Users, including but not limited to Installers and/or Friends.
Through its use of Facebook Login, the Life App may have had access to certain limited categories of personal information about Australian Users in the manner described in the response to Question 3(d) above. However, this would have depended in each case on a number of factors, including:
• whether or not the Australian Users were Installers or Friends; and
• the privacy settings the Australian Users had in place during the relevant period.
We also note that, the Life App’s access to information about Australian Users was restricted from May 2015 following changes made to Facebook Login.
179 Facebook Inc gave the following answers in response to a notice issued under s 44 of the Privacy Act:
5 If Facebook Inc collected or stored the personal information of Australian Users, including personal information collected from another entity, please identify:
a. the purposes for which Facebook Inc collected or stored the personal information;
Facebook Ireland was the provider of the Facebook service to Australian Users between 12 March 2014 and 17 December 2015. At all times during this period, Facebook Ireland was responsible, in that capacity, for all processing of personal information of Australian Users through the Facebook service.
Facebook Inc performed data processing activities for Facebook Ireland during this time as contemplated by the Data Transfer and Processing Agreement between Facebook Ireland (as data exporter) and Facebook Inc (as data importer) dated 13 November 2013 (see FBI.001.006.0016). As set out in that agreement, Facebook Inc was obliged to follow instructions from Facebook Ireland in relation to relevant processing activities. In addition, all of those activities took place outside Australia.
The purposes for which the personal information was collected and stored were as set out in the Facebook Data Policy.
b. the number of Australian Users whose personal information was collected by Facebook Inc under:
i. the Data Transfer and Processing Agreement dated 13 November 2013;
ii. any amended versions of the above agreement; and
iii. any other contract or agreement effective in the period 12 March 2014 to 17 December 2015.
The arrangements described in response to Question 5(a) above applied for all Australian Users. There are no amended versions of the Data Transfer and Processing Agreement or other contracts or agreements relevant to this Question.
180 These responses indicate that personal information of Australian users was stored outside of Australia in data centres located in the United States or Sweden, none of which were owned or leased by Facebook Inc. Facebook Inc accepted it was arguable that Facebook Ireland collected the personal information because the entities which owned or leased the data centres were collecting the personal information on behalf of Facebook Ireland, the data controller. Facebook Inc accepted that the contracts with users permitted the information to be passed on, but submitted that collection had occurred by that point.
181 The Commissioner submitted that, whilst these responses were astute to identify that it was Facebook Ireland that was responsible for the provision of the Facebook service to Australian users and responsible in that capacity for all processing of personal information through the Facebook service, the responses did not identify the entity actually performing the act of collection of the Australian users’ personal information.
182 The Commissioner submitted that, read alongside the uncontroversial fact that Facebook Inc performed data processing activities in respect of Australian users’ data, the inference was open that personal information was instantaneously and physically collected by Facebook Inc for processing under the Data Transfer and Processing Agreement.
183 As noted above, I consider it arguable that Facebook Inc collected personal information by reason of the matters referred to above in relation to caching servers and in relation to the installation and operation of cookies. Those matters, together with the matters referred to next, also support a prima facie case that the personal information was instantaneously obtained by Facebook Inc, as opposed to being “transferred” to it, with the result that it is arguable that Facebook Inc “collected” the information within the meaning of s 5B(3)(c).
184 It is arguable in the present context that multiple entities can collect the same information. Facebook Inc’s submission that Facebook Ireland collects the information and that, at the time it transfers the information to Facebook Inc for processing, the process of collection is complete, might conform to the words in or ideas generated by the relevant contracts, but it does so at the expense of reality; see also: [138] above.
185 An inference is open that Facebook Inc collected the personal information of Australian users for processing. That Facebook Inc might have collected the information pursuant to a contract under which it provided services to Facebook Ireland does not immunise it from a prima facie case that it collected the information within the meaning of s 5B(3)(c). It is arguable that, assuming Facebook Ireland collected the information, Facebook Inc can also and simultaneously collect the same information. The precise ambit of the word “collects” does not need to be determined on this application. It is sufficient if there is a prima facie case that Facebook Inc collected personal information. In my view there is. Having regard to the terms of the Explanatory Memorandum, the fact that the personal information is uploaded in Australia and stored on Australian users’ devices and browser caches and on caching servers arguably owned or operated by Facebook Inc in Australia, it is arguable that Facebook Inc collected the personal information in Australia.
E.1.2 Constructive collection
186 The Commissioner submitted it was reasonably arguable that, to the extent information of Australian users was collected by Facebook Ireland, the information so collected was transferred to Facebook Inc for data processing and to allow Facebook Inc to provide the Facebook service to users located in North America.
187 The Commissioner submitted that Facebook Inc could be regarded as having “constructively” collected the information and that this was arguably sufficient for a conclusion that Facebook Inc collected information in Australia within the meaning of s 5B(3)(c).
188 The Commissioner submitted it was reasonably arguable that:
(1) the concept of collection under the Privacy Act captured a circumstance in which one entity physically collects personal information and that information is then transferred to another entity to enable the second entity to offer a service;
(2) Facebook Inc made a record of the personal information of Australian users for the purpose of providing the Facebook service to North American users upon that data being transferred under the Data Transfer and Processing Agreement;
(3) the phrase “in Australia”, as used in s 5B(3)(c), included collection “from an individual within Australia”; the fact that the repository of the personal information collected might not be physically located in Australia does not exclude the operation of the statutory provision.
189 As noted at [43] above, the Explanatory Memorandum to the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth) included:
Item 6 Subsection 5B(3)
…
The collection of personal information ‘in Australia’ under paragraph 5B(3)(c) includes the collection of personal information from an individual who is physically within the borders of Australia or an external territory, by an overseas entity.
190 Facebook Inc submitted that all the Explanatory Memorandum supported as arguable was a conclusion that Facebook Ireland collected information, not that Facebook Inc could be regarded as having collected the information.
191 The Commissioner relied upon the fact that it was arguable that Facebook Inc operated networking equipment and caching servers in North America which contained Australian users’ information indicating that the information was collected for the purpose of Facebook Inc’s provision of the Facebook service to North American users. This is relevant to the requirement in s 5B(3)(c) that the information be collected “for inclusion in a record or generally available publication” – see: definition of “collects” in s 6 of the Privacy Act. The Commissioner did not submit that operating caching servers in North America meant that information was collected “in Australia”.
192 It is not necessary to reach a view concerning “constructive” collection given my earlier conclusion that the Commissioner has established a prima facie case that Facebook Inc directly collected information in Australia and the view I express next that the Commissioner has established a prima facie case that Facebook Inc held information in Australia.
E.2 Holds
193 As noted earlier, s 5B(3)(c) provides:
(3) An organisation or small business operator also has an Australian link if all of the following apply:
…
(c) the personal information was collected or held by the organisation or operator in Australia or an external Territory, either before or at the time of the act or practice.
194 As noted earlier, s 6 defines “holds” in the following way:
holds: an entity holds personal information if the entity has possession or control of a record that contains the personal information.
195 The Commissioner submitted that the phrase “possession or control” included control though an agent and that control need not be exclusive. The Commissioner submitted it was reasonably arguable that, to the extent that Australian users’ personal information was physically located in caching servers in Australia, those caching servers were arguably controlled by Facebook Inc, such that Facebook Inc held personal information in Australia for the purposes of s 5B(3)(c). I accept that argument.
196 As noted earlier, the material also indicates a prima facie case that Facebook Inc held personal information through its installation and operation of cookies, through which Facebook Inc arguably stored information about users on their devices or in their browser caches.
197 The Commissioner also referred to Facebook Inc’s obligations under the Data Transfer and Processing Agreement. By cl 5(a) read with Appendix 1, Facebook Inc was obliged to process personal data transferred to it, including to facilitate communication across the Facebook platform. It is open to infer that Facebook Inc held the processed data to make it available to users across the Facebook platform, including by holding data in caching servers, including in Australia. To the extent Facebook Inc held information outside of Australia, such holding of information would not satisfy s 5B(3)(c) because the holding must be “in Australia”.
F CONCLUSION
198 The Commissioner has discharged her onus of establishing a prima facie case for relief sufficient to warrant service on Facebook Inc in the United States. It follows that the basis on which Facebook Inc sought a discharge of the orders permitting such service has not been made out and the interlocutory application should be dismissed.
I certify that the preceding one hundred and ninety-eight (198) numbered paragraphs are a true copy of the Reasons for Judgment herein of the Honourable Justice Thawley. |
