The Federal Court last Friday issued a finding that Google engaged in misleading or deceptive conduct by virtue of statements made to users about collection of location data.
The Privacy Act 1988 (Cth) (Privacy Act), and the Australian Privacy Principles (APPs) therein, are the key piece of privacy legislation in Australia, administered by the Office of the Australian Information Commissioner (OAIC). The APPs set out the manner in which Commonwealth Government agencies and private businesses collect, hold, use and disclose personal information. These proceedings in the Federal Court were unusual, in that they were not brought by the OAIC under the Privacy Act, but were instead brought by the Australian Competition and Consumer Commission (ACCC) under the Australian Consumer Law.
Users of mobile phones running Google’s Android operating system were given separate options as to whether to allow Google to collect ‘Location History’ and ‘Web & App Activity’ in connection with their Google user account. However, even if ‘Location History’ was disabled, Google would continue to collect, store and use personally identifiable location data if ‘Web & App Activity’ was enabled. Per the summary given by Justice Thawley:
“At the core of the ACCC’s case was the contention that there were users who were misled or likely to have been misled by what was, and what was not, stated or shown on various relevant screens on the users’ devices; there were users who, acting reasonably, would have been led into thinking that, with Location History “off”, Google LLC would not obtain, retain and use personal data about a user’s location, and that this was not relevantly changed by the fact that Web & App Activity was “on””.
While the Court did not agree with all such instances alleged by the ACCC, Justice Thawley was willing to find that this was the case in many scenarios. In one such scenario, for example, Justice Thawley stated:
“In my view, there were users… who would reasonably have understood or thought from Google’s conduct to this point that with Location History turned “off”
- Google LLC would not be able to obtain, retain or use location data; or
- Google LLC would continue to be able to obtain and use location data when the user was using a Google product or service, but Google LLC would not be able to retain data so obtained or later use that data.
Given the factual finding that the Google’s conduct misled or was likely to mislead some reasonable users, the conclusion under the Australian Consumer Law is far from surprising. However, the application of Australian Consumer Law to a privacy matter in this way is a new development, and serves to remind that the obligations of the Privacy Act do not apply in isolation.
In one of the scenarios posed by the ACCC, although the Court found that ‘Google’s conduct would not have misled all reasonable users’, it also found that ‘Google’s conduct misled or was likely to mislead some reasonable users’, which was sufficient to conclude that Google had breached the Australian Consumer Law.
This serves to again emphasise that statements made to consumers can still contravene the Australian Consumer Law even if a proportion of consumers might not be misled. Per the decision, ‘One would not condone misleading conduct directed to the public at large just because 51% of consumers, or an even greater majority, of consumers would not be misled.’ While Courts will disregard consumer ‘reactions that might be regarded as extreme or fanciful’, they do recognise the scope for statements to be received and understood differently by different consumers.
Justice Thawley specifically found in one scenario that:
“If users had read all of the material made available by Google, or read the information on the Privacy and Terms screen with greater care, or had clicked on the “Learn more” link to the Web & App Activity setting on the More Options screen, reasonable users… would probably not have been misled”.
However, this did not absolve Google, as his honour also stated that:
“I accept that such a user would ordinarily be expected to pay some attention to what was written on both the Privacy and Terms screen and the More Options screen. I do not accept that they would have all parsed and analysed the screens in the careful and meticulous way suggested by Google”.
It is not uncommon to have privacy documentation structured with multiple layers of detail – in fact this approach is often encouraged. A collection notice provided to users pursuant to APP 5 might direct users to an organisation’s privacy policy for more detail on particular matters, for example. The Court’s decision here makes clear that, where this progressive disclosure approach is adopted, the summaries provided need to be consistent with the detail. Businesses will need to ensure that the impression garnered by consumers at each level of disclosure is coherent and accurately reflects the organisation’s practices.
Two more major privacy cases remain pending in the Federal Court
The ACCC has similar action pending against Google under the Australian Consumer Law. This further case relates to steps taken by Google to combine user account data with data about individuals’ use of third-party sites and apps not owned by Google, for the purpose of better targeting adverting. Google provided some notice to users regarding this change, but the ACCC alleges that ‘consumers could not have properly understood the changes Google was making nor how their data would be used, and so did not – and could not – give informed consent’.
The OAIC has also brought proceedings in the Federal Court against Facebook, for alleged breaches of the Privacy Act and APPs said to have arisen as part of the Cambridge Analytica scandal. We discussed this case when it was filed March last year. While yet to reach a final decision, the Federal Court has given interlocutory decisions permitting service of the claim on Facebook entities located in the United States and Ireland, finding:
- ‘Facebook Inc and Facebook Ireland are “organisations” for the purposes of the Privacy Act’;
- ‘the material was sufficient to establish a prima facie case that Facebook Ireland and Facebook Inc collected personal information in Australia’; and
- ‘A sufficient prima facie case on the basis articulated by the Commissioner has been shown… to warrant service outside of Australia. ..[T]hat is not to say anything about the strength of the case. Rather, the material demonstrates a genuine argument about contravention, sufficient to justify causing the respondents to be subject to the litigation in Australia where the merit of that argument can be judicially determined.’
Until that matter is substantively decided, the Federal Court’s decision last Friday serves as a timely reminder of the increased scrutiny that Australian regulators are applying to privacy matters. As ACCC chair Rod Sims said following the decision: ‘Data issues are only going to be more important. It’s crucial we get some court rulings in relation to what platforms can and can’t do’.
This article was written by Luke Dale, Partner and Daniel Kiley, Special Counsel.
