The Australian Competition and Consumer Commission (The Australian Competition and Consumer Commission (The Australian Competition and Consumer Commission ( ACCC filed a suit recently ACL its collection of users’ location data
Digital Platforms Inquiry
This comes just 3 months after the ACCC released its
A key recommendation of the report
Why it matters: a new frontier for privacy regulation and enforcement
The ACCC’s action under section 18 of the ACL for ‘misleading and deceptive conduct’ opens an avenue not previously used by the ACCC to hold companies to account for their privacy practices. Until now, the regulation of personal information collection by businesses has been pursued under the
Before these proceedings and the DPI, the only scrutiny Google might have anticipated in relation to its information collection practices would have been from the OAIC. For example, in relation to managing personal information in an open and transparent way, possibly breaching APP1. Instead we are seeing a different regulator taking action under consumer protection laws. To which, Rod Sims’ would likely respond, rightly so - as demonstrated in
One significance of this is the contrasting penalties available to each of the ACCC and the OAIC respectively. Under the Privacy Act, currently a maximum civil penalty of $2.1 million can be imposed. Under the ACL, however, the
$10 million
three times the value of the benefit received; or
10 per cent of annual turnover in the preceding 12 months (where the benefit cannot be calculated).
This being said, prior to this year’s election, the Federal Government flagged increases to the penalties, and a general strengthening of the enforcement regime, under the Privacy Act which would bring them in line with those available under the ACL (together with increased funding for the OAIC). We discuss the proposed regime
The conduct alleged by the ACCC appears to have straddled both the old and new penalty regimes, meaning Google may be subject, at least partly, to the increased penalties under the ACL.
Practical takeaways for businesses
As a more active and better resourced regulator than the OAIC (despite the OAIC’s increased funding), enforcement action by the ACCC in the privacy space dramatically increases the scrutiny businesses may face in relation to the way they collect and use personal information. Now more than ever, businesses should review their privacy practices but with a dual focus of ensuring compliance with the Privacy Act, as well as under a broader consumer protection lens of ensuring those practices and conduct as a whole are not misleading and deceptive - or indeed, if the recommendation for a new prohibition against unfair trading practices (recommendation 21 in the DPI) finds ground, generally and even more broadly, unfair.
Authors: Melissa Fai, Mark Ferguson and Alexander Ryan.