The Lessons of the "Street View" Imbroglio: Know What Data You Collect and Don't Collect Data You Don't Need
The unintended capture of personal data by Google Street View has resulted in a German Data Commissioner imposing a $189,000 fine on Google this Monday. As anyone who has used Google Maps at the street view level knows, Google Street View is a valuable service that captures roads, landscapes, landmarks, buildings—and other activity that happens to be taking place when the Google vehicle collecting the data takes its pictures. But privacy regulators were not happy with the fact that, from 2008 to 2010, the street view vehicles also picked up personal data, such as email addresses and passwords, sent over unsecured Wi-Fi networks as they traversed throughout the globe.
In Germany, after state prosecutors in Hamburg decided not to press charges against Google in November 2012 on this issue, the Hamburg Commissioner for Data Protection and Freedom of Information picked up the case and on Monday handed down a fine of $189,000 (€ 145,000). Google maintains that it did not look at or intend to collect the data, and that the company has taken steps against the occurrence of this kind of collection in the future. Accepting Google’s assertion that any violation was unintentional, the fine imposed was less than the maximum amount permitted for negligence-based violations, which is $195,000 (€ 150,000). However, it is notable that a proposal in the draft EU data protection regulation would give regulators the power to impose higher fines for violations of data protection law —up to 2 percent of a company’s annual sales—if enacted.
The Hamburg authorities were the first to raise the issue of the collection of the payload data collected by Google’s vehicles, which was then picked up in other jurisdictions. Last month, Google entered into an agreement with attorneys general from 38 U.S. states and the District of Columbia, agreeing to pay $7 million and launch a data-security education program both internally within the company and externally to the public in resolution of the joint investigation. As announced by the Connecticut Attorney General in connection with that agreement, Google stated that the collection was limited to fragmented data, that it has since removed the software from its Street View vehicles, and agreed not to collect any additional data by means of those vehicles without notice and consent.
Google’s proactive approach in working with regulators to resolve their concerns has created an outcome that preserves its Street View service, with minimum negative impact on the company, and a positive working relationship with regulators going forward. But the potential availability of enhanced fines for negligent data protection law violations means that in the future companies may pay a higher price for unintended data protection law violations.
All companies should take the following lessons from the Street View experience – know what data you are collecting and don’t collect more than you need, or you may be creating unnecessary exposure under data collection laws.