Privacy erosion by design: why the Federal Court should throw the book at Google over location data tracking – The Conversation AU

The Australian Competition and Consumer Commission has had a significant win against Google. The Federal Court found Google misled some Android users about how to disable personal location tracking.

Will this decision actually change the behaviour of the big tech companies? The answer will depend on the size of the penalty awarded in response to the misconduct.

In theory, the penalty is A$1.1 million per contravention. There is a contravention each time a reasonable person in the relevant class is misled. So the total award could, in theory, amount to many millions of dollars.

But the actual penalty will depend on how the court characterises the misconduct. We believe Googles behaviour should not be treated as a simple accident, and the Federal Court should issue a heavy fine to deter Google and other companies from behaving this way in future.

The case arose from the representations made by Google to users of Android phones in 2018 about how it obtained personal location data.

The Federal Court held Google had misled some consumers by representing that having Web & App Activity turned on would not allow Google to obtain, retain and use personal data about the users location.

In other words, some consumers were misled into thinking they could control Googles location data collection practices by switching off Location History, whereas Web & App Activity also needed to be disabled to provide this protection.

Read more: The ACCC is suing Google for misleading millions. But calling it out is easier than fixing it

The ACCC also argued consumers reading Googles privacy statement would be misled into thinking personal data was collected for their own benefit rather than Googles. However, the court dismissed this argument on the grounds that reasonable users wanting to turn the Location History off

would have assumed that Google was obtaining as much commercial advantage as it could from use of the users personal location data.

This is surprising and might deserve further attention from regulators concerned to protect consumers from corporations data harvesting for profit.

The penalty and other enforcement orders against Google will be made at a later date.

The aim of the penalty is to deter Google specifically, and other firms like Google, from engaging in misleading conduct again. If penalties are too low they may be treated by wrongdoing firms as merely a cost of doing business.

However, in circumstances where there is a high degree of corporate culpability, the Federal Court has shown willingness to award higher amounts than in the past. This has occurred even where the regulator has not sought higher penalties. In the recent Volkswagen Aktiengesellschaft v ACCC judgement, the full Federal Court confirmed an award of A$125 million against Volkswagen for making false representations about compliance with Australian diesel emissions standards.

In setting Googles penalty, a court will consider factors such as the nature and extent of the misleading conduct and any loss to consumers. The court will also take into account whether the wrongdoer was involved in deliberate, covert or reckless conduct, as opposed to negligence or carelessness.

At this point, Google may well argue that only some consumers were misled, that it was possible for consumers to be informed if they read more about Googles privacy policies, that it was only one slip-up, and that its contravention of the law was unintentional. These might seem to reduce the seriousness or at least the moral culpability of the offence.

But we argue they should not unduly cap the penalty awarded. Googles conduct may not appear as egregious and deliberately deceptive as the Volkswagen case.

But equally Google is a massively profitable company that makes its money precisely from obtaining, sorting and using its users personal data. We think therefore the court should look at the number of Android users potentially affected by the misleading conduct and Googles responsibility for its own choice architecture, and work from there.

The Federal Court acknowledged not all consumers would be misled by Googles representations. The court accepted many consumers would simply accept the privacy terms without reviewing them, an outcome consistent with the so-called privacy paradox. Others would review the terms and click through to more information about the options for limiting Googles use of personal data to discover the scope of what was collected under the Web & App Activity default.

Read more: The privacy paradox: we claim we care about our data, so why don't our actions match?

This might sound like the court was condoning consumers carelessness. In fact the court made use of insights from economists about the behavioural biases of consumers in making decisions.

Consumers have limited time to read legal terms and limited ability to understand the future risks arising from those terms. Thus, if consumers are concerned about privacy they might try to limit data collection by selecting various options, but are unlikely to be able to read and understand privacy legalese like a trained lawyer or with the background understanding of a data scientist.

If one option is labelled Location History, it is entirely rational for everyday consumers to assume turning it off limits location data collection by Google.

The number of consumers misled by Googles representations will be difficult to assess. But even if a small proportion of Android users were misled, that will be a very large number of people.

There was evidence before the Federal Court that, after press reports of the tracking problem, the number of consumers switching off the Web option increased by 500%. Moreover, Google makes considerable profit from the large amounts of personal data it gathers and retains, and profit is important when it comes deterrence.

It has also been revealed that some employees at Google were not aware of the problem until an expos in the press. An urgent meeting was held, referred to internally as the Oh Shit meeting.

The individual Google employees at the Oh Shit meeting may not have been aware of the details of the system. But that is not the point.

It is the company fault that is the question. And a companys culpability is not just determined by what some executive or senior employee knew or didnt know about its processes. Googles corporate mindset is manifested or revealed in the systems it designs and puts in place.

Read more: Inducing choice paralysis: how retailers bury customers in an avalanche of options

Google designed the information system that faced consumers trying to manage their privacy settings. This kind of system design is sometimes referred to as choice architecture.

Here the choices offered to consumers steered them away from opting out of Google collecting, retaining and using personal location data.

The Other Options (for privacy) information failed to refer to the fact that location tracking was carried out via other processes beyond the one labelled Location History. Plus, the default option for Web & App Activity (which included location tracking) was set as on.

This privacy eroding system arose via the design of the choice architecture. It therefore warrants a serious penalty.

Read the original here:

Privacy erosion by design: why the Federal Court should throw the book at Google over location data tracking - The Conversation AU