
Protecting private data: How consumer law can play a role

JOEL LISK, RESEARCH ASSOCIATE – SPACE AND REGULATION, JEFF BLEICH CENTRE FOR THE US ALLIANCE IN DIGITAL TECHNOLOGY, SECURITY AND GOVERNANCE, FLINDERS UNIVERSITY

In July of 2019, the Australian Consumer and Competition Commission (ACCC) delivered its final report following its inquiry into digital platforms such as Google, Facebook and Twitter.1 The Inquiry, constituted in 2017 by then-Treasurer Scott Morrison, was directed at investigating the ‘impact of digital search engines, social media platforms and other digital content aggregation platforms … on the state of competition in media and advertising service markets’ as well as the ‘impact of [the] information asymmetry between platform service providers, advertisers and consumers’.2


The ACCC, as part of both its Final Report and Preliminary Report (issued in July 2019 and December 2018, respectively), examined the relationship between digital platforms and consumers in great detail.3 One of the most prominent findings set out in the Preliminary Report was that privacy policies only provided ‘consumers with an opaque view of privacy and data protections while simultaneously outlining broad discretions for digital platforms to collect, use and disclose consumer data’, suggesting the existence of a significant information and power imbalance between the platform and consumers.4 The ACCC concluded its review of digital platforms in its Preliminary Report by publicly stating its intent to investigate whether Australian Consumer Law (‘ACL’) protections can apply to the collection, use and disclosure of personal information, and privacy policies.5 As part of the ACCC’s conclusions in its Final Report, it indicated that it was investigating several digital platforms for potential breaches of the ACL in connection with their data collection and handling practices.6

Traditional approach to data

When considering the regulation of personal information and data, most would think of the Privacy Act 1988 and the Australian Privacy Principles (‘APPs’) therein. The APPs are detailed and cover the lifecycle of personal information held by an organisation.7 Despite being perceived as comprehensive, the APPs and the Privacy Act have limitations. The APPs only apply to ‘personal information’ (information or opinions that are about an individual)8 and, subject to limited exceptions, the APPs only apply to businesses with an annual turnover greater than $3 million.9 The enforcement procedures under the Privacy Act are also somewhat limited, with individuals required to undertake a specific dispute resolution process with no immediate recourse to courts in the case of an alleged breach of the APPs. Many of these limitations were recognised by the previous Federal Government as part of an ongoing review of the Privacy Act.

Across the Pacific

Unlike Australia, the United States does not have nationally consistent laws applicable to all consumer data. Individual statutory regimes apply to certain types of personal information (such as the Health Insurance Portability and Accountability Act’s (commonly known as “HIPAA”) application to health information)10 and many states have their own laws applicable to personal information (such as the Californian Consumer Privacy Act).11 Despite this, the Federal Trade Commission (“FTC”) regularly brings successful actions against large corporations (including Facebook, Google and Uber) for their data and personal information related practices.

How does the FTC bring these actions? Title 15 of the United States Code provides for consumer protection in the United States.12 The FTC is empowered by the United States Code to enforce and police consumer protection and anti-trust legislation.13 One of the FTC’s powers is the ability to bring actions against entities that are engaged in ‘unfair or deceptive acts or practices in or affecting commerce’.14 Since the mid-1990s, the FTC has acted as a privacy and data security enforcement body using this consumer-focused power. There is no express legislation that empowers the FTC to act in respect of data matters, but the United States 3rd Circuit Court of Appeals upheld a decision of a lower court that permitted the FTC to pursue companies for allegedly deceiving consumers in respect of privacy practices.15

As mentioned above, the FTC has successfully pursued several major technology companies in connection with these data practices. In most instances, FTC matters are resolved prior to court proceedings commencing. In 2018, the FTC brought an action against Uber Technologies Inc (‘Uber’), alleging that Uber had misled customers as to its data security practices on multiple occasions.16 Uber’s servers were breached on two separate occasions in 2014 and 2016. This saw high volumes of consumer data accessed by unauthorised persons. The data breaches were associated with administrator credentials being found on public forums. Prior to the data breaches taking place, Uber had made public statements testifying to its use of ‘the most up to date technology and services to ensure that’ consumer data is protected, that Uber is ‘extra vigilant in protecting all private and personal information’, and that data is ‘kept secure and encrypted to the highest security standards available.’17 Despite these statements, the FTC alleged that there was no information security program in place, personal information was stored in ‘clear, readable text’ instead of an encrypted form, and a number of common data security practices were not complied with.18

Another notable FTC proceeding saw Facebook pay a fine of US$5 billion for contraventions of a previous FTC order related to deceptive conduct in the use and handling of personal information.

The proceeding and fine arose out of the events involving the use of Facebook data and the now-defunct business, Cambridge Analytica.19 The Australian proceedings arising out of the same circumstances are still before the Federal Court.20

At the core of these proceedings (and dozens more like them) were allegations that something a business did, said or represented in connection with its data handling processes was liable to deceive an individual. It is also worth noting that the FTC uses its ability to bring actions for ‘unfair conduct’ – a cause of action the ACCC has previously argued for.21

The Consumer Law and Data

Recent events have seen the role of the ACCC with respect to data rapidly expanded. The introduction of the Consumer Data Right (“CDR”) into the Competition and Consumer Act in 2018 saw the ACCC take the role as the lead agency for the regime (supported by the Office of the Australian Information Commissioner and the CSIRO’s Data61) and its introduction to the banking sector (with other sectors to follow in the future).22

Since the conclusion of the Digital Platforms Inquiry, the ACCC has commenced proceedings against both Google and Facebook (now, Meta Platforms) for misleading or deceptive conduct in connection with the representations connected to data collection and handling.

In April 2021, the Federal Court delivered a judgment finding that Google had contravened ss 18, 29 and 34 of the ACL in connection with representations related to the collection of location information on Android phones.23 By way of summary, the Federal Court found that the settings and options presented to users on Android phones misrepresented the extent to which location information was being collected by the phone and ultimately Google. This led to the conclusion that Google had misled consumers as to the extent of the personal information the tech giant was collecting. The Federal Court imposed a $60 million penalty for this conduct earlier this year.24

In 2020, the ACCC also commenced proceedings against Google for allegedly misleading consumers to obtain consent for the collection and aggregation of personal information, and against Facebook for allegedly misleading or deceptive conduct associated with how information would be protected on its Onavo application – a VPN service. Both matters are still before the Federal Court.25

In the three instances discussed above, many would typically only consider risks under the Privacy Act and APPs, not the potential application of the ACL and concepts such as misleading or deceptive conduct (despite their somewhat natural application). The recent steps into the realm of data collection and processing by the ACCC, much like how the FTC has acted in this space for some time, appear to be natural and significant. The recent proceedings reflect a need for organisations to take their privacy compliance programs seriously – there is the need for a privacy policy to be in place as required by the Privacy Act, but it is just as important to ensure that the policy accurately and genuinely reflects the business’ practices in connection with handling of information. It appears that when it comes to data, the Privacy Act will continue to govern collection, use, handling, storage and deletion, but consumer law will play a role in ensuring what is said about these steps is correct and reflective of actual practices.

Endnotes

1 Australian Competition and Consumer Commission, Digital Platforms Inquiry: Final Report (June 2019) (“Final Report”).
2 Ministerial Direction from Treasurer to Mr Rod Sims (Chair, ACCC), 4 December 2017 <https://www.accc.gov.au/system/files/Ministerial%20direction.pdf>.
3 Final Report, see ‘Chapter 7 Digital Platforms and Consumers’; Australian Competition and Consumer Commission, Digital Platforms Inquiry: Preliminary Report (December 2018) (“Preliminary Report”), see ‘Chapter 5: Digital Platforms and Consumers’.
4 Preliminary Report, 204.
5 Preliminary Report, 239.
6 Final Report, 501.
7 Privacy Act 1988 (Cth) sch 1.
8 See, e.g. Privacy Commissioner v Telstra Corporation Ltd (2017) 249 FCR 24; Attorney-General’s Department, Privacy Act Review: Discussion Paper, Australian Government (October 2021), 21 – 29.
9 Privacy Act 1988 (Cth) ss 6C – 6EA.
10 Health Insurance Portability and Accountability Act of 1996, Pub L No 104-191, 110 Stat 1936.
11 Californian Consumer Privacy Act of 2018, 2018 Cal Stat ch 55 (A.B. 375).
12 15 USC (2022); Federal Trade Commission, ‘About the FTC’ <https://www.ftc.gov/about-ftc>.
13 15(2) USC §§ 41, 45 (2022).
14 15(2) USC § 45(a) (2022).
15 Federal Trade Commission v Wyndham Worldwide Corporation 799 F 3d 236 (3rd Cir, 2015).
16 In the Matter of Uber Technologies, Inc: Complaint, FTC Matter 152 3054 (25 October 2018) <https://www.ftc.gov/system/files/documents/cases/152_3054_c-4662_uber_technologies_revised_complaint.pdf>.
17 In the Matter of Uber Technologies, Inc: Complaint, [17].
18 In the Matter of Uber Technologies, Inc: Complaint, [18]; The Australian Information Commissioner reached a decision on the same facts in 2021: Commissioner Initiated Investigation into Uber Technologies, Inc. & Uber B.V. (Privacy) [2021] AICmr 34.
19 Federal Trade Commission, “FTC Imposes $5 Billion Penalty and Sweeping New Privacy Restrictions on Facebook” (Media Release, 24 July 2019) <https://www.ftc.gov/news-events/news/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions-facebook>.
20 See, Australian Information Commissioner v Facebook Inc, Federal Court of Australia (NSD246/2020).
21 See, Final Report, 498 – 501.
22 See generally, Competition and Consumer Act 2010 (Cth) pt IVD.
23 Australian Competition and Consumer Commission v Google LLC (No 2) (2021) 391 ALR 346.
24 Australian Competition and Consumer Commission v Google LLC (No 4) [2022] FCA 942.
25 See, Australian Information Commissioner v Google LLC, Federal Court of Australia (NSD816/2020); Australian Information Commissioner v Meta Platform Inc., Federal Court of Australia (NSD246/2020).
