The Federal Court on Friday agreed to impose penalties on Google totalling $60 million, after last year finding that it had engaged in misleading or deceptive conduct by virtue of statements made to users about collection of location data.
Users of mobile phones running Google’s Android operating system were given separate options as to whether to allow Google to collect ‘Location History’ and ‘Web & App Activity’ in connection with their Google user account. However, even if ‘Location History’ was disabled, Google would continue to collect, store and use personally identifiable location data if ‘Web & App Activity’ was enabled. Per the summary given by Justice Thawley in last year’s decision:
At the core of the ACCC’s case was the contention that there were users who were misled or likely to have been misled by what was, and what was not, stated or shown on various relevant screens on the users’ devices; there were users who, acting reasonably, would have been led into thinking that, with Location History “off”, Google LLC would not obtain, retain and use personal data about a user’s location, and that this was not relevantly changed by the fact that Web & App Activity was “on”.
Ultimately, the Court found three categories of contraventions of the Australian Consumer Law made by Google, described in last week’s damages judgement as:
- the ‘Setup Contraventions‘, involving representations about the ‘Location History’ setting made to some Australian users when setting up their Android mobile device;
- the ‘LH Contraventions‘, involving representations made to some Australian users when they turned Location History ‘off’ on their Android mobile device; and
- the ‘WAA Contraventions‘, involving representations made to some Australian users when they browsed options in respect of the Web & App Activity setting, which impliedly represented that having the WAA setting turned ‘on’ would not allow Google to obtain, retain or use personal data about the user’s location.
Estimates before the Court were that users of 1.3 million Google Accounts in Australia may have viewed a screen that was the subject of the Contraventions. The ACCC estimated the following total number of each Contravention:
- Setup Contraventions: 76,000;
- LH Contraventions: 57,000; and
- WAA Contraventions: 1,300,000.
While the penalty for each individual contravention could potentially be $1.1 million or more, the parties and the Court all agreed that ‘the arithmetic maximum penalty attaching to Google’s conduct would be so disproportionately large as to make precise calculation unnecessary and unhelpful‘.
Instead, the ACCC and Google jointly proposed the following penalties were appropriate:
- in respect of the Setup Contraventions: $10 million;
- in respect of the LH Contraventions: $10 million; and
- in respect of the WAA Contraventions: $40 million.
The Court was required to consider whether these amounts represented ‘an appropriate penalty in the sense that it falls within an appropriate range’. In deciding that this was the case, Justice Thawley noted that they appeared to ‘achieve the necessary specific and general deterrent objective of the imposition of the penalty‘.
Google was also ordered to undertake certain compliance activities, and meet some of the ACCC’s costs of the proceedings.
As we noted previously, this matter was slightly unusual in that, although it was largely a matter about personal information and privacy, the enforcement action was brought by the ACCC under the Australian Consumer Law, rather than the Office of the Australian Information Commissioner (OAIC) under the Privacy Act.
A decision remains pending in another set of similar proceedings by the ACCC against Google under the Australian Consumer Law. This further case relates to steps taken by Google to combine user account data with data about individuals’ use of third-party sites and apps not owned by Google, for the purpose of better targeting adverting. It was heard by the Federal Court in November and December last year, and we are now awaiting a decision.
The OAIC has also brought proceedings in the Federal Court against Facebook, for alleged breaches of the Privacy Act and APPs said to have arisen as part of the Cambridge Analytica scandal. We discussed this case in:
- March 2020, when the OAIC filed proceedings;
- April 2021, after the Federal Court found at least an arguable case to answer for both Facebook Inc in the US and Facebook Ireland Limited, and allowed service of the claim outside of Australia; and
- February this year, when the Full Court of the Federal Court rejected an appeal which sought to have Facebook Inc excluded from the matter, leaving the claim only against Facebook Ireland, with the Court deciding that Facebook Inc appeared to be carrying on a business in Australia which involved the collection of personal information.
On that basis, the complaint remains against both Facebook entities. The substance of the case is yet to be decided.
This article was written by Daniel Kiley, Partner.