On 16 April 2021, in Australian Competition and Consumer Commission v Google LLC (No 2)  FCA 367, the Australian Federal Court agreed with the Australian Competition and Consumer Commission (ACCC) that Google LLC and Google Australia Pty Ltd ACN 102 417 032 (collectively Google) had engaged in conduct that misled or was likely to mislead some users of Android devices about the way Google collected and used their location data. In doing so, the Court found that the ACCC had partially made out its case against Google under section 18 of the Australian Consumer Law (ACL) in the Competition and Consumer Act 2010 (Cth). Comparable findings were made in favour of the ACCC under sections 29(1)(g) and 34 of the ACL.
This case, coupled with the broader regulatory trends we mention in this note, mean that privacy protection is likely to be in the news in coming months. Businesses should obtain advice on what this case means for them – and participate in law reform submissions directly or through their industry associations – to ensure their views are taken into consideration.
The case and the findings
The ACCC alleged that, in contravention of section 18 of the ACL, Google engaged in conduct that misled users of Android devices into thinking Google was not collecting and using their location data. In addition, the ACCC argued Google’s conduct could also constitute a false or misleading representation under section 29(1)(g) of the ACL, and ‘a conduct that is liable to mislead the public’ under either section 33 or 34 of the ACL. The alleged contraventions occurred in different periods between April 2018 and the commencement date of the proceedings.
The settings central to the case were the ‘Location History’ setting and the ‘Web & App Activity’ setting in Android devices. The default setting was for the Location History to be turned ‘off’ and the ‘Web & App Activity’ to be turned ‘on’. The engineering behind the settings meant that, irrespective of whether the Location History was turned ‘on’ or ‘off’, Google had the ability to collect and use the user’s location data as long as the Web & App Activity setting in the device was turned ‘on’.
The ACCC alleged that Google misled users of Android devices in three scenarios, which involved three classes of users.
Scenario 1 concerned users who set up a Google account on their Android devices between 30 April 2018 and 19 December 2018 and chose to click on ‘More Options’, rather than choosing ‘I agree’ or ‘Don’t create the account’ when viewing the Privacy and Terms screen. These users would have seen that the default setting on Android devices was for the Location History setting to be ‘off’ and the Web & App Activity setting to be ‘on’. The ACCC argued that the users viewing this page were misled into thinking that Google would not collect or use their location data because the Location History setting was turned ‘off’.
Finding: The Court agreed with ACCC that there were reasonable users in the class identified by ACCC who would not have concluded from the ‘More Options’ screen that Web & App Activity had to be turned off to prevent Google from collecting and using the users’ location data. This was despite the fact that if a user in this class thoroughly reviewed all the content in the Privacy and Terms screen and the ‘More Options’ screen, she would have understood that the Web & App Activity setting had to be turned to ‘off’ to prevent Google from collecting and using location data.
Scenario 2 concerned users who made a decision to turn the Location History ‘off’ in their Google account, in circumstances where they had at some other time turned the Location History setting to ‘on’, from its default position of ‘off’. The ACCC argued that the wording used on the screen incorrectly represented to these users that Google would not continue to collect and use the users’ location data after this setting was turned ‘off’. In making its case, the ACCC referred to three versions of the screens that the users would have seen between 1 January 2017 and the commencement date of the proceeding.
Finding: The Court distinguished between the different variations to the screen that the users would see when attempting to turn the Location History ‘off’. The Court agreed that reasonable users would not have been misled as to how Google collected and used location data where the screen noted that some location data may be saved as part of other Google services, even if the Location History was turned ‘off’. However, in any variations of the screen where this was not made clear, the Court determined that there were reasonable users who would have been misled.
Scenario 3 concerned users who considered whether to turn the Web & App Activity setting ‘off’ before October 2018. The ACCC argued that Google misrepresented to these users that the Web & App Activity setting being ‘on’ would not allow information about the user’s location to be retained and used by Google. This was because the relevant screens did not specify that location data would be collected by Google if this setting was on. In contrast, the screens used after October 2018 did specify that the information collected by Google included location data.
Finding: The Court agreed with the ACCC that reasonable users in this class included users who were looking to prevent or limit Google from obtaining, retaining and using data about the user’s location when using Google products or services. These users would have incorrectly come to the conclusion from reading the screens pre- October 2018 that:
- Web & App Activity was not the relevant setting which prevented personal information in relation to the user’s location from being obtained, retained and used by Google; and
- having the setting turned ‘on’ would not allow personal information regarding the user’s location to be obtained, retained and used by Google.
The Court assessed whether Google contravened the ACL by analysing whether Google’s conduct as a whole was misleading or deceptive, or likely to mislead or deceive reasonable members of the class of consumers likely to be affected by the conduct. This conduct included what was – and what was not – stated on the various screens presented to the users. The Court noted that Google’s arguments had more attraction, the longer the information on the various screens is reviewed and analysed. However, according to the Court, the appropriate approach is to put oneself in the position of reasonable users in the class identified by the ACCC, and determine whether users in that class would have been misled by Google’s conduct or representation.
Interestingly, both Google and the ACCC introduced expert testimony from behavioural economists regarding the effort users would put into reading and navigating the relevant screens. That testimony was inconclusive one way or the other, but the Court said the points made by the experts were useful in considering how a user faced with the various screens referred to in the proceeding might have reacted.
What happens next?
The Court has ordered the parties to confer, with a view to agree on the orders to be made and appropriate next steps. The ACCC has said it is intending to seek a penalty of ‘many millions’ from Google. Google is considering all its options – including an appeal.
Broader regulatory trends
Co-regulation of data privacy?
The Office of the Australian Privacy (OAIC) administers the Australian federal Privacy Act, which regulates the handling of personal information. The ACCC administers the ACL, which regulates consumer protection. In addition, the ACCC is Australia’s competition (anti-trust) regulator. In practice, many instances involving the (mis)handling of personal information may also trigger the ACCC’s consumer protection jurisdiction. This case is the most recent example of how the ACCC may use – or propose to use – its jurisdiction to address issues that also relate to the handling of personal information. Other examples include:
Expansion of the OAIC’s regulatory powers
The ACCC presently has a more significant regulatory armoury than the OAIC. In March 2019, the federal Attorney General announced proposed amendments to the Privacy Act. Among other things, those amendments will increase penalties from the current maximum penalty of $2.1 million per contravention for serious or repeated breaches to whichever is the greater of:
- $10 million; or
- three times the value of any benefit obtained through the misuse of information; or
- 10 percent of a company’s annual domestic turnover.
In addition, amendments were proposed in 2019 to give the OAIC new infringement notice powers backed by new penalties of up to $63,000 for bodies corporate and $12,600 for individuals, for failure to cooperate with efforts to resolve minor breaches. These recommendations were endorsed by the Australian Competition and Consumer Commission in its Digital Platforms Inquiry – Final Report released on 26 July 2019, not just for digital platforms but across the economy.
The reforms to give the OAIC additional regulatory powers have been a long time coming. One reason for this is that 2020 was a year like no other in living memory. Based on comments made by representatives of the Attorney-General’s Department at a Senate Hearing in March 2021, it appears that Exposure Draft Legislation to give the OAIC the proposed additional regulatory powers will be released in May 2021 if not earlier.
Is consent an effective way for individuals to manage their personal information?
As noted above, the evidence led by the ACCC and Google from behavioural economists about how a user would react to the various screens presented to her was inconclusive. This may illustrate the real limitations of consumer consent in these contexts. The Privacy Act Review Issues Paper that the Attorney-General’s Department issued late in 2020 raised issues of consent fatigue and canvassed the possibility of imposing pro-consumer default settings. This is to give individuals confidence that when they obtain a product or service (or enter into a competition), their privacy preferences will by default be set to optimise the protection of their personal information. This would be an additional safeguard for individuals who don’t have the time or inclination to adjust their privacy settings to reflect their preferences. Again, the Department is expected to release a further issues paper in May 2021 on the review of the Privacy Act, at about the same time as the Exposure Draft Legislation to give the OAIC additional powers is released.
For further information please contact the authors or any member of our Fintech, Privacy & Emerging Technologies team.
This information and the contents of this publication, current as at the date of publication, is general in nature to offer assistance to Cornwalls’ clients, prospective clients and stakeholders, and is for reference purposes only. It does not constitute legal or financial advice. If you are concerned about any topic covered, we recommend that you seek your own specific legal and financial advice before taking any action.