Google location-data probes show breadth of options for regulating Big Tech
13 November 2019, by Vesela Gladicheva
Google’s tangle with Australia’s consumer regulator over its use of location data — something dealt with by privacy regulators in most other jurisdictions — shows that when it comes to regulating tech giants, many paths can lead to the same destination.
Concerns about the reach and behavior of tech giants such as Google, Facebook and Amazon.com touch on questions of antitrust, data privacy and consumer rights. How these complaints are pursued appears to depend as much on the balance of power between regulators in a given country, as on the substance of the alleged abuse.
Google’s use of location data is a case in point. The company is facing complaints around the world that are similar in substance, but being pursued through different avenues. In Australia and Brazil, the consumer regulators are leading the charge. Elsewhere — in the EU, the US and South Korea — the investigations come under privacy law.
The most obvious reason for the differing approaches is the balance of regulatory power. Australia has punchy consumer laws but relatively weak privacy laws. The EU, by contrast, has rather weak consumer laws but stringent privacy legislation — the General Data Protection Regulation. In both cases, the regulator wielding the biggest stick has gone after Google.
The central claim is the same in each case: that Google misled users of its Android mobile operating system in the way it configured its “Location History” and “Web & App Activity” settings to collect data about their location.
The Australian Competition & Consumer Commission announced a lawsuit on Oct. 29, alleging that Google had breached the Australian Consumer Law since at least January 2017. The first case-management hearing will take place on Thursday in Sydney.
Information provided on Android users’ screens “misled consumers about the location data Google collected or used when certain Google Account settings were enabled or disabled,” the regulator said.
A recent revamp of Australia’s consumer laws means that judges can hand offenders fines of up to A$10 million (US$6.8 million), or three times the value of the benefit received, or 10 percent of the company’s Australian annual turnover — whichever is highest. That marks a significant increase from the previous cap of A$1.1 million.
The Office of the Australian Information Commissioner, the privacy watchdog, has taken a back seat, with its relatively weak enforcement powers under 1988 privacy rules still largely untested — though the consumer-law action doesn’t preclude a privacy action in the future.
The ACCC will need to demonstrate that Google's alleged privacy violation is the by-product of a consumer-law violation, rather than the central concern. The statement announcing its lawsuit barely mentions the terms “privacy” or “data protection.”
This approach reflects a similar route taken this year by Brazil, whose consumer-protection agency Senacon started investigating Google in August over a “possible improper capture of user data about geolocation.”
As in Australia, Brazil’s consumer law is stronger than its privacy law — at least until August next year, when new data-protection rules are due to take effect.
Elsewhere in the world, action over Google’s gathering of location data has been spearheaded by privacy watchdogs and has focused on alleged violations of data-protection laws.
In Europe, Google was originally investigated by Sweden's data-protection regulator earlier this year for potential breaches of the GDPR. That followed simultaneous, identical complaints from consumer organizations to several national privacy watchdogs in the EU.
In August, the Swedish watchdog transferred its case to the Irish Data Protection Commission, which is responsible for regulating cross-border cases involving Google under the GDPR's one-stop-shop mechanism. The Irish watchdog hasn't yet opened an investigation into Google.
As part of its analysis, the Irish DPC is considering the Swedish probe and the changes Google has made since January, the regulator told MLex. “This is being carried out with a view to helping the DPC to identify the most appropriate regulatory approach to take in order to bring this matter to a conclusion,” it said.
Elsewhere in Europe, Google is also facing a lawsuit in a Berlin court from the Federation of German Consumer Organizations for alleged breaches of the GDPR. They accuse Google of failing to obtain informed and specific consent from users on location services, as well as of lack of information about the extent of the intended use of location services.
Action against Google in the US is also under privacy laws.
The most prominent case is in California, where a private class-action lawsuit was filed at a federal court in August 2018.
The plaintiffs claim that, by continuing to collect location data even when consumers changed their settings, Google violated the California Invasion of Privacy Act, the state’s constitutional right to privacy, and consumers’ general expectation of privacy.
A hearing on Google’s motion to dismiss is scheduled for Nov. 21. If US District Judge Edward Davila denies Google’s motion, it would allow the case to move forward and put pressure on Google to settle the case or risk going to trial.
Google also faces an investigation in Arizona, where state Attorney General Mark Brnovich is looking into similar allegations. There has not yet been any litigation in that case.
In South Korea, too, the allegations against Google have found their home with the country’s privacy regulator. In November 2017, the Korea Communications Commission started examining claims that Google tracked the location of users of Android phones without their consent.
The case against Google there has moved slowly, and the regulator might drop the investigation if it fails to make progress. For now, MLex understands that the case is on hold but could be resurrected.