Facebook has lost a major battle with the Australian regulator over the Cambridge Analytica scandal, after a court dismissed the social media giant’s claim that it neither conducts business nor collects personal information in the country.
The Office of the Australian Information Commissioner (OAIC) is suing Facebook, now Meta, for breaching the privacy of more than 300,000 Australian Facebook users in the Cambridge Analytica scandal, exposed more than four years ago by the Guardian.
Throughout the 2010s, consulting firm Cambridge Analytica harvested the personal data of millions of Facebook users without their consent using a personality test app called This is Your Digital Life. The information was then used predominantly for political advertising, including to assist the Brexit campaign and Donald Trump.
Only 53 people in Australia installed the This is Your Digital Life app, according to court documents, but it was able to harvest the data of about 311,127 people.
The OAIC was slow to launch a case against Facebook for the privacy breaches compared with other jurisdictions, announcing proceedings in 2020 in the federal court, where it alleged “serious and/or repeated interferences with privacy in contravention of Australian privacy law”.
It sought to sue the parent company Facebook Inc, based in the US, and its Irish subsidiary, Facebook Ireland Limited.
Facebook Inc has since attempted to have the case against it effectively thrown out, arguing it does not carry out business or collect or hold personal information in Australia, so it cannot be sued under the country’s privacy laws.
The full bench of the federal court on Monday threw out the argument, describing parts of Facebook’s case as “divorced from reality”.
It found the social media giant’s installation of cookies on the physical devices of Australian users was enough to show it was carrying out business in Australia.
“There is a readily available inference that Facebook Inc installs cookies on devices in Australia on behalf of Facebook Ireland as part of its business of providing data processing services to it,” justice Nye Perram said in his reasons.
“Further, it is clear that Facebook Ireland’s use of cookies (installed and removed by Facebook Inc) forms an important part of the operation of the Facebook platform.
“It is not an outlier activity. It is one of the things ‘which makes Facebook work’.”
The court also rejected Facebook’s argument that such a finding would “open the floodgates”, by assuming any website that is accessible in Australia is carrying on business in Australia.
“The menace of opened floodgates from which Facebook Inc was commendably keen to protect the Australian legal system, is in my view very much overstated,” Perram said.
The court was also scathing of a comparison by Facebook of its business to the process of sending mail by post.
Facebook said that what had happened in this case was that its datacentres had transmitted digital signals to user devices, and that this transmission had brought about a change to the digital state of those devices. This was likened to the act of sending a letter from overseas to Australia, which prompted its reader to do something that had an economic impact. This, the company said, could never be construed as the sender having conducted business in Australia.
“The problems with this submission are first that it proves far too much, and secondly that it is, with respect, divorced from reality,” the court ruled. “It proves too much because it has the consequence that no computer-based activity in one jurisdiction can ever amount to more than an effect in computers located in another.”
The full bench’s decision confirms an earlier ruling made by federal court justice Thomas Thawley and follows an appeal by Facebook.
The OAIC said in a statement that it welcomed the court’s decision and now looked forward to the hearing of the case proper.
Meta said it was reviewing the ruling and had no immediate comment.