Out-Law News | 23 Apr 2013 | 12:35 pm
The Hamburg Commissioner for Data Protection and Freedom of Information, Johannes Caspar, imposed the penalty on the internet giant after it was revealed that Google's Street View cars captured personal data including emails and passwords from open WiFi networks in the vicinity of the vehicles from 2008 until 2010.
The data protection authority said Google had "negligently and without authorisation, captured and stored personal data" but that the company had now deleted the information it had collected.
"In my estimation this is one of the most serious cases of violation of data protection regulations that have come to light so far. Google did cooperate in the clarification thereof and publicly admitted having behaved incorrectly," Caspar said in a statement issued by his office. "It had never been the intention to store personal data, Google said. But the fact that this nevertheless happened over such a long period of time and to the wide extent established by us allows only one conclusion: that the company internal control mechanisms failed seriously."
Caspar said, though, that the ability to deter multinational companies from breaching data protection laws was hampered by "totally inadequate" sanctions available to regulators.
"As long as violations of data protection laws are punishable by discount rates, the enforcement of data protection laws in a digital world with its high potential for abuse will be all but impossible," Caspar said. "The regulation currently being discussed in the context of the future European General Data Protection Regulation, whereby a maximum fine of 2% of a company’s annual turnover is provided for, would, on the other hand, enable violations of data protection laws to be punished in a manner that would be felt economically."
The European Commission published plans for a new General Data Protection Regulation last year, and the proposals have since been the subject of widespread scrutiny and attention across the trading bloc. The Regulation, if introduced as drafted, would allow regulators to impose fines at levels linked to the infringing firms' turnover.
In the UK, the Information Commissioner – who is himself currently investigating the Google Street View case in the context of UK data protection laws – has the power to impose a maximum penalty of £500,000 against firms that are guilty of a serious breach of the Data Protection Act.
Munich-based data protection law expert Stephan Appt of Pinsent Masons, the law firm behind Out-Law.com, said that data protection laws in Germany provide for a general cap of €300,000 for serious breaches of the German Data Protection Act, but that there are circumstances where heavier penalties could be levied.
"Caspar complains about having insufficient means of enforcement due to the fact that the German Data Protection Act (GDPA) provides for sanctions that seem too low in order to be dissuasive to multinationals," Appt said. "The truth is that the GDPA actually gives the authorities the power to impose even higher sanctions than the relative maximum amount of €300k in cases where the infringer’s benefit from the privacy breach is higher than this maximum amount."
"In cases like with Google, however, this might have been a problem as it probably could not be established that Google actually used the data let alone obtained any economic gain from the incriminated data breach," he said.
Appt said it was "understandable" that Caspar would look forward to the possibility of more 'effective ... and dissuasive' sanctions being available under a new EU Data Protection Regulation. However, he said that data protection authorities (DPAs) across the trading bloc could face "challenges" in issuing sanctions over data breaches under the framework as currently proposed.
"One example: the draft Regulation provides for a sanction of up to 2% of the annual worldwide turnover in cases where a data controller fails to observe the principles of 'privacy by design' and 'privacy by default' when engineering products or services," Appt said. "The underlying provisions in the Regulation, however, seem to be extremely abstract and imprecise, which in the individual case might make it very difficult for DPAs to establish that there has been a failure to comply with those requirements and, thus, actually inhibit their ability to impose fines."