Australian Competition and Consumer Commission succeeds in alleging Google misled consumers regarding its location history settings. Privacy law enforcement via the Consumer Law
April 16, 2021
In the very significant decision of Australian Competition and Consumer Commission v Google LLC (No 2) [2021] FCA 367, the Federal Court, per Thawley J, has found that Google breached sections 18, 29 and 34 of the Australian Consumer Law (the “ACL”). At 341 paragraphs it is a significant and detailed judgment.
Privacy policies and settings remain problematical in terms of practical, as opposed to theoretical, compliance with the Privacy Act 1988 and in providing consumers with a clear understanding of what the settings actually mean for them. It does not help that settings are changed regularly and often without notice, with Facebook being particularly notorious in this regard.
It appears that the ACCC is stepping into the regulatory void that would otherwise be occupied by the Australian Information Commissioner in enforcing privacy protections. By relying on the misleading and deceptive conduct provisions of the ACL, the ACCC is following the long-established approach taken by the US Federal Trade Commission in bringing proceedings for misleading conduct where companies claim to protect privacy or have proper data security when in fact they do not. That has led scholars to suggest that the FTC has developed a new common law of privacy. It would be a welcome development if the ACCC used its experience and superior litigation skills to enforce privacy protections in Australia. The Information Commissioner has thus far had a dismal record in the Federal Court regarding consideration of the Privacy Act 1988.
The proceedings commenced in October 2019. Final orders will not be made for at least 14 days as the parties are to provide orders to reflect the court’s conclusions. Given the nature of the findings it is reasonable to expect an appeal will be at least seriously contemplated by Google after it has properly analysed the decision.
The primary allegations were that Google misled consumers about the personal location data collected through Android devices between January 2017 and December 2018.
The Australian Competition and Consumer Commission media release provides a very useful summary stating:
The Federal Court has found that Google LLC and Google Australia Pty Ltd (together, Google) misled consumers about personal location data collected through Android mobile devices between January 2017 and December 2018, in a world-first enforcement action brought by the ACCC.
“This is an important victory for consumers, especially anyone concerned about their privacy online, as the Court’s decision sends a strong message to Google and others that big businesses must not mislead their customers,” ACCC Chair Rod Sims said.
“Today’s decision is an important step to make sure digital platforms are up front with consumers about what is happening with their data and what they can do to protect it.”
The Court ruled that when consumers created a new Google Account during the initial set-up process of their Android device, Google misrepresented that the ‘Location History’ setting was the only Google Account setting that affected whether Google collected, kept or used personally identifiable data about their location. In fact, another Google Account setting titled ‘Web & App Activity’ also enabled Google to collect, store and use personally identifiable location data when it was turned on, and that setting was turned on by default.
The Court also found that when consumers later accessed the ‘Location History’ setting on their Android device during the same time period to turn that setting off, they were also misled because Google did not inform them that by leaving the ‘Web & App Activity’ setting switched on, Google would continue to collect, store and use their personally identifiable location data.
Similarly, between 9 March 2017 and 29 November 2018, when consumers later accessed the ‘Web & App Activity’ setting on their Android device, they were misled because Google did not inform them that the setting was relevant to the collection of personal location data.
The Court also found that Google’s conduct was liable to mislead the public.
“We are extremely pleased with the outcome in this world-first case. Between January 2017 and December 2018, consumers were led to believe that ‘Location History’ was the only account setting that affected the collection of their personal location data, when that was simply not true,” Mr Sims said.
“Companies that collect information must explain their settings clearly and transparently so consumers are not misled. Consumers should not be kept in the dark when it comes to the collection of their personal location data.”
The Court dismissed the ACCC’s allegations about certain statements Google made about the methods by which consumers could prevent Google from collecting and using their location data, and the purposes for which personal location data was being used by Google.
The ACCC is seeking declarations, pecuniary penalties, publications orders, and compliance orders. This will be determined at a later date.
“In addition to penalties, we are seeking an order for Google to publish a notice to Australian consumers to better explain Google’s location data settings in the future. This will ensure that consumers can make informed choices about whether certain Google settings that collect personal location data should be enabled,” Mr Sims said.
Background:
Google LLC is a multinational company incorporated in the United States with its headquarters in Mountain View, California. It is a subsidiary of Alphabet Inc. Google Australia Pty Ltd is a subsidiary of Google LLC and conducts certain aspects of Google LLC’s business in Australia, including the distribution of Pixel phones.
The ACCC instituted proceedings against Google LLC and Google Australia Pty Ltd in October 2019.
Note to editors:
If Android phone users want to stop Google collecting personally identifiable location information, they may do so by switching off the ‘Location’ setting in their Google Account as well as the ‘Web & App Activity’ setting. Consumers can delete personal data that Google has already collected about them through their Google Account.
The Federal Court found that a number of representations published by Google LLC to Australian consumers between January 2017 and December 2018 were false or misleading and that Google LLC engaged in misleading or deceptive conduct, in contravention of the Australian Consumer Law.
The Australian has already provided a reasonably good summary of the decision and factual background with “ACCC federal court case shows Google privacy settings are a mess”. The Australian also provides further commentary with “Google misled potentially millions of Android phone and tablet users over the tech giant’s use of location data”. The Age has also reported on the case with “Google misled customers about use of location data, court rules”. And not surprisingly ZDNet has good coverage with “Court finds Google misled Australian consumers on how it collected location data”, as does iTnews with “Google misled Android users about location data collection”.
The Australian ACCC Federal Court article provides:
The ACCC’s case against Google dealt with the tip of the iceberg when it comes to issues around the personal data it collects.
You would expect that if your “location history” in Google settings is turned off, you are not being tracked. You would expect that if you switch off your ‘web & app activity’, your activity using the web and apps won’t be recorded.
The ACCC contended that neither was the case in 2017-2018 on Android phones, the period the commission homed in on, in its federal court action against Google. The judgment says around 6.3 million Australian users set up a new Google account on devices using the Android OS between January 2017 and August 2019.
The court examined in minute detail whether users were given information about the limitation of these services when they clicked “learn more” or “more options” buttons.
Not part of this case, but equally important, is ‘incognito mode’ when browsing in Chrome. It turns out you are not incognito to others on the internet.
The ACCC may have won the day in pointing out these technical transgressions. Google these days does include more information about the limitations of these privacy protections in the fine print.
However the situation is hopeless. Users are mostly not lawyers and don’t read the screeds of legal fine print about software they use. I’m also guilty of pressing the “agree to the terms and conditions button” when I’m anxious to use a much-needed app. I suspect most of us are the same.
It’s not good enough to detail how services are used in the fine print. The options have to reflect what their everyday meaning implies.
If Google offers an option to turn location history off, the option should do exactly that. Those common everyday meanings should also apply to “web & app activity” and “incognito mode”.
Instead we have a hopeless mess with countless qualifications about what services do.
When location history is off, Google now says your settings for other location services on your device, like Google location services and Find My Device, are not changed.
“Some location data may continue to be saved in other settings, like Web & App Activity, as part of your use of other services, like Search and Maps, even after you turn off Location History.”
If you turn off web and app activity, your device will still share information with Google such as how often you use your device and apps, battery levels and system errors. Google says your search and ad results may be customised using search-related activity even if you’re signed out.
When you select ‘incognito mode’ Google says files you download and bookmarks you create will be kept, and your activity isn’t hidden from websites you visit, your employer or school.
Chrome only goes as far as not saving your browsing history, cookies and site data, or information entered in forms.
Unless you read the fine print, these privacy settings are misleading. Given most people don’t read the fine print, the situation around tweaking these settings is hopeless, despite today’s court judgment.
In addition, the ACCC case didn’t address some of the worst cases of privacy abuse by Google.
In August 2019, The Australian revealed that Android phones were sending a relentless secret fire hose of user data that extended beyond the public flow of data.
The Australian detected this data using software supplied by Oracle that intercepted it and sent it to a server where we could view and analyse it.
The secret data stream from the Android phones included the identification of cellular towers and the identification by ID (MAC address) of every Wi-Fi access point you encounter, constant recordings of barometric pressure — Google seems to want to know which floor of a building you are on — and your state: whether you are on a bicycle, or in a car; your longitude, latitude and speed, and an estimate of data accuracy.
Location data was sent to Google even when Google Maps location history was turned off during the test.
In one 31-minute period, one of the test phones conducted 39 Wi-Fi scans, 15 location scans, 15 barometric readings, and 24 activity scans, whether I was still or on foot. More than 20 of the Wi-Fi scans each identified more than 20 Wi-Fi access points.
On one occasion, I commuted by train and tram to a conference, then stayed in the city for dinner. The phone sent 529 readings of data to Google. Of that, 158 were activity-related, 222 were barometric readings, 121 were locations, 29 were about changes in rates of data accumulation and 151 were scans of Wi-Fi sources.
This fire hose of data was way beyond the normal, regular collection of data on Android phones.
Google never admitted to this stream of data at the time (they never denied it either), but several months later, we noticed a lot of it stopped.
The judgment includes reference to an “oh shit” meeting of Google employees after publication of an Associated Press article in 2018 about the inaccuracy of Google’s descriptions of its settings.
This judgment is a partial win for the ACCC. It found Google had contravened sections 18, 29 and 34 of Australian Consumer Law. That includes conduct that is misleading or deceptive or is likely to mislead or deceive. It’s a damning finding.
But it also found that more savvy users were less likely to be misled. The judgment gives users credit for thinking through privacy settings screen by screen but I don’t believe most users have the patience and time to do that.
The case didn’t involve the breadth of the data privacy breaches that Google has perpetrated overall.
Users will continue not to read the screenfuls of fine print about smartphone services they use. And who can blame them?
A detailed analysis of the decision will follow soon.