Google Fined for Unlawfully Collecting Australian Consumer Data

Information on this page was reviewed by a specialist defence lawyer before being published.

Google and the Australian Competition & Consumer Commission’s (ACCC’s) long-running battle over the unlawful collection of data has been settled, with the tech giant agreeing to pay $60 million.

In April 2021, the Federal Court found that Google had breached consumer laws by misleading some Australian consumers with regard to the collection of their personal data. It affected users who had switched location data to ‘off’ although their web activity was ‘on’ or data was collected via apps in use. 

Breach of consumer law 

Google was also found to be in breach of two other consumer laws concerning conduct liable to mislead the public and making misleading representations about a service’s performance characteristics.

Of course, as most commentators have already pointed out, $60 million is small change for Google – effectively the fine represents a slap on the wrist for what is considered to be a serious breach of Australian consumer law.

And while the consumer laws are in place to protect us, the case also highlights the fact that many of us don’t read terms and conditions of websites or apps etc, or if we do, it’s likely that we don’t really understand the jargon and legalese written in them. 

As UK comedian Michael McIntyre once famously joked, he’s worried that one day Apple might just walk in and remind him that long ago he ticked a box and signed over his house. 

At the time of the Federal Court judgment last year the ACCC said it sent a clear message to digital platforms to be upfront with consumers about what is happening with their data.

The big tech companies collect data in all sorts of ways – when we post pictures, when we join online groups, search for information on the internet, when we use apps, when we like a friend’s social media post. And they have all been under scrutiny for some time, because after all, data is the currency of the technology age and laws – privacy laws in particular – need to keep pace with rapid changes in the industry.

Personal information and privacy 

All of us who use the internet or a smartphone have given away personal information; just how much is not necessarily quantifiable. The Google case raises important questions about how we can check on our ‘digital footprint’ – that is, what information companies hold, whether we can have it edited or deleted, and what happens to this personal information if we die. And because technology operates globally, what exactly are our rights across international borders?

All apps and websites have features where you can elect to switch off tracking and location services as well as edit the information you provide. And sites such as DuckDuckGo – an internet search engine that emphasises protecting user privacy – are becoming increasingly popular as we become more concerned about just how much information the big tech companies hold about us.

Sure, it’s convenient to be recommended other sites and services – but what about the cost to privacy? 

What does the law say? 

Australian Privacy Laws 

Under Australian Privacy law, you have the right to ask any organisation what personal information they hold on you, and you have a right to correct the information the company holds, if it is:

  • Inaccurate,
  • out of date,
  • incomplete,
  • irrelevant, and/or
  • misleading.

Freedom of Information Act 

You also have rights under the Freedom of Information Act 1982 to access government records, and to ask an agency or minister to change or annotate a record of your personal information – this includes information that police hold about you. 

An organisation or entity is not able to charge you any fees for a check of your personal records, although they can refuse a request if they have good reasons for doing so. The backstop is the Office of the Australian Information Commissioner (OAIC), which is the body you can take any complaints to, to have them dealt with.

The problem here is that there are numerous ‘grey areas’ within the law.  

The notifiable data breaches scheme also commenced in Australia in 2018, which requires Australian companies and entities to notify any Australians affected by ‘eligible data breaches’ (a breach that is likely to result in serious harm to any of the individuals to whom the information relates) and to also notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable.

This came into force because many companies use cloud storage, and while security is improving, hackers will always find a way. In recent years a number of Australian government websites have been affected by cyber attacks. In 2020 NSW Transport discovered that about 50,000 NSW driver’s licence holders had been affected by a data breach – their information was left unprotected in a cloud folder.

This is a serious concern because it means that your personal data could, potentially, end up in the wrong hands. Identity fraud is very difficult to recover from but there are other cyber crimes that can be committed with your personal information too. 

New privacy laws

In 2021, the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (the Online Privacy Bill) was drafted to strengthen the Privacy Act 1988.

Significantly, it introduces a binding online privacy code for social media and certain other online platforms, and increases penalties and enforcement measures.

The Online Privacy Bill is intended to give effect to the Australian Government’s commitment to strengthen the Privacy Act 1988 (Cth) (Privacy Act). Specifically, the Bill will introduce a binding online code for social media and certain other online platforms, as well as increase penalties and enforcement measures.

It also proposes that organisations and entities ensure that their privacy policies clearly and simply explain the purposes for which they collect, hold, use and disclose personal information and that when seeking consent from individuals, consent must be voluntary, informed, unambiguous, specific and current. 

Under the proposal, organisations and entities must seek renewed consent periodically or when circumstances change when collecting “sensitive information” and must stop using or disclosing personal information upon request. 

There are also additional protections for children and vulnerable groups.


Author

Sonia Hickey

Sonia Hickey is a freelance writer, magazine journalist, and owner of 'Woman with Words'. She has a strong interest in social justice and is a member of the Sydney Criminal Lawyers® content team. Sonia is the winner of the Mondaq Thought Leadership Awards, Spring 2022.
