At a glance:
In this article, we explore the insurance implications to tech companies following the ACCC's action against Google.
The potential consequences for organisations that misuse their customer data.
The importance of a tailored insurance program for data-led organisations.
Data utilisation and risk impacts
Google's $60m fine resulting from action brought by the ACCC (Australia’s competition and consumer watchdog) is an important lesson for the Tech Sector in the collection and use of customer data, and the consequences if not collected lawfully.
What happened?
The issue began in January 2017 when Google continued tracking some of its users' Android phones even though they had disabled "Location History" in the device's settings.
While customers were misled into thinking that setting would disable location tracking, another account setting turned on by default and named "Web & App Activity" enabled the company "to collect, store and use personally identifiable location data."
This continued until Google “fixed” the tracking through a software update to its Android operating system in December 2018.
The Federal Court Decision
The ACCC estimated that some 1.3 million users in Australia may have been impacted, and as such Google was found by the Federal Court to have breached consumer law.
The Federal Court ordered Google to pay a $60m penalty for collecting Android location data without user consent, following court action brought by the ACCC, in one of the largest ever penalties in corporate Australian history.
ACCC Chair Gina Cass-Gottlieb commented: “Personal location data is sensitive and important to some consumers, and some of the users who saw the representations may have made different choices about the collection, storage and use of their location data if the misleading representations had not been made by Google.”
Implications of the decision
Paraphrasing the ACCC chair, broadly speaking, the significant penalty sends a strong message to digital platforms and the Tech Sector.
From an insurance standpoint, the case highlights two areas:
Appropriately implemented Professional Indemnity, Statutory Liability, D&O and Cyber cover can assist in defending regulatory matters, like matters from the ACCC. It is important, however, that these policies are aligned to cover off regulatory exposures and that there are no gaps in a program where an investigation or proceeding could “fall through”.
The insurability of fines and penalties, and associated legal costs, remains contentious. Insurance policies that broadly provide cover for fines and penalties have been available in Australia for some time. However, to the extent those policies extend to pecuniary or criminal penalties, the legality of these policies has always been uncertain, with a view that a policy that provides an indemnity for a pecuniary/criminal penalty is void and unenforceable for being against public policy.
However, there have been no specific cases addressing this, so these policies have been able to exist as they have been offered by insurers and not challenged by the beneficiaries of the policy.
Regulator focus
This is the first public enforcement outcome arising out of the ACCC’s Digital Platforms Inquiry. The ACCC has clearly stated that Tech Sector organisations, large and small, must not mislead consumers about how data is being collected and used.
The sector can expect continued and increased focus from the ACCC (and other regulators) in this space. In delivering innovative solutions and meeting business/consumer needs the sector must always be conscious about crossing legal and moral lines.
Key takeaways
2022 re-affirmed an ongoing and increased want by consumers and business to utilise technology for convenience and efficiencies. This want and reliance on technology, however, should not be taken advantage of, and should always be measured in respecting consumer/customer rights.
In delivering products and services – especially those that are data driven – an appropriately tailored insurance program can provide protection to organisations facing regulatory action, covering (often significant) legal costs and potentially fines and penalties.
Understanding of these risks, the services/products delivered and the construction of an appropriate insurance program requires advice from a Technology specialist. Lockton's Cyber & Technology Practice specialises in risk management advice and insurance placements specific to the Tech Sector.