On 7 February 2022, the Full Federal Court unanimously agreed with the first instance judge that Facebook was carrying on a business in Australia for the purposes of the Privacy Act, when it installed and deployed cookies on users’ computers in Australia as well as providing an interface to Australian app developers, despite Facebook getting no revenue from Australia. This was only for the purposes of the Privacy Act, and was decided only to a ‘prima-facie’ basis. Nonetheless, the case has ‘mouth watering’ potential application to taxation of the digital global economy – which has had the attention of the OECD BEPS project for many years now.
In this case, the US company: Facebook Inc provided the Facebook platform to US users and its subsidiary: Facebook Ireland provided the platform to the rest of the world. Facebook Inc. had a ‘data processing’ agreement with Facebook Ireland, for which it had to place ‘cookies’ on Australian terminals and provide facilities for Australian developers to engage with the Platform.
The evidence was clear that the installation of cookies took place in Australia and that an offshore Facebook subsidiary’s use of cookies formed an important part of the operation of the whole Facebook platform – it was not an “outlier activity”. Accordingly, the Court confirmed that the installation of cookies in Australia, by Facebook Inc, occurred in the conduct of providing data processing and otherwise its business of globally monetarising its global platform.
I’ve reproduced a number of paragraphs from the judgement, which explain the issues at stake, how they came to Court, the basis on which the decision was made, and how this does NOT necessarily flow into the other circumstances when the concept of ‘carrying on business’ in one place or another arises. For instance, it was a consideration that the Privacy Act was about facilitating, whilst protecting the flow of information ‘information’, overseas – which was what was happening here. The Court noted that ‘information’ is not ‘physical’ and this helped explain why a US company could carry on business in Australia, without any physical presence at all.
The scope and type of personal information gathered, analysed and monetarised is staggering (to one of my age, in any event). This is set out in one of the judgment paragraphs below. It gives one some idea about how invasive the Facebook platform is.
This case remains, however, of considerable interest to the tax community, in my opinion, to examine its potential for applying in Australia and elsewhere.
(Facebook Inc v Australian Information Commissioner [2022] FCAFC 9, Full Federal Court, Allsop CJ, Perram and Yates JJ, 7 February 2022.)
Tax Month – February 2022 – Previous 2022] 19.2.22 [LTN 34, 22/2/22]
EXTRACTS FROM JUDGEMENT
Perram J gave the principal judgement and explained (in para 12) that this action had its genesis in mis-use of private information in the Facebook–Cambridge Analytica scandal and how the ‘carries on business in Australia’ issue arose – broadly in getting leave to serve Facebook overseas. To do so the Privacy Commissioner had to establish a ‘prima-facie’ case, which has to do with the capacity of the Privacy Act to apply to Australian private data sent to the USA for processing. The application of that act depended on having an ‘Australian link’ and one of the ways of establishing that, was carrying on business in Australia.
12 This application for leave to appeal arises out of the Facebook–Cambridge Analytica scandal and a Facebook application known as This Is Your Digital Life. It involves the apparently short question of whether the Australian Information Commissioner should have leave to serve her proceedings on Facebook Inc. Facebook Inc is incorporated in Delaware and is based in California. It is therefore ‘a person in a foreign country’ such that, irrelevant exceptions aside, leave is necessary before it can be served overseas with an originating process: rr 10.42 and 10.43(1)(a) of the Federal Court Rules 2011 (Cth). Generally, a grant of leave to serve out of the jurisdiction requires the demonstration of a prima facie entitlement to all or any of the relief claimed: r 10.43(4)(c). The Commissioner was successful in establishing a prima facie case on an application which, for obvious reasons, was argued in the absence of Facebook Inc. Leave to serve Facebook Inc out of the jurisdiction was granted. It then conditionally appeared, as it was entitled to do, to set aside service but that application was refused by the primary judge: Australian Information Commissioner v Facebook Inc (No 2) [2020] FCA 1307 (‘J’). That determination was interlocutory in nature and therefore is subject to appeal only if leave to appeal is first obtained. Facebook Inc has applied for that leave and it is that application which is presently before the Full Court. The matter was fully argued on the basis that if leave were granted nothing further would need to be submitted on the appeal.
The Australian private information in question, is set out in para 19, as follows.
19 In Australia, approximately 53 Facebook users installed This Is Your Digital Life but the Developers obtained not only their personal information but that of approximately 311,074 of their Facebook friends. The Commissioner’s suit alleges, in a nutshell, that these events involved Facebook in contraventions of the Privacy Act 1998 (Cth) (‘the Privacy Act’). Specifically, the Commissioner says that Facebook Ireland and Facebook Inc have each breached Australian Privacy Principles (‘APPs’) 6 and 11.1(b).
The need for an ‘Australian link’ is driven partly by the extra-territorial objectives of the Privacy Act and also Australian constitutional considerations, both of which are described in paras 21 & 22.
21 It is presumed that a Commonwealth statute does not apply to persons outside of Australia: Jumbunna Coal Mine NL v Victorian Coal Miners’ Association [1908] HCA 95; (1908) 6 CLR 309 at 363 per O’Connor J. That presumption will be displaced, however, where the statute exhibits an intention to displace it. The Privacy Act is explicit in applying to persons outside of Australia although only in some circumstances. So much flows from s 5B, which is entitled ‘Extra-territorial operation of Act’. Section 5B(1A) applies the Privacy Act to acts done or practices engaged in ‘outside Australia’ if they are done or engaged in by an organisation that ‘has an Australian link’.
22 Where a body corporate such as Facebook Inc or Facebook Ireland is concerned, an Australian link will be present if two requirements are satisfied: first, the body corporate must carry on business in Australia (s 5B(3)(b)); and secondly, it must have collected or held personal information in Australia (s 5B(3)(c)). …
The relevant provision establishing an ‘Australian link’ by reference to carrying on business in Australia, is s5B(3) of the Privacy Act, which provides as follows.
(3) An organisation or small business operator also has an Australian link if all of the following apply:
(a) the organisation or operator is not described in subsection (2);
(b) the organisation or operator carries on business in Australia or an external Territory;
(c) the personal information was collected or held by the organisation or operator in Australia or an external Territory, either before or at the time of the act or practice. [Ignore that this para (c) makes no sense on its own – Perram J explains how it works in para 24 of his judgement.]
The scale and scope of the information gathered, shared, processed and analysed is eye-watering (and gives real insight into how Facebook might monetarise what seems to be a free service.
What activities was Facebook Inc carrying on?
29 In my opinion, the evidence certainly presents a prima facie case that Facebook Inc was engaged in the business of providing data processing services to Facebook Ireland. The evidence consists of an agreement between Facebook Ireland and Facebook Inc entitled ‘Data Transfer and Processing Agreement’ (‘the Data Processing Agreement’). The agreement did a number of things but for present purposes it contained two core sets of obligations. First, it identified the data which Facebook Ireland was to transfer to Facebook Inc for processing. Secondly, it identified the nature of the processing which Facebook Inc was to carry out on that data.
30 Pursuant to cl 5(a) of the agreement, Facebook Inc promised to process the ‘personal data’ provided to it by Facebook Ireland. Appendix 1 to the agreement makes clear that the personal data to be provided by Facebook Ireland to Facebook Inc for ‘processing’ was the personal data of ‘registered users of the Facebook platform’. The data which was to be provided was also set out. It was the personal data ‘generated, shared and uploaded by the registered users of the Facebook platform’. This sounds broad and the agreement confirmed its breadth. It was to include: photographs, videos, events attended or invited to, group memberships, friends, gender, date of birth, relationship status, email address, URL, hometown, family, political views, religious views, sexual life, biography, employment history, location, education, interests, entertainment preferences, material shared by the user (i.e. wall posts, messages, pokes), credit card information and actions taken on Facebook and other services. Further it included ‘special categories’ of data. These were: racial or ethnic origin, political opinions, philosophical beliefs, trade union membership, health and sex life.
31 What was the purpose of the processing to which Facebook Inc was to subject this data? It was, inter alia, to ‘facilitate communications across the Facebook platform’. Pausing there, it is to be noted that the Facebook platform comprised all users of Facebook, not just those users to whom Facebook Ireland provided the service. The data was also to be processed for the purposes of ‘personalising content’, ‘targeting advertisements and to assess their effectiveness’ and ‘identifying connections between Facebook users’. Again, none of this was limited to the users of the service provided by Facebook Ireland.
32 The nature of the Facebook platform might suggest that it is impossible to disaggregate the Facebook business in North America from that in the rest of the world. For example, such a balkanisation is difficult to reconcile with the fact that a post by an Australian user may appear in the newsfeed of a user in New York. Such a train of thought might pursue the implications of the obligation Facebook Inc had to Facebook Ireland to ‘facilitate communications across the Facebook platform’ and inquire further into whether the network effects which make Facebook so successful can be put to one side when analysing the nature of its business structure.
Whether the business was carried on in Australia, was the key issue, centred on putting ‘cookies’ on Australian terminals, as Perram J explained in para 35.
Was this business being carried on in Australia?
35 That leaves, of course, Facebook Inc’s submission that assuming it was conducting a business, it was not conducting one in Australia. The primary judge was disinclined to accept this because the business being conducted by Facebook Inc appears to have included as two of its elements the installation of cookies upon the devices of users and the provision to Australian application developers of an interface known as the Graph API which includes as part of its functionality a facility which allows third party applications to utilise the Facebook login. The primary judge thought that there was a prima facie case that both of these activities occurred in Australia.
Whether acts in Australia amounted to carrying on a business here, is discussed in paras 66 & 67. In essence, Facebook Inc said that none of the indicia for carrying on a business existed (partly because Facebook Ireland might have done some of those things (and it didn’t contest the foreign service).
Do these activities constitute the carrying on of business within the meaning of s 5B(3) of the Privacy Act?
66 Having accepted that it is open to infer that Facebook Inc installed and removed cookies on users’ devices in Australia and that it managed the Graph API here too, the question then arises whether it can be said that it was carrying on business in Australia by reason of that conduct. The primary judge accepted that Facebook Inc was engaged in this conduct as part of the services it delivered to Facebook Ireland under the Data Processing Agreement. Consequently, his Honour accepted that Facebook Inc had conducted part of that business in Australia.
67 On the application for leave to appeal, Facebook Inc took issue with this conclusion. There were, in essence, two contentions. First, it argued that Facebook Inc had no physical presence in Australia. It entered into no contracts, employed no personnel, had no customers and derived no revenues. There was, Facebook Inc submitted, no decided case in which a foreign entity had ever been held to be carrying on business in Australia where all of these indicia were absent. Even if the installation of cookies and the management of the Graph API were acts which took place in Australia, therefore, they lacked from the perspective of Facebook Inc the quality of being business activities.
Construing the meaning of this, depends on statutory context, which, in this case, had to do with protecting the flow of information overseas (which was what was happening here).
70 I do not accept this submission. Whilst it is common to speak of the general approach to the question of whether an entity is carrying on business in a jurisdiction, usually the question arises in a particular statutory context. In this case, the question is whether Facebook Inc ‘carries on business in Australia’ within the meaning of s 5B(3)(c) of the Privacy Act. The expression ‘carries on business in Australia’ is not a defined term in the Act. However, its meaning is informed by the statute in which it appears. Two matters are relevant. First, the objects of the Act include by s 2A(f) the facilitation of ‘the free flow of information across national borders while ensuring that the privacy of individuals is respected’. The statute therefore has in its contemplation the regulation of the flow of information insofar as it concerns privacy. Secondly, the terms of s 5B(3)(c) suggest that the focus of the Act is on the enforcement of the APPs in relation to the collection or holding of personal information. It is true that s 5B(3)(b) imposes the additional requirement that the organisation carry on business in Australia but that does not change the fact that this statute has as its focus a non-material concept: information.
Getting to the heart of the matter, His Honour explained what separated this case, from the floodgates Facebook warned of, as follows.
74 Is it possible to conduct business in Australia without having any physical presence within the jurisdiction? The primary judge concluded that ‘the means by which entities carry on business are constantly evolving’. He then observed that many of the cases in which the concept of carrying on business was discussed were ‘decided long before the technological advances which underpin many forms of commerce’. I agree with his Honour. The concept of carrying on business must, of necessity, take its shape from the business being conducted. Whilst the indicia to which Facebook Inc points no doubt have their place, I do think that some care has to be exercised about those statements to ensure that obvious propositions about the qualities of businesses at one time are not misapplied to radically different businesses at another. Facebook Inc submitted that the primary judge had, by making these observations, stated that the test needed to be changed. It is quite clear, with respect, that his Honour said no such thing.
75 Nor do I accept the submission that the primary judge’s approach would entail that any modern business conducted on the internet with a website accessible in Australia would be carrying on business in Australia. What this case decides is only that an inference may be drawn that a firm which installs and removes cookies in Australia (and which also manages for Australian developers a credential system which is widely used in Australia) is carrying on its worldwide business of data processing in this country. Whether a particular foreign-based business providing goods or services in this country carries on business here will depend on the nature of the business being conducted and the activity which takes place in this country. There is no one size fits all answer to this question. Correspondingly, the menace of opened floodgates from which Facebook Inc was commendably keen to protect the Australian legal system, is in my view very much overstated.
How placing ‘cookies’ on computers in Australia could be part of a US or Global business, was addressed by Chief Justice Alsop, by way of analogy (one I take to mean, one of micro-surgery being done, remotely by a surgeon controlling robotic surgical equipment, on the patient).
5 This is particularly the case in relation to the placement of cookies on users’ devices in Australia. The act of a person need not be discrete and conceptually separated in reality from its consequences. An act may occur in more than one place, may be continuous, complex and multilateral, and not just physically instantaneous in one place. Micro-surgery is not undertaken by the physical, manual manipulation of a scalpel by the hand of a surgeon upon the body of a patient. The surgeon may be at an instrument, physically separated from the patient, controlling the minute device that effects the surgery. The act is taking place at both places: where the surgeon is and where the patient is. It can be characterised or conceived of as one act. There is no reason of logic or conceptual appreciation as to why the conclusion must be different depending upon the distance of separation between the two locations. The consideration of the matter and the proper characterisation of the act or activity is to be approached by reference to the nature of the business and the place of the act or activity within the business, and the context as to why the question is being asked, being here the operation of a statute concerned with the privacy of information concerning people.
There was no doubt that Facebook made money out of collecting, analysing and using this private information – which provided the commercial ‘business’ element. Alsop CJ described this in para as follows.
8 The place of these activities and these acts that are carried on and done by Facebook Inc in Australia in the overall commercial enterprise of Facebook Inc need not be precisely identified at this stage. Nor need the commercial significance of these activities and acts be drawn out beyond a recognition that they are part of the data collection and processing of the business described earlier. They may lack an intrinsic commercial quality in themselves looked at in isolation, but they take their place as a material part of the working of the business, which is held out as providing to its users a single global network for the instantaneous transmission and exchange of information. Much of the activity carried on by Facebook Inc does not generate revenue directly. An understanding that the revenue of the business is derived from monetisation of information collected, stored and analysed over a data sharing platform gives a ready intuitive explanation of that lack of direct revenue generation from such individual acts or activities in the overall commercialisation of the information. That does not, however, lessen the importance to the business, and to its being carried on, of the acts or activities occurring, where they occur.