INSIGHT

Federal Court makes landmark decision on data transparency

By Jacqueline Downes, Felicity McMahon, Valeska Bloch, Isabelle Guyot, Deniz Kayis, Beata Szabo, Yueh-Shin Chen, Melissa Camp
ACCC Cybersecurity & Privacy Telecommunications

Send me your location, [but] let's focus on communicating 8 min read

As put by singer Khalid, when you ask someone to 'send me your location', you might now need to 'focus on communicating'. This is clearly a message the ACCC expects market participants in Australia to be down with.

The Federal Court of Australia has found that Google LLC (Google) engaged in misleading conduct and made false representations to some of its users because of the way it presented its collection, storage and use of users' personal location data in its privacy statements.

The Australian Competition and Consumer Commission (ACCC) case was the first in the world to probe Google's approach to the collection of users' location data – and was followed by the ACCC's second misleading conduct case against Google in relation to the 2016 changes to Google's privacy policies regarding its decision to combine DoubleClick data with other data held about users by Google. That second case is listed for hearing at the end of 2021.

The court's finding makes clear to businesses that representations made in their privacy policies and privacy settings could lead to liability under the Australian Consumer Law (ACL). Moreover, in practice the decision sets a high bar for avoiding allegations of misleading and deceptive conduct where information is provided to consumers in a 'layered' way; that is, on multiple and/or click-through screens.

Key takeaways

  • Organisations should not assume that users will read all information made available to them.
  • Organisations should carefully consider whether the language used in privacy statements and collection notices is likely to be understood by Australian users.
  • The form and presentation of privacy statements, collection notices and privacy settings can be as important as the content.
  • Organisations should be cautious when making representations to large groups of consumers. The court may find a contravention even if only some reasonable consumers are misled or likely to be misled.

Summary of the ACCC's case

As discussed in more depth in our previous Insight, at the centre of the case were two Google Account settings: 'Location History' and 'Web & App Activity'. The default setting when setting up a Google Account in 2017–18 was for Location History to be 'off' and Web & App Activity to be 'on'. This allowed Google to collect, retain and use the personal location data of users. In order for a user to prevent the collection of their location data, both settings needed to be switched off.

The ACCC alleged that from January 2017 to late 2018, Google did not properly disclose this. The ACCC's case was that there were users who would have been misled into thinking that their location data would not be collected if they turned just Location History 'off'.

The ACCC identified three relevant classes of users likely to be misled by Google's conduct.

  • Scenario 1: Users who – when viewing the Privacy and Terms screen as they set up their Google Account – chose to read 'More Options'.
  • Scenario 2: Users who chose to turn Location History 'on' for a time and then later decided to turn it 'off'.
  • Scenario 3: Users who – after having set up their Android and Google Account – were considering whether or not to turn Web & App Activity 'off'. The screen explaining the Web & App Activity setting did not contain any reference to location data.

Reasonable members of a class of user, or a single hypothetical user?

Google submitted that the court should identify a single hypothetical person within the relevant class of users to test whether members of that entire class would have been misled. This submission assumed that the single hypothetical person would only be capable of one response. For example, they would either choose to turn Web & App Activity on or off; the court ought not be able to consider both options.

The court did not agree, holding that while a single hypothetical user may be suited to certain contexts (such as defamation), it is not suited to assessing contraventions of the ACL. The court emphasised that the ACL's purpose is the protection of ordinary consumers. Even if 51% of consumers or more are not misled by conduct, this does not mean the conduct was not misleading or deceptive under the ACL.1

This is an important reminder for businesses to be cautious when making representations to consumers. So long as a 'not insignificant number' of reasonable members of the relevant class of consumers would be (or would be likely to be) misled, that may satisfy the requirements of the ACL.

Likely or definitely misleading?

The court found that Google's conduct breached three provisions of the ACL:

  • Section 18, which prohibits engaging in conduct that is misleading or deceptive, or is likely to mislead or deceive;
  • Section 29(1)(g), which prohibits making a false or misleading representation; and
  • Section 34, which prohibits conduct liable to mislead the public about the nature, characteristics or suitability for purpose of services.

The court clarified that ss18 and 29(1)(g) involve different tests. To contravene s18, conduct must only be likely to mislead or deceive. Section 29 imposes a higher standard: the representation must actually be false or misleading.

Contraventions of s29 can have a much greater impact on businesses than contraventions of s18. Unlike s18, s29 attracts the maximum penalties available under the Competition and Consumer Act 2010 (Cth). For a company, this is whichever is greater of $10 million, three times the value of the benefit received, or 10% of the company's annual turnover.

There is no need for the ACCC to adduce evidence that a particular person was misled. The court can draw that inference from the surrounding circumstances, including whether there was a 'real or not remote chance or possibility' that a reasonable person in the relevant class was in fact (not just likely) misled.2

Penalties

Penalties will be determined at a later stage.

His Honour made comments which may be indicative of the approach to penalties the court may take in this case, noting that:

  • users who read all of the available material probably would not have been misled;
  • users who chose not to read all of the available material knew this extra material existed;
  • the conduct affected a narrow class of users; and
  • Google did not make an express representation that it would not obtain, retain or use personal location data when Location History was turned 'off'.

It seems the court recognises the difficulties involved in ensuring consumers properly read privacy statements. But those difficulties do not absolve conduct or representations that mislead or are likely to mislead.

What this means for businesses in Australia

  • It is not enough to simply embed or hyperlink to part or all of the critical information about how a user's data will be handled. As put by the court, 'the lack of desire [to plumb the depths for further information] increases with each link'.3 Rather, critical information should be disclosed to consumers upfront. This also means that if an upfront statement is corrected or adjusted in an embedded or hyperlinked layer, there is a risk the ACCC will find the upfront statement to be misleading or deceptive.
  • Organisations should also carefully consider whether the language used is likely to be understood by Australian users. For example, the court indicated that an Australian user would not necessarily interpret a reference to processing data (which is the terminology used in the GDPR, but not the Australian Privacy Act) as also involving the retention and later use of data (which are commonly used and understood concepts in Australia). This is particularly important for global organisations seeking to align terminology and notices across their international base.
  • When communicating to consumers, the form and presentation of privacy statements, collection notices and privacy settings can be as important as the content. For example:
    • Headings draw attention to particular topics. Where important data handling information is not adequately signposted – either because the heading does not accurately reflect the content, or because the relevant content is spread across multiple headings, some of which may not obviously match the relevant content – there is a risk that organisations could contravene sections 18, 29(1)(g), 33 and/or 34 of the ACL.
    • The structure, location and description of privacy settings also has the potential to mislead users. Organisations should be specific about how the privacy settings that a user selects will affect the treatment of their data. For example, if a user elects to turn 'Location History' off, it should be clearly communicated to the user upon selecting that option whether their location data may still be collected and used. General statements about how the choice may affect the functionality of products may not be sufficient to satisfy this obligation.

Please contact us if you would like to further understand the implications of this case for your business.

Footnotes

  1. Australian Competition and Consumer Commission v Google LLC (No 2) [2021] FCA 367, [96]-[98].

  2. Ibid, [120].

  3. Ibid, [210].