Many regulators take an expansive view of their remit, and the Australian Privacy Commissioner has acted in this way in the Ashley Madison case.

The Ashley Madison data security breach attracted enormous publicity worldwide, when details of approximately 36 million subscribers were published by hacktivists operating under the moniker “The Impact Team”. The company that ran the affected business is headquartered in Canada and it seems that the relevant databases were located in Canada (although the terms of use apparently provided that Ashley Madison is based in Cyprus). In any event, the databases were certainly not located in Australia. About 670,000 of the affected individuals were located in Australia (less than 2% on my calculation).

It is entirely understandable that the Privacy Commissioner of Canada conducted an investigation into the incident and the company’s practices. What is more unusual is that the Australian Privacy Commissioner’s staff also participated in the investigation, which was conducted jointly in accordance with the APEC Cross-border Privacy Enforcement Arrangement.

As a result of the investigation, the company has given various undertakings with a view to improving its information handling practices. The Australian Commissioner’s findings were published on 24 August 2016 here.

For me, the concerning aspect of this process is the approach taken by the Australian Commissioner to the question of jurisdiction, remembering that none of the conduct took place in Australia and that the company had no presence here.

The Australian Commissioner decided that the company was regulated as an “APP entity” because it:

  • carries on business in Australia; and
  • collected personal information in Australia.

The most controversial part of the reasoning is as follows:

“Although ALM does not have a physical presence in Australia, it conducts marketing in Australia, targets its services at Australian residents, and collects information from people in Australia. ALM has advertised in Australia, and the Ashley Madison website at the time of the breach had pages targeted specifically at Australian users. For this reason, it carries on business in Australia.”

As evidence of the targeted pages, the reasons state that:

“the webpage https://www.ashleymadison.com/landers/australia_dating (accessed 20 August 2015) promotes Australian media coverage of the Ashley Madison website, and states ‘With more than 460,000 members in Australia, Ashley Madison is the final destination for married women and married men looking to maintain their anonymity while looking to have an affair.’”

The leading Australian authority on the question of whether a company carries on business in Australia through online activities is the Gebo Investments decision. Justice Barrett stated (at [30]):

“Advances in technology making it possible for material uploaded on to the Internet in some place unknown to be accessed with ease by anyone in Australia with Internet facilities who wishes (or chances) to access it cannot be seen as having carried with them any alteration of principles as to the place of carrying on business developed at times when such communication was unknown. It has never been suggested that someone who by, say, letters posted in another country and addressed to recipients in Australia, seeks to interest those persons in business transactions to be entered into in the other country and in fact succeeds in concluding such transactions with some of them thereby carries on business in Australia, even though, depending on precise circumstances, the solicitation may contravene some other Australian law. There is a need for some physical activity in Australia through human instrumentalities, being activity that itself forms part of the course of conducting business.” (emphasis added).

There is no evidence in the Commissioner’s reasons that ALM (the company responsible for the Ashley Madison business) conducted any physical activity in Australia through any human instrumentalities.

The question of whether an online B2C business with Australian customers “carries on business in Australia” was recently considered by the Federal Court of Australia in ACCC v Valve Corporation in the context of a case under the Australian Consumer Law. In that case, Edelman J found that Valve carried on business in Australia. The scale of Valve’s connections with Australia was greater (2.2 million customers versus 670,000), but both are online businesses with North American headquarters and no Australian subsidiary or staff in Australia. It is illustrative to contrast the approach taken by Edelman J with that of the Australian Privacy Commissioner:

| Factors in support of Valve carrying on business in Australia | Factors in support of Ashley Madison carrying on business in Australia |
| --- | --- |
| 2.2 million accounts, earned significant revenue [199] | 670,000 accounts; no evidence of revenue |
| Differential pricing for Australian consumers for some products (although this was not explicitly relied on in respect of the “carrying on business in Australia” issue) [181] | Conducted marketing in Australia, had webpage targeted specifically at Australian consumers |
| Owned servers located in Australia (retail value of $1.2m), and sent employees to Australia twice to configure those servers [201] | No evidence of any tangible property located in Australia |
| Deposited content onto the servers it owned in Australia when that content was requested by an Australian subscriber [200] | No evidence of this kind |
| Paid tens of thousands of dollars per month to a data centre operator to host Valve’s servers in Australia [202] | No evidence of this kind |
| Had contractual relationships with content delivery providers in Australia for proxy caching services [203] and [204] | No evidence of this kind |

It is much easier to justify the conclusion that Valve carried on business in Australia as a result of the physical activities that took place within Australia, none of which appears to have been present in the Ashley Madison case.

No doubt ALM took a pragmatic approach to the involvement of the Australian Privacy Commissioner’s office in this instance. If the company has any chance of rebuilding its damaged reputation, it needs to demonstrate improvements in its information security practices. The implementation of the enforceable undertakings given to the Australian Commissioner will assist in that endeavour. And, as a practical matter, the measures do not seem to be more onerous than those negotiated with the Canadian Commissioner. So, there was nothing in it for ALM to take the jurisdictional point with the Australian Commissioner. Things may have been different if the Australian Commissioner had determined that compensation was payable to affected Australian users of the site.

The lesson from this case for the future is that the Australian Privacy Commissioner’s office will be inclined to find that an offshore entity carrying on an online business with no presence in Australia is regulated under the Australian Privacy Act even where the connections with Australia are comparatively slight. Unless and until the Australian Commissioner proposes remedial action that is more onerous than that imposed by regulators in other jurisdictions, respondents will likely take a pragmatic approach to this point.