The Australian Competition and Consumer Commission (ACCC) has successfully shown that Google made misleading representations to consumers about collection and use of their personal data. Google was fined $60 million by the Federal Court for the conduct, which occurred prior to the increase in penalties for breaches of Australian Consumer Law, and we expect that the ACCC will continue to pursue increasingly high penalties.
So what happened here, and how can you and your business ensure your compliance?
The decision comes in the wake of increased litigation activity from the regulator, whose chair stated that the Google decision ‘sends a strong message to digital platforms and other businesses, large and small’. This comment reinforces that all businesses are obliged to conform with the requirements of the Competition and Consumer Act, especially when it comes to transparency in data collection and use.
The Google Case
This case involved breaches of the Competition and Consumer Act 2010 (Cth) relating to misleading conduct. In particular, the Court found these breaches occurred throughout 2017 and 2018 and involved misleading representations being made via messages conveyed to Android phone users when they set up or updated their Google accounts. These representations included that ‘Location History’ was the setting that controlled Google’s access to personal data about the user’s location, and an implication that Google would not obtain or retain such information if the default setting was turned off. The court found Google did not make it sufficiently clear that users would also need to turn off another default setting, named ‘Web & App Activity’ if they did not want Google to collect or retain their location data. Google used collected data to target ads to some consumers.
The primary role of the Federal Court in this case was to consider whether the $60 million figure jointly proposed by Google and the ACCC was appropriate. In doing so, the Federal Court considered the size and financial position of Google, the duration and scale of the conduct, and the number of affected customers (around 1.3 million Android phone users are expected to have seen the messages) as factors that increased the penalty, but did note the company’s cooperation with authorities and a corporate culture broadly conducive to compliance which were in the company’s favour. The fine will be paid by the US parent, because the Federal Court found that the Australian subsidiary was not responsible for the conduct.
Key Learnings for Businesses
- Transparency is key
This was the first success story from the ACCC’s Digital Platforms Inquiry, and the ACCC chair has since stated that
“companies need to be transparent about the types of data that they are collecting and how the data is collected and may be used, so that customers can make informed decisions about who they share that data with”.
This statement reflects the insistence that it is not the collection or use of data itself that is the offending conduct, but rather the lack of clarity for consumers in when or how that data was being collected.
- Good intentions alone aren’t a safeguard
That the relevant misleading message was not shown to all users, that not all users who did see the message were actually misled, or that the conduct was not deliberate, were not sufficient reasons to discount the potential harm here - especially given the personal nature of the information being collected by Google. This is a clear signal that the ACCC intends to be vigilant about enforcing the prohibition on misleading conduct regardless of whether a business intends to be misleading in its messaging. It is also important to note this reflects a larger shift towards ‘objectivity’, where the question of whether in fact individuals were misled or if there was an intention to mislead matter less than whether the conduct could be misleading. This means it is vital for businesses to carefully consider what ‘average user’ perceptions would be when accessing their offerings.
- Parent companies can be found liable for misconduct
The case also signals the ACCC’s intention to hold the relevant breaching party liable – including where that party is based overseas and is a parent company to an Australian subsidiary. Although this was an Australian regulator and an Australian court, because it was actions of the parent company that led to the breach and the local subsidiary had no oversight or control over the messages, the fine was issued to the parent company.
Companies should note that asset-rich parent companies can be found liable for conduct, even if they are based internationally and operate via a subsidiary in Australia.
Companies seeking to roll out measures to Australian subsidiaries without acquiring local input on compliance obligations should do so with caution, and in the knowledge that they can be held to account over their local counterparts.
Businesses should continue to ensure their compliance with legislation like the Competition and Consumer Act and be aware that the ACCC has both an increasing appetite for heavy hitting litigation, and an increasing reputation for landing their punches. This is especially the case for businesses collecting personal information and data from consumers that may influence their buying, operational, or consumption behaviours. It’s now more common than ever to collect and utilise reams of data… but it’s also never been more important to be clear about exactly how you’re doing it.
Material in this article is available for information purposes only and is a high level summary of the subject matter. It is not, and is not intended to be, legal advice. Hazelbrook does not guarantee the accuracy of the information provided. You should first obtain professional legal advice prior to taking any action on the basis of any information contained in this article. This article is copyright. For permission to reproduce this article please email Hazelbrook Legal: email@example.com