The Federal Court of Australia recently confirmed the wide extraterritorial application of the Privacy Act 1988 (Cth) and the notion of holding personal information without physical presence in Australia.
The origin of this decision dates back to the Facebook-Cambridge Analytical scandal in 2018. With the discovery of Facebook’s unethical data harvesting practices, the Australian Information Commissioner instituted proceedings against Facebook over the alleged contravention of Principles 6 and 11 of the Privacy Act. Facebook’s primary counterargument was that by virtue of being a social media platform headquartered in the US, there was no ‘Australian link’ present in this case.
The Federal Court broke down the Australian link requirement of the Privacy Act into the two elements of carrying on business in Australia and collecting or holding personal information in Australia. By examining the use of cookies on devices such as mobile phones and computers to target advertising at users, as well as an application programming interface (API) used to connect users to Facebook’s web services, the Federal Court held that Facebook did in fact carry on business in Australia. It did not matter in the eyes of the Court that Facebook had no physical assets or local revenues in Australia to satisfy the first limb of the Australian link requirement. Secondly, in regard to collecting or holding personal information in Australia, the Court rejected the Commissioners argument of using caching servers and collecting information via instantaneous transfer. There was not enough evidence to suggest that these two methods allowed Facebook to collect or hold personal information in Australia. However, the Court instead again relied on the use of cookies installed on users’ devices to demonstrate a right to possession under the Privacy Act.
As such, the Privacy Act was held to apply to Facebook despite being overseas via a substantial Australian link. This decision has widespread implications for other digital platforms and social media companies as the Federal Court has clarified that the Australian link requirement is now easier to satisfy thanks to modern technology. It is likely that other international organisations with an Australian link will updated their privacy policies in accordance with Australian privacy legislation.
For the full reading of the case, see here.