Yesterday the Data Protection Agency in Hamburg, leading the charge for all German privacy enforcers, fined Google €145,000 just short of the maximum fine of €150,000 for illegally capturing and storing personal data. Google collected often sensitive personal information through its so-called Google-cars which drove around the streets of Europe and elsewhere to take pictures for its StreetView service. The head of the Hamburg agency Dr. Johannes Caspar, who at the time was the first to make the practice public, called the case “one of the most serious cases of violation of data protection regulations that have come to light so far.” In doing so he echoed similar comments made by the Dutch privacy enforcers on the same case.
Google can now add this latest fine to the increasing number they have faced after a series of privacy breaches. The real trouble is that the fines seem to have no effect on the company’s behaviour, because with over 90% of the European market share Google knows that without competition web users and therefore advertisers (Google’s real customers) will continue using their services. For Google the fines they have received are merely the cost of doing business and worth it to maintain their monopoly grip.
But Google still doesn’t seem to get it. Perhaps most concerning in this regard is the explanation Google continues to put forward, echoed by Eric Schmidt to the BBC only yesterday, that this was the result of the “actions of a single individual” and the matter was dealt with immediately. An FCC report in April 2012 already made it clear that the harvesting of data was neither an accident nor the work of a single member of staff, rather the privacy concerns flagged to project supervisors were simple shrugged off or, worse, willingly ignored. Furthermore, it was only when German authorities approached Google about the collection of data that the company admitted what had taken place and sought to take (limited) action.
Both Caspar and the Dutch agency also rejected Google’s claims. ”The fact that this happened over such a long period of time and to the wide extent established by us allows only one conclusion: that the company’s internal control mechanisms failed seriously,” said Johannes Caspar.
In his statement today Dr. Caspar admitted that the level of fines in Germany is “totally inadequate for the punishment of such serious breaches of data protection.” But privacy enforcers can and should do more to protect the privacy of Europe’s citizens than simply impose such meaningless fines. Existing law gives them the power to tell Google to stop collecting and using personal data as long as its practices are not in line with EU rules. EU citizens deserve that meaningful steps are taken to protect their privacy. It is high time that enforcers use all the tools that are available to them to stop this repeat violator from continuing to invade their privacy only to satisfy its insatiable hunger for advertising dollars.