The court found the company Google had misled privacy-conscious Australians into thinking it wasn’t collecting personal data about their location.
Friday’s ruling has been described as a world first by the chairman of the Australian Competition and Consumer Commission, which sued the search and advertising giant.
“We think today’s result sends a very clear message to the digital platforms that they have to be upfront with consumers about what is actually happening with their data, how it is being used and how consumers can protect their data,” ACCC chair Rod Sims told reporters.
“These are fundamental issues for Australians going forward in this future digital economy.”
Google says it has improved its privacy controls and there was no allegation it had breached the Australian privacy act.
“The court rejected many of the ACCC’s broad claims,” a spokesman said.
“We disagree with the remaining findings and are currently reviewing our options, including a possible appeal.”
Google had argued it made it clear to users setting up a Google account that the company would still collect and use location data when location history was “off”, Web & App Activity was “on” and one of its apps was used.
Users asked to agree or disagree to “Privacy and Terms” about the use and storage of their data were offered a third option for “More Options”.
That option allowed them to toggle on and off location history, web and app activity and other data collection.
But Federal Court Justice Thomas Thawley said the warnings shown with the toggles weren’t as clear as Google would have it.
Some users would have reached the correct conclusion but others, even after going beyond default warnings, would have concluded the tech giant wasn’t using their location data when location history was off.
“True it is that, after a careful examination of the content of both screens, the conclusions Google urged might be reached,” the judge said.
“That is not the issue. The screens were read by users setting up the device.
“Such users, even ones with heightened privacy concerns, would not re-read screens with the kind of careful attention that has been necessary in considering the various arguments put by the parties.”
Justice Thawley said many reasonable, privacy-conscious users would have concluded Google still obtained location data when location history was off and a user was using an app such as Maps.
But those users would have reasonably thought the location data was being obtained on a “once-off” basis and not being retained or subsequently used, he found.
Google’s conduct was found to have misled or likely misled some reasonable users.
The number of such users did not matter for the purposes of establishing the breaches, the judge said.
Google faces a maximum fine of $1.1 million per breach.
But what constituted a breach and how many breaches occurred is yet to be determined.
“(The fine) can be large, it certainly will be in the many millions, but quite how big it is something we have to think about and convince the court of,” Sims said.
The court last year heard senior Google employees held an urgent meeting in 2018 – dubbed internally as the “Oh S***” meeting – after Associated Press published an article explaining Google’s collection of location data through the web and app activity option.
The article also led rank-and-file employees to raise concerns they’d not been aware of the connection, and a 500-per-cent increase in users disabling both location history and web and app activity.
But Thawley placed no reliance on the evidence, saying it wasn’t clear the settings referenced in the article and the internal documents were the same as those in the Australian case.