The way the cookie crumbles: Facebook / Meta loses Privacy Act Appeal
The Full Federal Court of Australia recently handed down their decision dismissing an appeal from Meta (Formerly Facebook) which challenged the validity of service of a lawsuit against Meta on the grounds that Meta either conducted business nor collected personal information within Australia.
The litigation against Meta arose from alleged "serious and repeated interferences with privacy in contravention of Australian privacy law" arising from the Cambridge Analytica scandal of 2018. Cambridge Analytica harvested the personal data of millions of Facebook’s consumers without their consent using a personality test app called ‘This is Your Digital Life.’ The data harvested was notably used for the Brexit campaign in 2016 for targeted advertising.
The Office of the Australian Information Commissioner (OAIC) announced proceedings in 2020 in the Federal Court of Australia against Facebook Inc – the U.S. based parent company – as well as its Irish subsidiary, Facebook Ireland Limited.
The latest proceedings saw the Full Federal Court sensationally throw out Facebook’s argument that, as it did not carry out business or collect and hold personal information in Australia, it could not be sued under the Privacy Act 1988 (Cth). Chief Justice Allsop and Justices Perram and Yates noted (at ) that Facebook’s arguments were
divorced from reality
The Full Federal Court held that it was sufficient that Facebook installed cookies on the physical devices of Australian consumers on behalf of its parent company and other subsidiaries – which forms a critical operational mechanism for the Facebook platform, where those cookies stored a variety of data used in the platform.
The Court also rejected Meta’s contention that finding that any website accessible within Australia carries on business in Australia would ‘open the floodgates’ for litigation against tech service providers, with Perram noting (at  and ) that the matter related to a narrow appeal of an interlocutory matter, and that the facts would drive the analysis, specifically a simple password cookie was identified as something which may be treated differently to a complex cookie (as was used by Facebook).
The Court also rejected Facebook’s argument likening their business to sending mail by post. Facebook relied upon the fact that their datacentres transmitted signals to Facebook user’s devices and subsequent to this, the transmission changed the digital state of those devices. Facebook compared this to an international post model, where the recipient of an international letter acted in a way so much that an economic benefit might accrue to them. Facebook contended that this model meant that it could not operate within Australia.
Importantly, the Federal Court noted at :
Whether a particular foreign-based business providing goods or services in this country carries on business here will depend on the nature of the business being conducted and the activity which takes place in this country. There is no one size fits all answer to this question. Correspondingly, the menace of opened floodgates from which Facebook Inc was commendably keen to protect the Australian legal system, is in my view very much overstated.
The decision may be held up as a broadening of the test of when a business is doing business in Australia, the Court was at pains to qualify the position and emphasize that the facts determine each case. However, being potentially the subject of the full weight of the laws of another jurisdiction is a matter which is serious and needs careful consideration for each business, particularly given our globally connected and increasingly decentralised world.