
Face it, nothing's private


Cite as: March 2014 88 (03) LIJ, p.38

Using Facebook as a case study, this article considers whether the Privacy Act 1988 (Cth) applies to social media companies and the utility of the protections afforded by that Act. It also gives an overview of some of the privacy protections available under Facebook’s privacy policy. 

By Katie Miller

“You already have zero privacy. Get over it.”1

A quote from the pre-social media age, it sums up the zeitgeist on social media and privacy. Periodic pronouncements that “privacy is dead”2 or that privacy is no longer a “social norm”3, though seen as shocking, are rarely challenged. In Australia, this complacency may, in part, be attributable to the complexity of our privacy laws – a combination of the common law and federal and state statutes. Even after recent reforms, Australian privacy laws largely pre-date social media. Is it any wonder then that so many view social media as a Faustian bargain in which privacy is the price of entry to the world of social media?

The Privacy Act 1988 (Cth)

The Privacy Act 1988 (Cth) (the Act) regulates the handling of “personal information” by “Australian Privacy Principles (APP) entities”. “Personal information” is defined to mean information or an opinion (including information or opinions that are not true) about an identified individual or an individual who is reasonably identifiable.4

The Act prohibits APP entities from doing an act, or engaging in a practice, that breaches an Australian Privacy Principle.5 A body corporate with an annual turnover of more than $3 million is an “APP entity”.6

The Act and the APPs apply to acts done, or practices engaged in, outside Australia, by an APP entity if:

  • the act or practice relates to personal information about an Australian citizen, permanent resident or New Zealand citizen who is in Australia; and
  • the APP entity has an “Australian link”.7

Where a body corporate is not incorporated in Australia, it will relevantly have an “Australian link” if:

  • it carries on business in Australia; and
  • the personal information was collected or held by the body corporate in Australia.8

Prior to the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Amendment Act), there was some uncertainty about whether information collected from users in Australia via the internet was “collected . . . in Australia” within the meaning of s5B(3)(c). This uncertainty stemmed from the bifurcated collection of information through the internet. Although a user may enter information into a website through a device in Australia, the website may be hosted by a server located outside Australia. Although the Amendment Act did not change the language of s5B(3)(c), the Explanatory Memorandum to the Amendment Act sought to address the uncertainty by stating that collection of personal information “in Australia” includes the collection of personal information from an individual who is physically within the borders of Australia, including where the information is collected via a website hosted outside Australia and owned by a foreign company that is not incorporated in Australia.9

Application of the Privacy Act 1988 (Cth) to Facebook

The application of the Act to personal information posted on Facebook is not comprehensive. In particular, the Act does not apply to personal information:

  • posted outside Australia;
  • about a person who is not an Australian citizen, permanent resident or New Zealand citizen in Australia (Australian users); or
  • posted to the wall of an American user.

There are many entities within the Facebook group of companies. In the context of privacy of Australian users, the relevant entities are Facebook Ireland Ltd (Facebook Ireland) and Facebook Ltd (Facebook America). Although there is a Facebook Australia Ltd, its focus is Australian advertisers rather than Australian users.

Personal information of Australian users is primarily collected by Facebook Ireland. When an Australian user (or any user outside America) creates an account with Facebook, they enter a contract with Facebook Ireland. Therefore, personal information on an Australian user’s Facebook wall is collected and held by Facebook Ireland.

In contrast, when a person in America creates a Facebook account (American user), they enter a contract with Facebook America. Facebook America may also collect and hold personal information about an Australian user if they or someone else posts information about the Australian user on the wall of an American user.

The Act applies to body corporates with an annual turnover in excess of $3 million. With an estimated turnover in excess of $12 billion, Facebook America clearly satisfies this requirement and is an “APP entity”. As a related body corporate of Facebook America, Facebook Ireland also satisfies the definition of “APP entity”.10

Neither Facebook Ireland nor Facebook America is incorporated in Australia and neither has a physical presence in Australia. Accordingly, their acts and practices will be regulated by the Act only when they have an “Australian link”.

Facebook Ireland has an “Australian link” because it carries on business in Australia. In particular, it contracts with Australian users regarding their use of Facebook. Facebook Ireland’s acts and practices will be regulated by the Act when it collects personal information about Australian users in Australia, that is, when an Australian user physically in Australia posts personal information on their wall or the wall of another user with a contract with Facebook Ireland (i.e. a non-American user).

It is arguable that Facebook America does not carry on business in Australia because it has no contracts or relationships with Australian users in Australia. However, Facebook America does have contact with some Australian users, e.g. when Australian users “like” pages operated by Facebook America, such as its governance or privacy pages. Given the limits of this article, it proceeds on the basis that Facebook America does not carry on business in Australia and that the Act therefore does not apply to Facebook America, even in respect of personal information about Australian users.

In summary, the APPs therefore apply to Facebook Ireland in respect of personal information:

  • about an Australian user;
  • uploaded by a person who is physically in Australia;
  • to the wall of a user with a contract with Facebook Ireland (e.g. the wall of an Australian user or at least a non-American user).

The APPs will not apply to Facebook with respect to personal information:

  • uploaded by a person who is not physically in Australia (including Australian users who are overseas – so be careful with those holiday happy snaps);
  • posted on a wall of an American user, even if the person uploading the information is an Australian user in Australia.

The above reasoning would apply equally to personal information collected and held by other social media companies that are body corporates incorporated outside Australia such as Twitter, Instagram (now owned by Facebook) and Google (which offers social media through its Google+ and Google Circles platforms). The key issue will be whether the company can be said to “carry on business in Australia”. This question may be difficult in respect of social media companies that, like Facebook, comprise multiple corporate entities, none of which is incorporated or located in Australia.

In any event, the protection afforded by the APPs to the personal information of Australian users may be limited, rendering the above analysis a largely theoretical exercise. Under the APPs, Facebook Ireland is permitted to collect most of the personal information it collects because it is reasonably necessary for its functions and activities (i.e. providing the user with access to Facebook) and is collected with the user’s consent.11 Similarly, it is arguable that users have consented to the use and disclosure of their personal information in accordance with Facebook’s service agreement, thereby authorising such use and disclosure under the APPs.12

The APPs may have more work to do where personal information about an Australian user is posted to Facebook by another person, especially where the Australian user does not consent to the posting. For example, abusive comments posted by one person about another or the creation of a Facebook account to impersonate another person may not be authorised by the APPs. Whether and how the APPs may apply to such information is a matter which requires further consideration, including by the (Commonwealth) Privacy Commissioner. Although privacy commissioners overseas have investigated Facebook, there is no publicly available information suggesting that the Privacy Commissioner has done so. Lawyers seeking to have information on Facebook removed may wish to contact the Privacy Commissioner to discuss the role the APPs may play.

Facebook’s privacy policy

The limited application and utility of the APPs in protecting personal information on Facebook reinforces the importance of each Facebook user taking control of their privacy protections using the tools provided by Facebook.

Facebook’s privacy policy spans a number of documents. Unlike most legal documents, it is not contained in a single multi-page document. Instead, the information is accessed by following hyperlinks to multiple Facebook pages. The task of obtaining a comprehensive understanding of Facebook’s privacy policy is an elusive one, rendered more difficult by the frequent changes made to it.

Having said that, Facebook’s privacy policy differs from those usually seen in Australia as it provides a number of tools for users to control and manage their privacy. Although the adequacy of the tools may be questioned, they present the most direct way for an individual user to exercise some control over their privacy on Facebook.

The basics that everyone should know and understand include:

  • Some Facebook information is always “public”, including your name, profile and cover pictures (past and present) and gender. You cannot restrict access to this information – so be careful which pictures you select as your profile and cover pictures.
  • You control the privacy of information posted on your wall. However, the privacy of anything you post to another person’s wall is controlled by that person.
  • You can restrict the audience for individual posts (past and present) using the audience selector tool, or all past posts using the privacy settings.
  • You can set up different audience groups. All of your connections are in the “friends” group. You can then, for example, allocate your work colleagues to a “work” group, relatives to a “family” group or footy friends to a “footy” group. You can then limit the audience for posts to or excluding one or more of the groups, e.g. post to “footy” only or post to “friends” except “work”.
  • You can control whether photos or posts in which you are tagged appear on your timeline. You can also remove tags of yourself in photos and posts.
  • You can block users, who then cannot post or see information on your wall. However, they will still be able to post and see information about you on other people’s walls and pages.
  • Your “Activity Log” lists every action you have taken on Facebook. You can edit the audiences for past actions or simply delete a specific action.


Social media presents significant challenges for the protection of privacy. The current legislation regulating privacy in Australia is inadequate with respect to social media companies. It is a significant task to identify whether the Act applies to a particular social media company at all, as the above exercise demonstrates. Even if the Act does apply, its utility in the face of social media service agreements and privacy policies may be limited. At the very least, its utility in protecting against unauthorised posting of personal information is untested in Australia. In the meantime, it is incumbent upon all social media users to learn what tools are available to them to take personal control of their privacy. This solution alone is inadequate, underlining the need for privacy reform that takes account of the new social norms presented by social media and privacy.

KATIE MILLER is a managing principal solicitor at the VGSO and president elect of the LIV. She chairs the LIV’s Social Media Taskforce.

1. Scott G McNealy, CEO of Sun Microsystems Inc (1999).

2. CNN Money, “Online privacy is dead”, 17 October 2013.

3. Mark Zuckerberg, Facebook Ltd, 8 January 2010.

4. See definition of “personal information” in s6(1) of the Act.

5. The Act, s14.

6. See s6C and the definitions of “APP entity”, “organisation” and “small business operator” in s6(1) of the Act.

7. The Act, s5B(1).

8. The Act, s5B(1A).

9. Explanatory Memorandum to the Amendment Act, Schedule 4, item 6.

10. The Act, ss6C, 6D(3), 6D(9).

11. See APP 3.2, 3.3(a)(i).

12. See APP 6.1(a).

