On 12 August 2022, the Federal Court handed down its judgment ordering Google to pay $60 million in penalties, following the ACCC's successful case that Google had misled consumers in the collection of their location data through Android devices.
The case is significant not only in terms of the quantum of the fine imposed, but as the first public enforcement outcome arising from the ACCC's Digital Platforms Inquiry, the final report of which was issued in 2019.
The Court has previously ruled in favour of the ACCC on 16 April 2021 in Australian Competition and Consumer Commission v Google LLC (No 2) [2021] FCA 367 (ACCC v Google). For more information about that judgment, see our previous update: The ACCC continues its foray into data privacy in ACCC v Google.
The relevant conduct that breached the Australian Consumer Law (ACL) took place between January 2017 and December 2018. The penalty was imposed on Google's US-based company rather than its Australian subsidiary, as the US company was held to be responsible for the screen found to be misleading.
The relevant conduct
Google was found to have breached the ACL by misleading consumers, in three specific scenarios:
- first, when a user initially set-up the Android device and was presented with the opportunity through the 'more options' link within the Privacy and Terms screen, to enable or disable the Location History or Web App Activity settings (Scenario 1);
- second, where a user had turned the Location History setting to 'on' and then later decided to turn it back off (Scenario 2); and
- third, where a user considered turning off the Web & App Activity setting after initial set-up of their device (Scenario 3).
The ACCC has estimated that 1.3 million Google accounts in Australia may have viewed a screen that was subject to the above contraventions.
Penalties for Google's misleading and deceptive conduct
In respect of each of these breaches, the Court imposed penalties cumulatively totalling $60 million, as follows:
- $10 million for Scenario 1;
- $10 million for Scenario 2; and
- $40 million for Scenario 3.
Until September 2018, the maximum penalty for breaches of the ACL was $1.1 million per breach. From September 2018, the maximum penalty is now the higher of:
- $10 million;
- if ascertainable by the Court, three times the value or benefit obtained and reasonably attributable to the act or omission that breaches the ACL; or
- if the Court cannot determine this value, 10% of the annual turnover of the offending body corporate (the calculation of which excludes any value of supplies not connected with Australia).
The majority of Google’s conduct occurred before the maximum penalty was increased.
The ACCC and Google agreed, and Justice Thawley accepted, that the value or benefit obtained by Google that could be reasonably attributable to the contraventions could not be determined. Following consultation between the parties and consideration of Google's contravening conduct and revenue both globally and within Australia, Google and the ACCC jointly submitted that the penalties set out above were appropriate to strike the right balance between deterrence and oppressive severity. The Court accepted this approach on the basis that, when considered together with the declarations and other orders to be made, including the various compliance measures agreed between the parties, the penalties were appropriate to achieve their necessary specific and general deterrent objective.
What this means for businesses in Australia
Importantly, although it was not suggested that Google's conduct was deliberate or that it engaged in a cynical calculation that the benefits of its conduct were likely to outweigh the costs of being caught, the Court emphasised that Google's status as a company with significant levels of interaction with consumers meant that compliance with Australia's consumer laws should have been front of mind. As outlined in the ACCC's media release, Chair Gina Cass-Gottlieb commented in response to the order of penalties against Google that '[t]his significant penalty imposed by the Court … sends a strong message to digital platforms and other businesses, large and small, that they must not mislead consumers about how their data is being collected and used.'
This case highlights that the ACCC is increasingly willing to take enforcement action against organisations for misleading or deceptive conduct (and other related offences) in the context of privacy and data handling. It also demonstrates the potentially significant monetary consequences organisations may face if found to have contravened the ACL under similar circumstances, regardless of whether or not they do so with deliberate intent.
In light of this changing enforcement landscape, it is important for organisations to regularly review privacy policies, collection notices and other privacy-related documents as well as their digital infrastructure more broadly. This process should involve due consideration of the organisation's compliance with Australian and global privacy regimes, as well as to determine whether the organisation's privacy policies and notices continue to be fit for purpose and accessible. A key factor in the case against Google was that the manner in which Google informed consumers of how their location information would be managed was confusing to the extent that a reasonable consumer was likely to be misled or deceived when engaging with Google's systems.
In order to minimise risk and avoid similar enforcement action, organisations must ensure that the manner in which they inform consumers as to how their personal information is collected, used, stored, disclosed and handled is sufficiently transparent and accurately representative of the organisations’ practices.