Whilst there is no doubt that Google’s ability to create new innovative tools appeals to its ever-growing fan-base, questions are sometimes raised about these great tools.
In this particular case, the French data protection authority, the CNIL, thoroughly looked into the “Google Latitude” geolocation service, which is linked with “Google Maps” and “Google Street View”. This led the CNIL to issue a record fine of €100,000.
The “Google Street View” service, which offers Internet users a 360° panoramic view of city streets, had already been subject to intervention by the CNIL. The CNIL required Google (i) to blur out faces and car registration plates from the photos; (ii) to limit the time for which it retained the originals of the photos; and (iii) to add the option to “report a problem”, allowing users to exercise their right to anonymity. Other European countries, including Belgium and Germany, have expressed similar concerns.
This time, the CNIL decision, dated 17 March 2011, concerns data collected for the implementation of the “Google Latitude” service, which enables geolocation of users that have a Google account and a “smartphone”.
In order to implement this service, the company used the same vehicles used for “Google Street View” – the “Google Cars”, equipped with 360° cameras and sensors to enable different types of data to be collected. This data is not only panoramic views of the areas covered by the service, but also technical data, combining radio signals (GSM and Wi-Fi) with GPS positions of the “Google Cars”, in particular the SSIDs (Service Set Identifier, a name that identifies a wireless LAN) and the MAC addresses (Media Access Control address, or unique identifier assigned to network interfaces) obtained from Wi-Fi access points. Today, this database is enhanced by the collection of data captured and transmitted by users’ mobile phones (i.e. MAC and SSID addresses in their vicinity).
It emerges from the decision that from the very announcement of the launch of the service in February 2009, the CNIL conducted a thorough investigation. The procedure has lasted a little more than two years, punctuated with some unexpected twists and turns. This intricate process involved meetings, large volumes of correspondence and no fewer than seven on-site inspections between December 2009 and August 2010. In spite of this, the CNIL learnt certain information from press releases alone.
This process led to the issue of a formal notice on 26 May 2010, followed by a sanction on 17 March 2011.
1. Large-scale and unintentional collection of “content/payload data”
Following a source code programming error in its data-collection software, Google carried out a large-scale, although unintentional, collection of actual payload data from Wi-Fi spots using its “Google Cars”. This data contained information on the websites visited by the affected people, the content of messages sent and received, and their usernames and passwords for websites. In some cases, the data even contained sensitive information about the person’s sexual orientation or health.
This situation arose in a number of countries, and Google made it public on 14 May 2010 in a press release, before resolving the problem.
In light of the seriousness of the situation and the number of people affected, the CNIL gave notice on 26 May 2010 to remedy and/or provide clarification on a number of issues.
Although this data collection was carried out in breach of French data protection law and threatens the right to privacy, confidential correspondence and freedom of expression, it did not result in a sanction. Indeed, the CNIL concluded that the breach had been rectified and that since the collection was not intentional, it could not be classified as unfair or illicit.
2. Classification of the collection of technical data as “personal data processing”
MAC addresses of routers are not, per se, personal data. Neither are SSIDs, unless they contain the surname and/or forename of the network manager.
However, so far as the CNIL is concerned, in light of the purpose for which the data is collected, i.e. identifying a person’s location, the combined collection of SSIDs and MAC addresses, together with geolocation data, classifies this as the processing of personal data.
3. Breach of filing requirement
As Google’s actions involved the processing of personal data, a prior filing should have been made with the CNIL before technical data could be collected, whether via the “Google Cars” or users’ mobile phones.
(i) “Google Street View”
Google had filed the processing made for the purpose of “Google Street View” with the CNIL, but had not specified that it would also be collecting technical data. After the issue of the formal notice by the CNIL, Google amended its existing filing, and so the CNIL did not use this infringement as the basis for sanction.
(ii) “Google Latitude” and the issue of using means of processing located in France
Google did not make any filing in relation to “Google Latitude” with the CNIL. It argued that this complies with article 5-I-2° of the French data protection law, under which personal data processing carried out by a data controller based outside France is not subject to French law unless the data controller “uses means of processing located on French territory”. Google claimed that since it was based in the US and did not use any processing means located in France, French law would not apply.
The CNIL held that:
• Google has a subsidiary established in France, Google France SARL; and furthermore
• the processing means have been and are used in French territory, i.e.:
– The “Google Cars” used to set up the initial database; and
– The users’ phones themselves since they are used for the purposes of geolocation.
Therefore, the CNIL sanctioned Google for breach of its obligation to file its personal data processing for “Google Latitude”.
4. Failure to carry out the data processing fairly and lawfully
The CNIL held that since it was carried out without the knowledge of the data subjects, the collection of data using the “Google Cars” or the mobile phones of “Google Latitude” users was carried out unfairly and therefore in breach of article 6.1° of the French data protection law.
Google tried to defend itself based on article 32.III of the French data protection law, which provides an exception to the requirement to inform the data subjects where such notification proves impossible or would involve disproportionate efforts compared with the interest of the processing itself. Individual notifications to MAC address-holders and Wi-Fi users would be impossible to carry out, since the company had no direct link with these people.
However, the CNIL held that, if it was effectively impossible to make individual notifications, Google should have made information available more globally, whether in the local press or by putting information online on a “.fr” website, so that the public would have the opportunity to object to the use of their personal data. As a result, Google was in breach of the law.
5. Failure to provide information to the CNIL
Giving a wide interpretation to its right to have access to “any document necessary in order to fulfil its task, in whatever medium”, the CNIL has sanctioned Google’s failure to provide it with the source codes of its new data-collection software.
6. Benefits gained from these breaches
The CNIL found that the data collected for “Google Latitude”, obtained in breach of the law, gave Google an unquestionable advantage over its competitors, enabling it to offer a high-performance geolocation service. This service, which carries a high level of Internet traffic, could generate significant revenue from advertising, which represents the majority of Google’s turnover.
In its decision of 17 March 2011, the CNIL therefore:
• ordered Google to pay a fine of €100,000; and
• having regard to the seriousness of the breaches and the need to raise awareness among the data subjects, ordered that not only the sanction, but also the decision, should be published in their entirety both on the CNIL’s website and on the Légifrance website (the public database of French law). However, since there was no bad faith on Google’s part, the decision was not to be published by the press.
Google has two months to appeal to the Supreme Court (Conseil d’Etat).