While using its vehicles to film streets for its Street View service, Google also covertly (and accidentally, it says) harvested WiFi information. “As was admitted by Google in response to an inquiry from the Commissioner for Data Protection, content data of unencrypted Wifi connections had also been recorded in the course of this activity”, says the statement.
An initial criminal investigation by Hamburg’s department of public prosecutions was dropped in November 2012 because of a lack of evidence for any specific criminal activity. The regulator “thereupon took up the matter once again in the context of regulatory offense proceedings. These proceedings have now been brought to a conclusion with the legally binding decision that Google Inc. had, negligently and without authorization, captured and stored personal data.”
The maximum possible fine could have been €300,000 had the regulator decided that it had been an intentional breech. He seems to have accepted Google’s claim of ‘accidental’, and levied a fine close to the maximum possible €150,000 for ‘negligence.’
Nevertheless, his statement concludes with a strong endorsement for the proposed new EU General Data Protection Regulation: “For multi-national companies, fines of up to 150,000 Euros for negligent and of up to 300,000 Euros for intentional breaches are unlikely, as a general rule, to have a deterring effect. Regulator Johannes Caspar said, ‘As long as violations of data protection laws are punishable by discount rates, the enforcement of data protection laws in a digital world with its high potential for abuse will be all but impossible. The regulation currently being discussed in the context of the future European General Data Protection Regulation, whereby a maximum fine of 2% of a company’s annual turnover is provided for, would, on the other hand, enable violations of data protection laws to be punished in a manner that would be felt economically’.”
This is in stark contrast to the view from the UK, where the information commissioner levied no fine for the same offense, merely instructing Google to delete all gathered information, and not collect any more. Moreover, the UK is pressing for the Regulation to be issued as a Directive (the former must be implemented as is, while the latter can be implemented by each member state in spirit rather than word). The UK believes that individual countries should be allowed to levy fines they set themselves, rather than be forced into a European standard.