(Apr. 27, 2011) On April 19, 2011, the Dutch Data Protection Authority (College bescherming persoonsgegevens, CBP) issued several administrative orders for incremental penalty payments against Google Inc. and Google Netherlands BV, to be applied unless they take certain actions in connection with their collection of wireless Internet data for Street View mapping. Failure to comply with the orders could result in fines of up to €1 million (about US$1.46 million). (Julian Hale, Google WiFi Collection Violated Dutch Law, DPA Says, Fines of Up to €1 Million Possible, 78 PRIVACY LAW WATCH (Apr. 22, 2011), Bureau of National Affairs online subscription database; Press Release [informal English translation], CBP, Dutch DPA Issues Several Administrative Orders Against Google (Apr. 19, 2011).)
According to a CBP investigation, for a period of over two years (March 2008-May 2010), Google “systematically, and without the data subjects' knowledge, collected MAC [media access control] addresses of more than 3,6 million WiFi routers, whether it was encrypted or not, in combination with the calculated location of those routers,” by means of its “Street View cars,” which are photographic image collection vehicles. Those addresses and calculated locations, the CBP states, “qualify, in this context, as personal data, because the collected data provide information about the WiFi router's owners.” In addition, the CBP found, Google used the Street View cars to collect “payload data,” Internet communications content comprising personal data such as e-mail addresses, medical data, and financial transaction information. (Press Release, supra.) Google had revealed in May 2010 that it had collected WiFi location and content data from over 30 countries through the use of its Street View cars. (Hale, supra.)
The CBP stated that Google contravened the Dutch Privacy Act (Wet Bescherming Persoonsgegevens) by collecting the WiFi router location and owner data and the content of messages sent over unsecured WiFi systems. Even though Google has stopped using the Street View cars to collect the WiFi data, “it still collects new data on WiFi routers every day via the users of its geolocation service,” according to the statement. Furthermore, “Google has acted unlawfully by collecting the contents of communication from unencrypted WiFi networks.” According to the CBP, the collected data flow “contained multiple personal data” traceable to individuals and originating from e-mail contents and from Internet surfing and chatting. (Press Release, supra.)
The CBP has given Google three months to inform offline as well as online data subjects about the data collection from WiFi routers by the Street View cars and, within the same timeframe, to offer the subjects an online opportunity to opt-out from the database so that their WiFi router locations will be removed. The CBP gave Google four weeks to destroy the payload data it has collected in the Netherlands. (Id.) Should the CBP take steps to impose the fines, Google would have the right to lodge a court appeal challenging such action.
Although data protection agencies in a number of countries have ordered Google to take remedial actions to protect privacy and data security in connection with its collection of Street View data, most have reportedly not imposed fines. France and Spain are exceptions, however. On March 21, 2011, the French data protection authority “issued its largest privacy enforcement financial penalty to date—€100,000 ($145,851)—… the first financial sanction levied anywhere in the world against Google over its Street View WiFi collection”; its Spanish counterpart has launched enforcement proceedings that could potentially result in financial penalties of more than US$3 million against the Internet giant. (Hale, supra, with links to other relevant PRIVACY LAW WATCH articles; see also Nicole Atwill, France: Google Fined by National Commission on Information Technology and Liberty, GLOBAL LEGAL MONITOR (Mar. 25, 2011).)