Just to remind us that even the world’s biggest and wealthiest tech companies are not immune to privacy breaches, Google made worldwide headlines recently after a glitch that sent thousands of users’ private videos backed up on Google Photos to complete strangers.
Google Takeout is a service that allows Google Photo users to backup their personal data or use it with other apps. Google mixed up user-data and sent many Take-out users’ personal videos to random people.
While the issue lasted several days, Google says it only affected 0.01% of users – but with the number of users in excess of 1 billion, the number is believed to run into the thousands.
The way big tech companies like Google and Facebook collect, store and share user-data has come under scrutiny in recent years.
The ACCC has taken legal action against Google
Last year, the Australian consumer watchdog, the Australian Competition and Consumer Commission (ACCC) filed legal proceedings against Google, accusing it of misleading smartphone users about how it collects and uses personal location data.
It’s the ACCC’s first lawsuit against a global tech giant, but one which the Commission hopes will send a clear message that tech companies are legally required to inform users of how their data is collected, and how users can stop it from being collected.
Other countries are said to be watching the proceedings closely, as they too consider how to keep tech companies accountable.
In a nutshell, the ACCC alleges that Google breached the Australian Consumer Law (ACL) by misleading its users during the years 2017 and 2018 by:
- not properly disclosing that two different settings need to be switched off if consumers do not want Google to collect, keep and use their location data, and
- not disclosing to consumers on which pages personal location data can be used for a purposes unrelated to the consumer’s use of Google services.
Some of the alleged breaches carry penalties of up to A$10 million or 10% of annual turnover.
According to the ACCC, Google’s account settings on Android phones and tablets have led consumers to believe that changing a setting on the “Location History” page stops the company from collecting, storing and using their location data. It alleges that Google failed to make clear to consumers that they would actually need to change their choices on a separate setting titled “Web & App Activity” to prevent this from occurring.
It is well known that Google collects and uses consumers’ personal location data for purposes other than providing Google services to consumers, although users are often surprised to realise just how much information these tech giants have and profit from.
For example, Google uses location data for its navigation platforms, using the data to work out demographic information for the sole purposes of selling targeted advertising. And, as it has become increasingly clear, digital platforms have the ability to track consumers when they are both online and offline to create highly detailed personal profiles.
These profiles are then used to sell products and services, but companies like the ACCC believe the way the information is gathered is misleading or deceptive, and could also breach privacy laws.
No ‘blanket’ protection for users globally
The closest thing to a cross-jurisdiction set of rules regarding privacy rights is the General Data Protection Regulation (EU) 2016/679 (GDPR), which were introduced in 2018 and govern data protection and privacy in the European Union (EU) and the European Economic Area (EEA).
The regulation also addresses the transfer of personal data outside the EU and EEA areas. The instrument aims to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the rules within the EU.
Not all companies and organisations have adopted the GDPR. Rather, only those with offices in an EU country or that collect, process or store the personal data of anyone located within an EU country are required to comply with the rules.
But because many businesses have an international focus and reach, many Australian businesses have adopted the regulations and given consumers some assurances regarding privacy.
And the GDPR laws do have teeth. In January, a French regulator fined Google 50 million euros (about AUD$82 million) for breaches of privacy laws. And Ireland’s Data Protection Commissioner is currently investigating Google over contravening the privacy rules.
Facebook is also under fire for privacy breaches as well as for misuse of data. Last year, it was fined a record-breaking $5 billion in the United States over the misuse of data and inadequate vetting of misinformation campaigns, which were used together to help sway the 2016 presidential election in favour of Donald Trump.
Beware of posting or uploading information
In the meantime, the ACCC has not yet specified the nature and scope of the corrective notices and other orders it is seeking against Google.
However, the regulator has sent warnings to all technology users to be vigilant in updating their privacy settings and being aware the information they provide when setting up devices and apps can be used and, indeed, profited from by tech companies.