Australian Facebook judgment - privacy lessons for New Zealand organisations

9 March 2022

In February 2022, the Full Federal Court of Australia delivered a judgment that Facebook Inc. (Facebook) may be subject to the extra-territorial provisions of the Privacy Act 1988 (Cth) (Australian Privacy Act) - a signal that other overseas entities (including New Zealand agencies) could also potentially be caught by the Australian legislation in specific circumstances.

The court's decision (Facebook Inc. v Australian Information Commissioner) hinged on how the phrase "carrying on business in" Australia applies in relation to the installation and use of cookies on Australian devices, and the provision of secure log-in APIs to Australian developers.  The same phrase of "carrying on business in New Zealand" is also used in the equivalent provision in the Privacy Act 2020 (NZ Privacy Act).

While it is important to note that the Australian federal court decision was a procedural decision, the judgment is useful for two reasons:

  • It serves as a warning to New Zealand organisations using cookies or other similar data collection methods for their users based in Australia - such use may be enough to require compliance with the Australian Privacy Act
  • It also serves as a reminder of the potential extra-territorial application of our own NZ Privacy Act which may apply to overseas organisations doing business in New Zealand.
What did the Australian court decide?

The federal court held that, through Facebook's installation of cookies on Australian users' devices, it was carrying on business in Australia under section 5B(1A) of the Australian Privacy Act.  This was because:

  • A core business of Facebook is the monetisation of information and data that it collects from its users, and that "acts done to collect, store, analyse, organise, distribute and deploy the information about people and their lives are integral to the methods of monetisation or extracting commercial value from the information" [3]
  • Both the Data Processing Agreement between Facebook Inc. and Facebook Ireland, as well as Facebook's 2013 Data Use Policy, established that cookies were installed on devices physically located in Australia to collect users' personal information.

Notably, it was not determinative that the following traditional indicia of business presence did not apply to Facebook's operation in Australia: physical presence, commercial contracts, employed personnel, paying customers, or direct derivation of revenue.  The court felt that this was "not an overly useful observation in the present context because it does not engage with the consequences of the two attributes it does actually have in Australia" [85], being (1) the installation and removal of cookies on devices of Facebook users and (2) managing the provision by Australian developers to Australian users of the Facebook log-in API.

A warning for New Zealand organisations

The ramifications of this decision for overseas businesses that engage with Australian users over the internet have not yet crystallised.  Regulators in Australia may wait for the facts to be considered at a full trial before applying the court's reasoning to other contexts, and the court disagreed that its decision would beleaguer the Australian legal system with "the menace of opened floodgates" [75].

The judgment gave particular attention to the centrality of cookie data to Facebook's core revenue-generating operations.  Not all businesses that collect data through cookies will have the same link between their data collection and their commercial activities, and the court was careful to warn against assuming a "one-size-fits-all" approach [75].

This analysis may narrow the scope of how this decision could be applied in other Australian cases.  However, the decision warrants some caution from New Zealand operators that are collecting and processing data of people in Australia through the use of cookies.  If the data your business or organisation collects through the use of cookies installed on Australian devices is integral to the nature of your revenue-generating activities (whether in Australia or elsewhere), then the court's decision signals that your business may be subject to the Australian Privacy Act.

A reminder of the NZ Privacy Act's extra-territorial jurisdiction

The equivalent provision in the NZ Privacy Act (section 4(2)(b)) states that the Act applies to "an overseas agency (B), in relation to any action taken by B in the course of carrying on business in New Zealand in respect of personal information collected or held by B".  If the New Zealand courts take the same approach as the Australian court, then the installation and use of cookies on user devices located in New Zealand could be regarded as within "the course of carrying on business in New Zealand", and the NZ Privacy Act would apply to those overseas agencies in respect of those actions.

Such a decision would, in our view, be consistent with both the language of the NZ Privacy Act and guidance issued by the Privacy Commissioner to date.  Section 4(3) of the NZ Privacy Act expressly provides that an agency may be treated as carrying on business in New Zealand without necessarily: (a) being a commercial operation; (b) having a place of business in New Zealand; (c) receiving any monetary payment for the supply of goods or services; or (d) intending to make a profit from its business in New Zealand.  In addition, guidance issued by the Office of the Privacy Commissioner (OPC) on section 4(3) further lists factors such as repetitive, systematic or continuing use of personal information in New Zealand, websites targeted at New Zealanders, and the holding of trademarks and registered web domains in New Zealand as indicators of an entity "carrying on business" in New Zealand.

Watch this space

As noted above, the Australian judgment was procedural - it was not a full trial on this point but rather a determination that a prima facie case exists.  We will await with interest further developments at full trial.  This may occur in the United States.