By Andrea Ward and Paul Van den Bulck
The data protection laws in all 27 European member states derive from one directive—the European Data Protection Directive 95/46/EC—which is implemented in each country by its own national legislation and enforced by national or, as in Germany, regional data protection authorities (DPAs). Since the directive leaves a margin of freedom to the member state concerning its implementation, there are obvious disparities in the DPAs’ approach, and this is particularly evident when it comes to enforcement.
In certain countries, for example France and the UK, the DPA may itself impose fines; in others, for example Belgium, the DPA conducts the inquiry and then transmits the matter to the prosecutor's office, which decides whether to submit the case to court.
The same or similar facts may involve multiple jurisdictions. Indeed, when the data controller, for purposes of processing personal data, makes use of equipment situated in the territory of a member state, the national law of that member state is applicable regardless of where the data controller is established. It is also possible that a data controller makes use of equipment situated in several member states. In this case, the data controller must ensure that it complies with the country-specific requirements of each member state. That said, the same or similar facts, arising from the use of such equipment, may lead to different interpretations of the facts and different levels of fine, depending on the national DPA concerned. The Google Street View case is a good example.
Google Street View Cases in Europe
Google, Inc., has faced a number of data protection cases over the last few years due to its collection of personal data in different member states for its Google Street View service. Indeed, from 2008 until 2010, Google not only took pictures via its Google cars—the equipment situated on the territory of the different member states—for its Google Street View services, but at the same time collected data from unencrypted Wi-Fi connections as well as other personal data, for example, data relating to the identification of Wi-Fi networks and the addresses of Wi-Fi routers.
The most recent fine against Google was imposed in April 2013 by the Hamburg DPA (Hamburgische Beauftragte für Datenschutz und Informationsfreiheit). The fine of €145,000 follows the finding that Google had “negligently and without authorisation” captured and stored personal data transmitted by unsecured Wi-Fi networks within range of the Google cars. Hamburg Data Protection Commissioner Johannes Caspar called the case “one of the most serious cases of violation of data protection regulations that have come to light so far.” Although Google had never intended to store the data—and even stated that it “never wanted this data, and didn’t use it or even look at it”—the fact that this happened over such an extensive period of time, from 2008 to 2010, and over such a wide geographic area, allowed the commissioner only one conclusion: that Google’s internal control mechanisms had seriously failed.
In Germany, the Federal Data Protection Act, which is enforced by the German regional DPAs, permits fines of up to €150,000 for negligent breaches and €300,000 for intentional breaches—which this was not. The fine imposed on Google by the Hamburg DPA is, however, not the highest fine imposed to date by this DPA. The highest was a €200,000 fine imposed against Hamburger Sparkasse, a bank, for having granted external agents access to the account information of its clients without having obtained their consent.
Belgium and France
The Hamburg DPA’s decision follows other similar proceedings against Google in Belgium and France. The Belgian prosecutor, after a report from the Belgian DPA (Commission de la Protection de la Vie Privée), settled the matter for €150,000. The French DPA (Commission Nationale de l'Informatique et des Libertés) imposed a fine of €100,000 and the publication of the decision on its website. Since Google's bad faith was not established, the French DPA did not, however, order the publication of the decision via the press.
In Belgium, the processing of personal data in breach of the regulation may constitute a criminal offence, and fines may reach a maximum of €550,000. The Google case is the highest settlement in Belgium to date, and it appears that Google accepted this settlement for fear of a higher fine being imposed by the court. Thanks to this settlement, Google has also avoided all the publicity that would have accompanied a criminal trial.
In France, the DPA may impose penalties of up to €150,000 for a first infringement and €300,000 in the case of a second breach. The Google fine was the highest imposed to date by the French DPA.
In the UK, there was a different story. When the problems associated with the Street View data collection first came to light in July 2010 following a complaint by Privacy International, the ICO issued a statement acknowledging the intrusion and the “pay-load” data that Google had inadvertently collected, but found no cause for concern. At that time, the ICO felt it unlikely that Google would have captured significant amounts of personal data, but confirmed that it would remain vigilant and would review relevant findings and evidence from other European data protection authorities as their investigations continued.
However, the ICO reopened its investigation into Street View after it became apparent that other European regulators had found data protection infringements in the course of their investigations. In November 2010, the ICO concluded that there had been a “significant breach” of the DPA 1998, as the collection of data was neither fair nor lawful, breaching the first data protection principle. Rather than issuing a fine against Google, which could have been up to £500,000, the ICO announced that Google would be required to sign an undertaking to improve its data protection practices over a period of nine months and to delete the pay-load data it had collected. The undertaking also included promises that Google would provide better staff training and improve awareness of data protection issues. It also required Google to permit the ICO to audit its internal privacy structure, training programs and product reviews.
The ICO’s decision not to impose a monetary penalty in 2010 was the result of its assessment that it was more important to address the failings through education and improved practices than to impose fines, which would be limited, inadequate and without any real impact on the business.
Having signed an undertaking with the ICO, Google should have destroyed the pay-load data it collected as part of the Street View operation. Correspondence between Google and the ICO from July 2012 is available on the ICO website and reveals that Google apologised and confirmed that, when reviewing its handling of the data, it found that it still had some pay-load data from the UK and other countries and would be notifying the relevant authorities. Google stated that it wanted to delete the remaining UK data, but asked the ICO for instructions on how to proceed—whether the ICO wanted to view the data first, or whether Google could simply destroy it. The ICO replied that it did want to examine the contents of the remaining UK data and asked Google to store it securely until then. Viewed from other member states, the British outcome—even though rather pedagogic toward Google—appears very lenient, especially when taking into account the heavy fines usually imposed on data controllers from the public sector.
What About the Google Street View Case from the Other Side of the Atlantic?
In March 2013, Google entered into an “Assurance of Voluntary Compliance” with the attorneys general of 39 U.S. states, which, in addition to measures aimed at improving its privacy practices, also requires Google to pay $7 million to those 39 states. This “Assurance of Voluntary Compliance” thus combines both education and fines.
To comply with its assurances to the attorneys general, Google must implement a privacy program, delivered over six months, that includes regular employee training, CIPP qualifications, an annual Privacy Week and updated policies and procedures.
These requirements are all good practice recommendations that any data controller can learn from and should seek to implement, as far as possible, within the limits of its size and resources. However, from an EU perspective, the above requirements, even though they constitute good practice, are not sufficient for Google to be compliant in Europe.
The matter of enforcement and monetary penalties will continue to be a hot topic until such time as the new European Data Protection Regulation comes into force. Fines of €145,000 will look even smaller when the potential fine limit is raised to two percent of a company’s global annual turnover.
Paul Van den Bulck of McGuireWoods LLP focuses on legal issues concerning technology law, data privacy and security, intellectual property, media and entertainment, and fair trade practices. Paul also counsels clients on day-to-day IP and IT issues, provides strategic advice and manages IP and IT due diligence. He also manages large IP portfolios.
Andrea Ward is a senior associate in McGuireWoods' London, UK, office, where she advises clients on a wide variety of labor and employment matters with a specific focus on data protection and security. Ward focuses much of her practice examining the challenges for employers associated with social media and IT use in the workplace, including the boundaries of employee monitoring and privacy rights.