As spring blooms here in Canberra, it is a busy time in the privacy, data and information law space. We are very active in assisting our Australian Government clients successfully manage the transfer of responsibility for the storage and use of data following the machinery of government (MOG) changes, considering the application of the Data Availability and Transparency Act 2022 (Cth) for new data sharing projects. We have also been helping our clients ensure that privacy issues are properly considered during the preparation of new policy proposals and initiatives.

In addition, we are making sure to keep on top of some of the interesting developments that have been happening in this area of law. In this article, we discuss:

• a recent settlement between the Australian Competition and Consumer Commission (ACCC) and Google LLC (Google) following Google’s breach of the Australian Consumer Law for misleading consumers about the handling of their personal information;

• the Office of the Australian Information Commissioner’s (OAIC’s) investigation of TikTok’s information handling practices; and

• a recent Victorian Civil and Administrative Tribunal (VCAT) decision about whether an IP address is ‘personal information’ about an individual.

Settlement between the ACCC and Google

Key takeaways:

• In Australian Competition and Consumer Commission v Google LLC (No 2) [2021] FCA 367 (ACCC v Google), the Federal Court found that Google had breached the Australian Consumer Law by misleading consumers into believing that if the ‘Location History’ setting on their Android device was ‘turned off’, their location data would not be collected and used by Google, noting that the reality was that even if the setting was ‘turned off’, Google could collect and use location data collected through the ‘Web & App Activity’ setting. In other words, the Federal Court found that Google had misled consumers about the collection and use of their personal information.

• The Federal Court has now ordered that Google must pay $60 million in penalties for making misleading representations to consumers about the collection and use of their personal information. The penalty is considerable and it has been reported that the parties agreed that the amount is ‘fair and reasonable’. Importantly, this is the first public enforcement outcome arising out of the ACCC’s Digital Platforms Inquiry.

• ACCC v Google is an important reminder about the need for entities to ensure that they are clearly and unambiguously advising individuals about how their personal information will be handled. This can be achieved by entities undertaking a privacy impact assessment (PIA) to ensure that they understand how personal information will be collected, used and disclosed, and ensuring that guidance provided to individuals (e.g. privacy policies, collection notices and terms and conditions of use) accurately and unambiguously reflects how personal information is handled.

Please contact us if you would like to discuss conducting a PIA process, or if you would otherwise like assistance with ensuring that your guidance material is accurate and unambiguous.

The OAIC's investigation of TikTok

Key takeaways:

• A Canberra-based tech company, Internet 2.0, recently released a report that sets out a technical analysis of the source code of TikTok mobile applications (Report). The Report has concluded that ‘the TikTok mobile application does not prioritise privacy. Permissions and device information collection are overly intrusive and not necessary for the application to function’.

• The Report states that TikTok, amongst other things:
  • checks the device location of at least once per hour;
  • has persistent access to the calendar of a device;
  • has access to contacts on a device and, if the user denies access, it continuously requests access until such access is given; and
  • collects a range of device information.

• It has been reported that Home Affairs Minister Clare O'Neil has ordered her department to investigate the harvesting of data by TikTok.

• The OAIC is also investigating the matter, noting that it has stated ‘We are considering privacy concerns raised in the Internet 2.0 report in line with our regular action policy. The OAIC has also noted that ‘in regards to consent, individuals need to be provided with genuine choices around how their personal information will be handled, and those choices need to be inherently fair. Members of the public should also review their privacy settings regularly’.

• The OAIC’s investigation into TikTok is a timely reminder for entities to ensure that they are obtaining informed, voluntary, current and specific consent from individuals that have the capacity to understand and communicate their consent. It also serves as a reminder for entities to ensure that they understand how their digital products function, and the types of personal information that can be collected via such products.

Please contact us if you would like to discuss conducting a PIA process to ensure that you understand how your agency is handling, or is proposing to handle, personal information, or if you would otherwise like assistance with ensuring that your agency is obtaining appropriate consent from individuals for the collection and subsequent handling of personal information.

VCAT decision about whether IP addresses are 'personal information'

Key takeaways:

• Section 3 of the Privacy and Data Protection Act 2014 (VIC) (Victorian Privacy Act) defines ‘personal information’, as follows:

'personal information means information or an opinion (including information or an opinion forming part of a database), that is recorded in any form and whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion, but does not include information of a kind to which the Health Records Act 2001 applies’

• In the recent case of GMW v Victoria Legal Aid (Human Rights) [2022] VCAT 922 (GMV), VCAT has considered whether an IP address constitutes personal information for the purposes of the Victorian Privacy Act.

• In GMV, Member A Smith held that:

‘an IP address, in these circumstances, does not constitute personal information about GMW but information about his ISP or possibly (but unlikely) his device. I do not consider that the IP address recorded by the chat Service and included in the FOI version of the transcript could constitute personal information. It is, instead, information about an ISP or a device’ (at [42])

• Member A Smith reflected that this decision had been reached on the basis that:

• an IP address attaches to a device, or an Internet Service Provider (ISP), rather than the user – therefore, an IP address is not ‘about an individual’; and
• ‘the fact that in very specific circumstances and with forensic matching and sophisticated algorithms a device belonging to an individual or an ISP can be located using an IP address does not make the process or information ‘reasonably ascertainable’ such as to qualify that information as personal information’ (at [39]).
• GMV is a thought-provoking matter, particularly in light of the current review of the Privacy Act 1998 (Cth) (Privacy Act). This is because, as noted in the Privacy Act Review Discussion Paper (October 2021), a key recommendation arising out of the ACCC’s Digital Platform Inquiry (see Recommendation 16(a) of the Digital Platforms Inquiry Final Report (June 2019)) is that the definition of ‘personal information’ in section 6 of the Privacy Act be updated to ‘clarify that it captures technical data such as IP addresses, device identifiers, location data, and any other online identifiers that may be used to identify an individual’
  
  
• In light of the Privacy Act review, it is important for entities to be considering their collection of technical data such as IP addresses, and determining whether this information can or should be collected going forward.

Please contact us if you would like to discuss the potential reforms to the Privacy Act, or steps that you can take to ‘future-proof’ your agency’s collection and handling of IP addresses and other technical data.