Australian Information Commission v Facebook Inc [2020] FCA 531 (22 April 2020): application for service outside of Australia, the Commissioner’s prima facie case. The opening round in the first civil proceeding brought by the Commissioner for breach of the Privacy Act

April 26, 2020

On 23 April 2020 in Australian Information Commission v Facebook Inc the Australian Information Commissioner successfully obtained interim suppression and non-publication orders, together with orders for service outside Australia and substituted service, against Facebook Inc.

This is the first of what is likely to be a number of interlocutory judgments as the civil penalty proceedings slowly move towards a hearing.

FACTS

The Australian Information Commissioner commenced proceedings against Facebook Inc and Facebook Ireland Limited on 9 March 2020 alleging contraventions of s 13G of the Privacy Act 1988 (Cth) [1].

The Commissioner seeks declarations under s 21 of the Federal Court of Australia Act 1976 (Cth) and civil pecuniary penalties under s 80W of the Privacy Act [1].

The allegation is that, from 12 March 2014 to 1 May 2015, Facebook Inc and Facebook Ireland acted, or engaged in a practice, that was a serious or repeated interference with the privacy of approximately 311,127 Australian Facebook users, contravening paragraphs (a) and (b) of s 13G of the Privacy Act [2].

Neither of the respondents had been served personally with any document [3].

Facebook Inc is incorporated in Delaware and based in California in the United States of America [3].

Facebook Ireland is based in the Republic of Ireland [3].

DECISION

The Commissioner filed an ex parte interlocutory application on 9 April 2020 seeking orders:

  • under r 10.42 and r 10.43(2) of the Federal Court Rules 2011 (Cth) for leave to serve the originating application, the concise statement, the statement of claim, the interlocutory application, the various affidavits relied upon, the written submissions and the orders of the Court on the hearing of the interlocutory application together with these reasons for judgment (the Court Documents) on Facebook Inc and Facebook Ireland in accordance with art 5 of the Convention on the Service Abroad of Judicial and Extrajudicial Documents in Civil or Commercial Matters (Hague Convention) [4].
  • for substituted service under r 10.24 [5].
  • for interim suppression or non-publication orders under sections 37AF and 37AI of the Federal Court Act [6] & [7].

Suppression/non-publication orders

During her preliminary inquiries and subsequent investigation under s 42(2) and s 40(2) of the Privacy Act, the Commissioner obtained certain information which Facebook Inc and Facebook Ireland claimed was confidential [7].

The Commissioner relies upon the claimed confidential information in support of her interlocutory application seeking leave to serve the respondents outside Australia [8].

The Commissioner sought the interim suppression order pending the respondents being served with the originating application because the respondents’ position is that the information is confidential on the basis that it is:

  • about the respondents’ commercial operations that is secret or known only to a limited group;
  • potentially damaging to the respondents’ business if it is accessible by a competitor;
  • not public and may indirectly identify individuals [8].

The Court was satisfied that it was appropriate to make interim orders under s 37AI, effective until the conclusion of the first case management hearing.

SERVICE OF DOCUMENTS OUTSIDE OF AUSTRALIA

Rules 10.42 and 10.43 set out the process by which leave can be granted to serve an originating application on a person in a foreign country [12]. It is necessary for the applicant to satisfy the Court of three matters:

(1) the Court has jurisdiction in the proceeding;
(2) the proceeding is of a kind mentioned in r 10.42;
(3) the party has a prima facie case for all or any of the relief claimed in the proceeding.

Jurisdiction

The Court found it had jurisdiction, as vested in it by laws made by the Parliament, because:

  • Section 80W(1) of the Privacy Act, being a law made by the Parliament, provides that jurisdiction as it empowers the Commissioner to “… apply to the Federal Court … for an order that an entity, that is alleged to have contravened a civil penalty provision, pay the Commonwealth a pecuniary penalty” and under Section 80W(3) the court “may order the entity to pay the Commonwealth such pecuniary penalty for the contravention as the court determines to be appropriate” [23].
  • through s 39B(1A)(a) of the Judiciary Act 1903 (Cth) the Commissioner seeks declaratory relief [24].

Does the Commissioner have a prima facie case?

The Court stated that the requirement to demonstrate a prima facie case in the context of an application for leave to serve documents outside Australia is “not particularly onerous” [30] and the Commissioner only need establish a prima facie case in relation to one cause of action or remedy [32].

The Court had no difficulty in finding that Facebook Inc and Facebook Ireland are “organisations” for the purposes of the Privacy Act, though it took paragraphs to reach this conclusion [33] – [35].

Similarly the court found that the respondents carried on business in Australia in the relevant sense [39] because:

(1) Australian users contracted with Facebook Ireland, which described itself as the “data controller for Australian Facebook users”;
(2) Facebook Ireland provided the Facebook service to Australian users as agent for Facebook Inc.

The court found that the contractual relationship between Facebook Ireland and Facebook Inc is such that a prima facie case is also shown as against Facebook Inc.

PRIMA FACIE CASE AGAINST FACEBOOK

The Commissioner set out in broad strokes the nature of her claim against Facebook in order to make out a prima facie case.

The Court undertook a detailed, if not laborious, analysis stating:

  • an act or practice is an “interference with the privacy of an individual” if it breaches an “APP” in relation to personal information about the individual. An “APP entity” includes an “organisation”: s 6(1). [42]
  • the Commissioner relies upon contended breaches of APP 6.1 and APP 11.1 in alleging that the respondents engaged in acts or practices constituting “serious” and “repeated” interference with the privacy of individuals in contravention of paragraphs (a) and (b) of s 13G. [43]

The facts the Commissioner relies upon, based on the statement of claim, are, at [46]:

  • apps could request personal information from Users’ Facebook Accounts using a tool called the Graph Application Programming Interface (Graph API) which allowed apps to create a link or interface between the Facebook Website’s “social graph” and the app.
  • the link between the Facebook Website and the app was facilitated by the “Facebook Login” which allowed an installer of an app (Installer) to utilise their Facebook account credentials (username and password) to login to an app.
  • an app could request a wide range of information about not only those Installers but also their Facebook friends who had not installed the app (Friends). This included requests for sensitive information.
  • in response to a request from an app, the Respondents disclosed information about Installers and their Friends to the app. A user’s “privacy settings” did not alone control how a User’s personal information was shared with apps, including apps installed by Users’ Friends, and unless a User modified their “app settings”, various categories of the User’s personal information, including sensitive information, would be disclosed to apps installed by their Friends by default …
  • the Respondents relied upon app developers’ self-assessment that an app complied with these rules and did not have in place any procedures to approve an app’s ability to make requests of the Graph API V1, nor was there any review of the privacy policies of the apps themselves.
  • on 30 April 2014, a new version of the Graph API (Graph API V2) was launched by the Respondents requiring a manual app review process (App Review) and requests were only approved where the additional information clearly improved the User’s experience of the app. However, Facebook allowed apps using Graph API V1 a 12-month ‘grace period’ (Grace Period) to migrate to Graph API V2.
  • the “This is Your Digital Life” App was a personality survey or quiz developed by Dr Aleksandr Kogan, a researcher, who later established Global Science Research Limited (GSR).
  • the Graph API V1 allowed the “This is Your Digital Life” App to request information from the Facebook Accounts of 305,000 Facebook Users globally who were also Installers of the app, of which approximately 53 were Australian, and the personal information of approximately 86,300,000 Facebook Users globally (approximately 311,074 of whom were Australian Facebook Users) who were Friends.
  • Dr Kogan and/or GSR further disclosed personal information it obtained from the Respondents to third parties, including Cambridge Analytica Ltd, and/or its parent company, for profit.
  • Dr Kogan and/or GSR were able to continue requesting Friends’ and Installers’ information under Graph API V1 until 1 May 2015.

The Commissioner contends, at [47], that:

(1) the primary purpose for which the respondents collected the personal information of the affected individuals was to allow them to build an online social network with other users on the Facebook website;
(2) the disclosure of that information to the “This is Your Digital Life” app was not for that primary purpose and was, rather, for a secondary purpose. The “This is Your Digital Life” app did not operate with a view to enabling users to build an online social network with other users on the Facebook website. It instead provided a separate service, on a third party app, which allowed installers of the app to undertake a personality survey or quiz.

  • on each occasion on which Facebook Ireland and Facebook Inc disclosed the personal information of the affected individuals to the “This is Your Digital Life” app, this was an act or practice that was a serious interference with the privacy of each such individual in contravention of s 13G(a). [48]
  • the repeated act or practice of disclosing the personal information of the affected individuals to the “This is Your Digital Life” app was an act or practice that contravened the privacy of those individuals, in contravention of s 13G(b). [49]
  • at [52], having regard to the respondents’ size and resources, as well as the sensitivity of the personal information it collected and held, the steps that the respondents should have taken to comply with APP 11.1 included at least the following:

(1) conducting an initial assessment and regular review of whether the “This is Your Digital Life” app’s requests for users’ information complied with Facebook’s policies;

(2) maintaining records of the personal information disclosed, and regularly reviewing these records to audit the nature and scope of disclosures;

(3) implementing measures to ensure that any consent was obtained directly, before or at the time of disclosure, and was clear and specific;

(4) after 7 May 2014, when Facebook had rejected the “This is Your Digital Life” app’s application to access Graph API V2:

(i) carrying out a review of the categories of data which the “This is Your Digital Life” app had previously requested and obtained about the affected Australian individuals; and

(ii) ceasing the disclosure of the affected Australian individuals’ personal information (including sensitive information) to Dr Kogan and/or GSR. [52]

  • in order to protect the users’ personal information from unauthorised disclosure, the respondents were required to take steps akin to the “App Review” process in respect of third-party apps that sought to access the Graph API [53], and:
    • to the extent that those steps were not taken with respect to those third-party apps which accessed Graph API V1, the respondents breached APP 11.1.
    • it was insufficient and unreasonable, so it was submitted, for the respondents merely to devolve to third-party apps compliance with the terms of Facebook’s policies without Facebook undertaking any investigation into the nature of the apps and the purposes for which those apps sought access.

The court found there was a sufficient prima facie case [55].

After a review of the authorities the court made orders for substituted service pursuant to r 10.24 of the Rules [75].

ISSUE

It is not surprising that a suppression order was made until the first directions hearing. Facebook has a claim of confidentiality over the material obtained by the Commissioner during her investigation. As such Facebook was obliged to provide that material, no doubt under a very comprehensive and expensive letter from its lawyers, King & Wood Mallesons.

While the decision relates to a fairly standard process of seeking leave to serve an overseas party, it sets out the basis upon which the Commissioner will prosecute the civil penalty proceeding. There will no doubt be more applications if Facebook’s history of litigation is a guide. Given the corpus of privacy law is small, and that relating to the Privacy Act is even less significant, the approach taken by the Federal Court in this case will be of outsized importance. As foreshadowed by the Commissioner in submissions, the very unfortunate Full Bench of the Federal Court decision in Privacy Commissioner v Telstra Corporation Ltd [2017] FCAFC 4 (the Ben Grubb case) is likely to compromise what should have been a straightforward prosecution.
