Australian Facebook judgment - privacy lessons for New Zealand organisations
9 March 2022
In February 2022, the Full Federal Court of Australia delivered a judgment that Facebook Inc. (Facebook) may be subject to the extra-territorial provisions of the Privacy Act 1988 (Cth) (Australian Privacy Act) - a signal that other overseas entities (including New Zealand agencies) could also potentially be caught by the Australian legislation in specific circumstances.
While it is important to note that the Australian federal court decision was a procedural decision, the judgment is useful for two reasons:
- It serves as a warning to New Zealand organisations using cookies or other similar data collection methods for their users based in Australia - such use may be enough to require compliance with the Australian Privacy Act
- It also serves as a reminder of the potential extra-territorial application of our own NZ Privacy Act which may apply to overseas organisations doing business in New Zealand.
What did the Australian court decide?
The federal court held that, through Facebook's installation of cookies on Australian users' devices, it was carrying on business in Australia under section 5B(1A) of the Australian Privacy Act. This was because:
- A core business of Facebook is the monetisation of information and data that it collects from its users, and that "acts done to collect, store, analyse, organise, distribute and deploy the information about people and their lives are integral to the methods of monetisation or extracting commercial value from the information" 
- Both the Data Processing Agreement between Facebook Inc. and Facebook Ireland, as well as Facebook's 2013 Data Use Policy, established that cookies were installed on devices physically located in Australia to collect users' personal information.
Notably, it was not determinative that the following traditional indicia of business presence did not apply to Facebook's operation in Australia: physical presence, commercial contracts, employed personnel, paying customers, or direct derivation of revenue. The court felt that this was "not an overly useful observation in the present context because it does not engage with the consequences of the two attributes it does actually have in Australia" , being (1) the installation and removal of cookies on devices of Facebook users and (2) managing the provision by Australian developers to Australian users of the Facebook log-in API.
A warning for New Zealand organisations
The ramifications of this decision for overseas businesses that engage with Australian users over the internet have not yet crystallised. Regulators in Australia may wait for the facts to be considered at a full trial before applying the court's reasoning to other contexts, and the court disagreed that its decision would beleaguer the Australian legal system with "the menace of opened floodgates" .
The judgment gave particular attention to the centrality of cookie data to Facebook's core revenue-generating operations. Not all businesses that collect data through cookies will have the same link between their data collection and their commercial activities, and the court was careful to warn against assuming a "one-size-fits-all" approach .
A reminder of the NZ Privacy Act's extra-territorial jurisdiction
Such a decision would, in our view, be consistent with both the language of the NZ Privacy Act and guidance issued by the Privacy Commissioner to date. Section 4(3) of the NZ Privacy Act expressly provides that an agency may be treated as carrying on business in New Zealand without necessarily: (a) being a commercial operation; (b) having a place of business in New Zealand; (c) receiving any monetary payment for the supply of goods or services; or (d) intending to make a profit from its business in New Zealand. In addition, guidance issued by the Office of the Privacy Commissioner (OPC) on section 4(3) further lists factors such as repetitive, systematic or continuing use of personal information in New Zealand, websites targeted at New Zealanders, and the holding of trademarks and registered web domains in New Zealand as indicators of an entity "carrying on business" in New Zealand.
Watch this space
As noted above, the Australian judgment was procedural - it was not a full trial on this point but rather a determination that a prima facie case exists. We will await with interest further developments at full trial. This may occur in the United States.