How to Change the World in 23 Words: ACCC v Google
By Ravi Nayyar
A particular judgement from His Honour Justice Thawley of the Federal Court of Australia is absolutely marvellous. Let me explain why.
What Was the Case about?
The case was brought by the Australian Competition and Consumer Commission (‘ACCC’) against Google LLC and Google Australia Pty Ltd. Google LLC, incorporated in the USA, is a subsidiary of Alphabet. Google Australia Pty Ltd is a subsidiary of Google LLC. For convenience, I will refer to both respondents as ‘Google’.
The ACCC alleged that Google had breached sections 18, 29 and 33 or 34 of the Australian Consumer Law (contained in Schedule 2 of the Competition and Consumer Act 2010 (Cth); ‘ACL’). Broadly speaking, these provisions prohibit misleading or deceptive conduct or representations in commercial activities, whether generally or related to particular goods or services.
The breaches were said to have arisen out of what Google conveyed to users of Android phones about how the company would manage their personal location data, namely such data collected between January 2017 and December 2018 (per the ACCC’s press release).
The ACCC based its case on screens that related to the phones’ ‘Web & App Activity’ and ‘Location History’ settings. The default settings — with Web & App Activity turned on, and Location History off — enabled Google to ‘obtain, retain and use personal location data when a user was using various apps’ (at [2] of the judgement). These screens were argued to be misleading or likely misleading because they conveyed the impression that ‘with Location History “off”, Google… would not obtain, retain and use personal data about a user’s location, and that this was not relevantly changed by the fact that Web & App Activity was “on”’ (at [2]).
The ACCC focused on users in three scenarios that covered certain time periods:
- Scenario 1 users, between 30 April 2018 and 19 December 2018, utilised the Android operating system on their phones to set up their Google Accounts and, ‘when viewing the Privacy and Terms screen…, chose to click on “More Options”’ (at [141], emphasis added);
- Scenario 2 users ‘had previously turned Location History “on” and wished to turn it “off”’ (at [229], emphasis added); and
- Scenario 3 users were ‘considering whether to turn Web & App Activity “off”’ (at [303], emphasis added).
At [33], Google was found to have collected and stored personal location data from an Android phone if:
- the user was signed into their Google Account on that device and the device had Google Mobile Services installed on it (Google Mobile Services comprised certain Google apps and Android device APIs);
- the device’s ‘Use Location’ or ‘Location’ setting (or equivalent, depending on the model) was enabled; and
- Web & App Activity was turned on and the user had utilised certain Google services; and/or
- Location History was turned on.
Both Google and the ACCC relied on expert evidence from behavioural economics experts as part of their arguments on how users would respond to the specific screens at the heart of the case.
What Was Held?
At [17]-[18], Thawley J held that:
the ACCC’s case under s 18 of the ACL is partially made out in respect of each of the three scenarios. Google’s conduct would not have misled all reasonable users in the classes identified; but Google’s conduct misled or was likely to mislead some reasonable users within the particular classes identified… The ACCC’s case under ss 29(1)(g) and 34 of the ACL is partially made out in respect of each scenario. (Emphasis added)
As above, the rulings concerned Google’s statements and representations, via the screens on users’ Android devices, about whether and/or how it would collect, use and/or retain their personal location data based on users’ Web & App Activity and Location History settings.
In relation to Scenario 1 users, Google was held to have breached ACL ss 18, 29(1)(g), 34.
In relation to Scenario 2 users, Thawley J divided His Honour’s conclusions per the three categories of screens that those users would have seen. For the first category, Google was held to have breached ACL ss 18, 29(1)(g), 34. For the second and third categories, the ACCC’s case was unsuccessful.
In relation to Scenario 3 users, Thawley J examined two representations alleged by the ACCC to have been made by Google across a few types of Web & App Activity Landing Pages. His Honour held that Google breached ACL ss 18, 29(1)(g), 34 by making the first representation (via the Type 1 and Type 2 Landing Pages). Google was held to have not made the second alleged representation. But (in obiter) His Honour considered that, if it had been made, that alleged representation ‘would have been misleading in the limited sense that it is conceivable that Google could use personal data for a purpose which could be seen to benefit only Google and not the user’ (at [328]).
The ruling solely concerned the merits of the ACCC’s case and Thawley J did not impose a penalty, rather leaving Google and the regulator to figure out the way forward and present it to the Court for approval. In its press release, the ACCC stated its pursuit of declarations, pecuniary penalties, publications orders and compliance orders against Google. This includes an order of the Court which compels Google to ‘publish a notice to Australian consumers to better explain Google’s location data settings in the future’, and thus help Australians make more informed choices about Google’s collection of their personal location data. Google is weighing its options, including an appeal.
Why Should We Care?
As highlighted by the Chair of the ACCC, Mr Rod Sims, this case is the first of its kind across the globe in using consumer protection/trade practices law to check a digital platform’s (mis)management of users’ personal location information. In that vein, Mr Sims pointed out that this was the first in the ACCC’s series of cases against digital platforms.
The need to better tackle risk to consumer welfare stemming from digital platforms has been a refrain of sorts from the ACCC in recent years. In a 2019 speech, for instance, Mr Sims warned digital platforms that ‘with greater market power comes greater responsibility, and with it, greater scrutiny’.
That speech relayed findings contained in the regulator’s Digital Platforms Inquiry final report (released in June 2019; ‘the Report’). Defining digital platforms as ‘applications that serve multiple groups of users at once, providing value to each group based on the presence of other users’, the Report was focused on Google and Facebook, given, for instance, their being ‘the two largest digital platforms in Australia’.
In the Report, the regulator highlighted the business models of digital platforms to generally depend on ‘collecting and harnessing user data and capturing user attention’. The nature of user data as ‘an asset for digital platforms that can be sold, licensed, disclosed or exchanged with third parties’ is a critical point to grasp. And the amount of data handled by digital platforms and their supply chains is growing exponentially, potentially increasing the consumer harm that can result from its misuse. In the aforementioned speech, Mr Sims cut right to the chase by quoting a Google insider’s tweet:
Data is not the new gold, data is the new uranium. Sometimes you can make money from it, but it can be radioactive, it's dangerous to store, has military uses, you generally don't want to concentrate it too much, and it's regulated. (Emphasis added)
That radioactivity, that potential for harm to consumers — which is resultant of the improper collection, use and retention of user data — can be seen as writ large in the case of personal location data. Echoing the present case against Google, the Report hones in on the collection of personal location data as a ‘data practice… of particular concern‘. Highly prized by digital platforms and their advertiser clients, the collection and analysis of this data can enable intrusive tracking of consumers. The issue was reinforced by the US Supreme Court when it held that the Fourth Amendment of the US Constitution regulates the tracking of cell site location information (telephone location metadata) by US law enforcement agencies. The Court found such tracking to represent ‘tireless and absolute surveillance’ because ‘a cell phone… tracks nearly exactly the movements of its owner’. The US Federal Communications Commission arguably echoed such concerns in 2020 when it proposed over $200 million in fines against the four largest mobile carriers in the country ‘for apparently selling access to their customers’ location information without taking reasonable measures to protect against unauthorized access to that information’. (The March 2020 episode of A Techno-Legal Update explored this proposal.)
Investigations by Motherboard have also unearthed a series of shocking revelations about the location data broking industry, particularly the ease with which brokers (and, by extension, their government customers) can track individuals via location data harvested from their phones without their informed consent (or a court-ordered warrant). The Global Initiative against Transnational Organised Crime labelled data brokerage in general as ‘ripe for an illicit economy [fuelled by people’s personal data] to build around the opaque legal one’, sitting on a ‘gold mine for the purposes of corruption, coercion and extortion’. WIRED went as far as defining data brokers as the ‘middlemen of surveillance capitalism’ and a ‘threat to democracy’.
The ACCC’s finding that ‘few consumers are fully informed of, nor can effectively control, how their data is collected, used and shared by digital platforms when they sign up for or use their services’ thus seems quite live, doesn’t it?
Given the harm to consumers which can result from suboptimal data governance, concrete protections for privacy — combined with their effective enforcement — are necessary. The Report stresses this by highlighting how the protection of privacy, competition and consumers intersect in the digital platforms context:
Privacy and data protection laws can build trust in online markets. They can increase consumer protections by addressing sources of market inefficiencies such as information asymmetries and bargaining power imbalances. Strengthened privacy and data protection laws can also empower consumers to make more informed choices about how their data is processed. This, in turn, is likely to increase competition between digital platforms regarding the privacy dimension of their services. (Emphasis added)
The ACCC’s litigation against Google is thus a step in the right direction. Mr Sims arguably referenced the leveraging of said intersection when describing the case as:
an important victory for consumers, especially anyone concerned about their privacy online, …[which] sends a strong message to Google and others that big businesses must not mislead their customers. (Emphasis added)
The ACCC successfully undertook a privacy protection suit which was formally presented as a trade practices/consumer protection case. The result reinforces the role of consumer protection/trade practices law in vindicating privacy rights.
I applaud the ACCC for seizing the initiative and refusing to settle — quite literally — unlike the FTC which did so with Facebook in 2019. The sheer number of consumers likely affected by Google’s conduct, as found by Thawley J, reminds us of how high the stakes are: ‘Around 6.3 million Australian users set-up a new Google Account on devices using the Android OS between January 2017 and August 2019’ (at [23], emphasis added). Almost a quarter of the Australian population.
This enforcement action by the Australian regulator comes after a decade of privacy scandals in Silicon Valley, which demonstrated the need for accountability of digital platforms in relation to their collection, use and retention of our personal data.
Privacy is a human right, after all.
If regulators can use consumer protection/trade practices law to help protect it, well, that’s absolutely marvellous.
One of my favourite Professors put it best regarding section 18 of the ACL:
Changing the world in 23 words!
