European Regulators May Reopen Street View Inquiries

Share with others:

Print Email Read Later

BERLIN -- Privacy regulators in Britain, Germany and France said Wednesday that they may reopen or expand their investigations into Google's illegal collection of Internet data for its Street View service following revelations that the programmer who designed the software had informed coworkers of its capabilities as early as 2007.

Google's disclosure in 2010 that it had illegally collected 600 gigabytes of personal data -- including e-mails, photos, Web histories and passwords -- from Wi-Fi routers around the world was first uncovered in Germany and sparked a series of inquiries by privacy regulators in Europe and around the world.

All of those reviews except two in Germany -- one regulatory, one criminal -- were settled after Google apologized and blamed the incident on an error by the programmer.

But last week, a new report on the incident by the U.S. Federal Communications Commission showed that the programmer, a Google engineer who lives in Palo Alto, California, had informed his colleagues in 2007 and 2008 that his software program would also collect Internet "payload" data from unencrypted Wi-Fi routers as Google's Street View recording vehicles passed by.

In Germany, where reviews by a privacy regulator and the Hamburg state prosecutor's office are still ongoing, the new information will influence the course of both inquiries, said Johannes Caspar, the data protection commissioner for Hamburg, whose investigation first brought Google's illegal collection of Internet data to light.

"Of course this will have a big impact," Mr. Caspar said. "This is apparently a totally different situation that what we thought initially. We had been told that it was a simple mistake, as the company had told us. But now, we are learning that this wasn't a mistake and that people within the company knew this information was being collected. That puts it in a totally different light."

The German federal commissioner for data protection and freedom of information, Peter Schaar, is also following the latest developments in the case with interest, a spokeswoman said.

A Google spokesman in Hamburg, Kay Oberbeck, said the company would have no comment to add to remarks made last week, when the F.C.C. said in its report that it had found no wrongdoing.

"While we disagree with some of the statements made in the document," Mr. Oberbeck said, referring to the report, "we agree with the F.C.C.'s conclusion that we did not break the law. We hope that we can now put this matter behind us."

The French privacy regulator, the Commission Nationale de l'Informatique et des Libertés, said Wednesday that it would also review the F.C.C. document and weigh their options.

C.N.I.L., as the French regulator is known, is leading a European review of Google new global data privacy policy, announced in January, which combines data collected from several Google services. C.N.I.L. is currently analyzing Google's responses to 69 questions the French regulator had sent the company this year.

A person with knowledge of the review said it was likely that the French agency would include new questions about Google's collection of Wi-Fi data.

Greg Jones, a spokesman for the Information Commissioner's Office in Britain, said his agency would review the F.C.C. report to determine if further action was warranted in Britain. The British regulator in 2010 accepted Google's apology and asked the company to destroy the data collected in Britain.

"We will study the Federal Communications Commission's report and consider what further action, if any, needs to be taken," Mr. Jones said.

The European Union's top privacy panel, the Article 29 Group, which advises the European Commission, will discuss Google's illegal collection of data as part of Street View -- a technology featured in Google Maps and Google Earth that give users a view of the streets they are navigating -- and what response if any to take.

Jacob Kohnstamm, the chairman of the European privacy panel and the chairman of the Dutch Data Protection Authority, said that European officials were disappointed by the revelations. Many regulators, Mr. Kohnstamm said, feel misled by Google, whose executives in 2010 had reassured European lawmakers, often in personal appearances, that the illegal data collection was unintentional.

Mr. Kohnstamm said the new disclosures would be a topic of discussion among European regulators attending a three-day spring convention that begins Wednesday in Luxembourg.

"We will certainly discuss the matter," Mr. Kohnstamm said in an interview. "My first reaction is: 'This is a bloody shame."'

Google's global privacy counsel, Peter Fleischer, had spoken at a hearing in the Netherlands in 2010 on the Wi-Fi taping incident, Mr. Kohnstamm said.

"At this hearing, Peter Fleischer made it pretty clear in his oral statement and in writing that it was the mistake of one single guy working at Google who had made a stupid mistake," Mr. Kohnstamm said. "But apparently, it wasn't a mistake at all."

Mr. Kohnstamm said the European regulators would explore what legal options they have to make Google accountable for its actions, but their options were limited. In the case of the Netherlands, Google destroyed the Dutch data it had collected, as requested, and regulators there will not reopen the case, Mr. Kohnstamm said.

"I am not quite sure yet what we do legally," Mr. Kohnstamm said. "That depends on what the individual data protection authorities decide to do. But I think it is time for data protection authorities around the world to work together to hold the company accountable."

Mr. Kohnstamm added that "Having told data protection authorities around the globe that the taping was a mistake, and now apparently that it was a deliberate action, is disappointing. In a political sense, that would be considered contempt of Parliament and would mean the end of the career for the person responsible."

The unauthorized collection of Internet payload data, which the F.C.C. determined was not illegal in the United States, is a violation of European law, Mr. Kohnstamm said.

Enforcement of privacy law in Europe is done on a national level, although a proposed revision to the European Data Protection Directive, which won't be completed until 2013 at the earliest, would give national regulators the power to sanction violators up to 2 percent of annual sales. Based on Google's 2011 results, such a fine would amount to $758 million.

Under existing law, European privacy regulators can only levy limited fines on global technology companies, even in egregious cases. The French regulator, C.N.I.L., fined Google €100,000, or $132,000, for its Wi-Fi data collection in France. German law empowers the Hamburg regulator to levy fines of up to €500,000 in cases where there is willful intent to violate the law, or €50,000 in cases of negligence.

The British regulator has the power to levy a fine of up to £500,000, or $810,000, in cases where violations of British data protection law by a company or individual cause "substantial" damage and distress. But the agency must prove that those responsible knew they were breaking British law.

Many European regulators that have already settled with Google will have a hard time legally reopening their cases, Mr. Caspar, the Hamburg regulator, said.

Even the German criminal investigation could be thwarted by jurisdictional obstacles.

The engineer at the center of the controversy resides in the United States, which could complicate efforts by German prosecutors to question him. According to the F.C.C. report, the engineer invoked his Fifth Amendment right against self-incrimination in refusing to speak with U.S. officials.


This article originally appeared in The New York Times.


You have 2 remaining free articles this month

Try unlimited digital access

If you are an existing subscriber,
link your account for free access. Start here

You’ve reached the limit of free articles this month.

To continue unlimited reading

If you are an existing subscriber,
link your account for free access. Start here