In the 12 months since the Australian Competition and Consumer Commission (ACCC) released its final report on its Digital Platforms Inquiry (DPI), the ACCC has filed two law suits against Google with regard to its handling of personal data. In October 2019, ACCC alleged that Google had breached the Australian Consumer Law (ACL) through its undisclosed collection of users’ location data (October 2019 Proceeding). In late-July this year, the ACCC launched fresh proceedings alleging that Google misled customers by failing to obtain informed consent for changes to the way consumers’ personal data was being collected and used (July 2020 Proceeding). With the trial in the earlier proceeding set to commence on 30 November 2020, it is timely to consider the ramifications for Australian businesses.
In light of the DPI recommendations and the ACCC’s crack down on Google, it is clear that it is just a matter of time before the ACCC turns its attention to Australian businesses. This article explains what needs to be done to ensure businesses are ACL compliant and will not be next in the firing line.
What is the DPI and why is it significant?
The DPI Final Report is the culmination of the ACCC’s 18 month inquiry into the impact of online search engines, social media and digital platforms, on competition and advertising. The Report contains widespread recommendations to strengthen privacy legislation and improve data handling practices. Most notably, the Report recommended prohibiting unfair trading practices that induce consumers to agree to the release of their data without fully appreciating the consequences of their consent.
This recommendation is significant as it indicates that the ACCC sees its consumer protection role as evolving to include the regulation of data handling practices online. As such, what was once reserved for the Office of the Australian Information Commissioner (OAIC) via the Privacy Act 1988 (Cth) (Privacy Act) is now squarely within the ambit of the ACCC. The ACCC is willing to use the provisions within the ACL to address privacy and data law issues, and is doing just that in its two suits against Google.
The ACCC v Google Proceedings
October 2019 Proceeding
In this proceeding, the ACCC alleges that between January 2017 and late-2018 when android users were setting up their Google-Accounts, they were not advised that they had to switch off two settings, not just one, if they did not want Google collecting their location data. Google directed the users to switch off “Location History” if they did not want their location data collected, but remained silent on the fact that if “Web & App Activity” remained switched on, Google would still be able to obtain, retain and use personal data about the user’s location.
Furthermore, the ACCC claims that during certain timeframes, Google failed to disclose that location data would be used for more than just facilitating Google’s services to the user in question. For example, the data would also be used to personalise advertisements for other users, and infer demographic information.
The ACCC considers both these claims to be a breach of section 18 of the ACL, in that the conduct of Google was misleading or deceptive, or likely to mislead or deceive consumers.
July 2020 Proceeding
In this proceeding, the ACCC alleges that Google failed to gain explicit consent to combine user’s personal information in their Google accounts, with information about their activity on non-Google sites that use Google ad technology. Prior to 2016, this information was kept separate. Google sought consent to the change from consumers, via a pop-up notification that prompted account holders to simply click “I agree”; an extract of the notification is as follows:
Some new features for your Google Account
We’ve introduced some optional features for your account, giving you more control over the data Google collects and how it’s used, while allowing Google to show you more relevant ads.
The ACCC alleges that the “I agree” notification did not inform the consumer of the true extent of the change. As a result, the ACCC considers that consumers are likely to have been misled and Google has again fallen foul of section 18 of the ACL (misleading or deceptive conduct).
This matter is yet to be set down for trial.
What is misleading or deceptive conduct?
Misleading or deceptive conduct under section 18 of the ACL is any behaviour that misleads or deceives, or is likely to mislead or deceive. In other words, any conduct that suggests to a consumer one circumstance/situation, when in fact the reality is another.
The section applies to any individual or business engaging in misleading or deceptive conduct whilst in trade or commence. This means, that when an individual or business makes a representation to consumers (whether directly or impliedly), they must ensure that the representation is not false or untrue, and as such is not likely to mislead the consumer. Importantly, the consumer does not actually have to be misled, it is enough that an ordinary or reasonable member of the class of consumer would be expected to have been misled or deceived.
What does this all mean for Australian businesses?
The DPI final report and the ACCC’s proceedings against Google send a clear signal to Australian businesses that the ACCC is steadfast about carrying out enforcement action against companies that deal with consumer data in a misleading or deceptive way.
The fact that the ACCC is relying on section 18 of the ACL means that Australian businesses of all sizes are at risk of falling foul, considering “trade or commerce” with section 18 of the ACL is defined broadly to include any business or professional activity whether or not carried on for profit, and regardless of size.
Accordingly, the time is now to consider the accuracy and transparency of data collection practices and procedures. Privacy policies and collection notices must explain to consumers what personal data is being collection, why it is being collected and how it will be used, or Australian businesses may risk a hefty fine and legal proceedings.
Gone are the days where the maximum civil penalty under the Privacy Act for privacy breach was capped at $2.1 million. Now, with the ACCC having the power under the ACL to enforce privacy obligations, the maximum penalty for mishandling consumer data has increased by almost 500% to being the greater of:
- $10 million;
- three times the value of the benefit received; or
- 10% of annual turnover in the preceding 12 months, if the benefit obtained from the offence cannot be determined.
Moreover, the Australian government has announced its intention to revise the penalty provisions of the Privacy Act so that the maximum civil penalties for data breaches align with the ACL. Accordingly, soon Australian businesses could be facing hefty fines for data breaches from all angles.