How many times have you navigated your way to a new café, friend’s house or your son’s best friend’s birthday party in Woop-Woop using Google Maps? Countless, we’d imagine and Google knows it. It is fair to say in today’s world, the services Google offers are essential for many of us. So when the Australian Competition and Consumer Commission (ACCC) announced on 29 October that it was taking on this tech giant, we listened.
The proceedings shine a spotlight on the potential consequences arising from a disconnect between the consent provided by a person for a business to use their personal information, and how the organisation actually uses that personal information. The proceedings are also a clear message from the regulator that it will continue to address misuse of personal information and misleading representations through consumer protection mechanisms.
Key issues
By commencing proceedings, the ACCC has framed data collection as not only a privacy issue, but a consumer one as well. While the Office of the Australia Information Commissioner (OAIC) has the power to hold a business accountable for failure to deal with personal information in accordance with privacy requirements, the proceedings demonstrate that the ACCC may also take action to address misleading representations to customers occurring during the process of data collection. Individuals also have the right in their personal capacity to raise issue with a business’ privacy practices.
With an ever-increasing number of businesses across the Australian economy collecting and monetising consumer data, these proceedings should serve as a timely reminder that transparency in data collection is key. One of the simplest ways to achieve this is having unambiguous and upfront privacy documentation so you and the people you interact with understand how your business will use their personal information.
Businesses should keep in mind both the reputational and financial damage that may result from non compliance with consumer protection and privacy practices.
The proceedings
The ACCC instituted proceedings alleging that Google misled consumers regarding how it obtained, retained and used location data. The ACCC alleges that Google represented to users of Android devices that it would not obtain data about their location or that, where such data was obtained, it would only be used for the user’s own purposes. According to the ACCC, Google in fact obtained and retained consumers’ location data and used that data for its own purposes. The ACCC claims that from at least January 2017 to December 2018, Google breached the Australian Consumer Law (ACL) when it made representations to consumers via on-screen statements on Android mobile phones and tablets about the location data Google collected or used when certain Google account settings were enabled or disabled. Specifically, consumers who withdrew their consent for Google to access their ‘Location History’ (whether completely or by activating the pause feature in Android settings) were allegedly still having similar information tracked by Google if the user had not also disabled the ‘Web & App Activity’ setting.
HopgoodGanim discusses this landmark case in which the ACCC alleges Google LLC and Google Australia Pty Ltd engaged in misleading conduct and made false or misleading representations to its consumers.
Google’s obligations under privacy law
Similar to other jurisdictions, Australia takes a strict approach to how organisations must handle personal information. One of the drivers for this is that unlike other assets (a warehouse or intellectual property), an organisation does not own the personal information of those it interacts with.
When Google collects personal information, it must be open and transparent as to the way it manages that information, including informing the person of the purposes for which it will use that information. Under the Australian privacy law, Google may also use or disclose such information for a related purpose only if a person has consented.
Google’s privacy policy states it collects location information to provide its services, maintain and improve its services, develop new services, provide personalised content and ads, measure performance, communicate and protect Google, its users and the public. ‘Location History’ includes information about the users’ location obtained from various linked devices, the device’s GPS location, Wi-Fi access, sensor data, IP address, cookies and more. Pretty broad, isn’t it?
A person’s consent to an organisation’s use of their personal information may be express or implied, but the OAIC tells us that four key elements must be present: (1) the individual is adequately informed before giving consent; (2) the individual consents voluntarily; (3) the consent is current and specific and (4) the individual has capacity to understand and communicate their consent. Further, the OAIC provides that implied consent arises where consent may reasonably be inferred in the circumstances from the conduct of the individual and organisation.
Central to the ACCC’s claims is a privacy issue - if an individual withdrew their consent for Google to use their ‘Location History’, how could the individual have known or given consent to use of similar information for another purpose under the guise of Google tracking ‘Web & App Activity’?
Collection and use of data - Protections under the consumer law
The ACCC’s commencement of proceedings is not unexpected, the ACCC having revealed in its Digital Platforms Inquiry Final Report (Final Report) published on 26 July 2019, that it was conducting investigations into whether representations made by Google to some users about the control users have over Google’s collection of location data, raised issues under the ACL. The Final Report also indicated that, while Australian privacy law is the main regulatory framework to address market and regulatory failures in the collection, use and disclosure of personal information, data collection practices may raise concerns under Australian competition and consumer laws.
In its Final Report, the ACCC voiced its concerns that the existing regulatory frameworks for the collection and use of user data and personal information had not properly responded to the challenges of digitalisation and business models which rely on the monetisation of consumer data. The ACCC concluded that the existing regulatory framework does not effectively deter data collection practices that exploit the information asymmetries and bargaining power imbalances between digital platforms and consumers. Such market and regulatory failures prevent consumers from properly assessing whether services align with their privacy preferences and from making genuine choices as to how their personal information is collected, used and shared.
The proceedings reflect the outcome of the investigations detailed in the Final Report and indicate the ACCC’s continuing pursuit of one of its key compliance and enforcement priorities for 2019, which is the impact on consumers arising from the collection and use of consumer data by digital platforms, with a focus on the transparency of data practices and the adequacy of disclosure to consumers.
By instituting these proceedings, the ACCC has made clear that it considers data collection to be not only a privacy issue, but also a consumer one as well.
What changes might we see ahead?
A key emphasis of the ACCC’s extensive Final Report was on the interaction between data protection, competition and consumer protection. The ACCC’s recommendations in relation to the existing regulatory framework included both economy-wide and industry-specific recommendations to increase the effectiveness of both the Privacy Act and the ACL. Specifically, Recommendation 16 contained a range of targeted amendments to the Privacy Act, including:
- that the definition of personal information be updated to clarify that it captures technical data such as IP address, device identifiers, location data and any other online identifier that may be used to identify an individual (recommendation 16(a)); and
- strengthening notification and consent requirements to ensure consumers can make informed decisions about the personal data they allow digital platforms to collect (recommendations 16(b),(c)).
Currently, the types of information listed in recommendation 16(a) may constitute personal information only if an individual is identifiable or reasonably identifiable from that information. For this type of information, it will often need to be combined with other information about that individual for an individual to be identifiable or reasonably identifiable from the same. Should the changes recommended by the ACCC become law, this will significantly broaden the types of information that identify someone personally and how businesses must deal with that information. This in turn will increase the level of transparency and control that consumers have over their personal information.
While we await legislative response to those recommendations, it should be expected that the ACCC will continue to enforce “proper” data collection practices through the avenue of consumer protection.