The Australian Competition and Consumer Commission (ACCC) filed a suit recently alleging that Google breached the Australian Consumer law (ACL) through its collection of users’ location data. The ACCC alleges devices running Google’s Android operating system misled consumers about the steps required to disable the collection and use of user location data. Google uses this location data to deliver customised advertising to users and the ACCC claims that, as a result, users were not able to make an informed choice about Google’s use of their location data. Google has indicated it will defend the action.

Digital Platforms Inquiry

This comes just 3 months after the ACCC released its final report on its Digital Platforms Inquiry (DPI) which focussed on the data practices and market power of global tech giants, particularly Facebook and Google. The Commonwealth government subsequently noted that “the ACCC’s overriding conclusion that there is a need for reform - to better protect consumers, improve transparency, recognise power imbalances and ensure that substantial market power is not used to lessen competition in media and advertising services markets”.

A key recommendation of the report was the introduction of measures to better inform consumers and improve their bargaining power when dealing with digital platform providers, particularly in relation to how personal information and data is handled by platforms. As such, the current suit against Google is expected to be the first of multiple enforcement actions by the ACCC looking at data collection and use practices of businesses.

Why it matters: a new frontier for privacy regulation and enforcement

The ACCC’s action under section 18 of the ACL for ‘misleading and deceptive conduct’ opens an avenue not previously used by the ACCC to hold companies to account for their privacy practices. Until now, the regulation of personal information collection by businesses has been pursued under the Privacy Act 1988 (Cth) (Privacy Act) by the Office of the Australian Information Commissioner (OAIC).

Before these proceedings and the DPI, the only scrutiny Google might have anticipated in relation to its information collection practices would have been from the OAIC. For example, in relation to managing personal information in an open and transparent way, possibly breaching APP1. Instead we are seeing a different regulator taking action under consumer protection laws. To which, Rod Sims’ would likely respond, rightly so – as demonstrated in his comments on the recommendations contained in the DPI: “Action on consumer law and privacy issues, as well as on competition law and policy, will all be vital in dealing with the problems associated with digital platforms’ market power and the accumulation of consumers’ data”.

One significance of this is the contrasting penalties available to each of the ACCC and the OAIC respectively. Under the Privacy Act, currently a maximum civil penalty of $2.1 million can be imposed. Under the ACL, however, the penalties have recently been raised from $1.1 million to the greater of:

• $10 million
• three times the value of the benefit received; or
• 10 per cent of annual turnover in the preceding 12 months (where the benefit cannot be calculated).

This being said, prior to this year’s election, the Federal Government flagged increases to the penalties, and a general strengthening of the enforcement regime, under the Privacy Act which would bring them in line with those available under the ACL (together with increased funding for the OAIC). We discuss the proposed regime here.

The conduct alleged by the ACCC appears to have straddled both the old and new penalty regimes, meaning Google may be subject, at least partly, to the increased penalties under the ACL.

Practical takeaways for businesses

As a more active and better resourced regulator than the OAIC (despite the OAIC’s increased funding), enforcement action by the ACCC in the privacy space dramatically increases the scrutiny businesses may face in relation to the way they collect and use personal information. Now more than ever, businesses should review their privacy practices but with a dual focus of ensuring compliance with the Privacy Act, as well as under a broader consumer protection lens of ensuring those practices and conduct as a whole are not misleading and deceptive - or indeed, if the recommendation for a new prohibition against unfair trading practices (recommendation 21 in the DPI) finds ground, generally and even more broadly, unfair.

Authors: Melissa Fai, Mark Ferguson and Alexander Ryan.