Marc Rotenberg: Germany levied small fine on Google for gathering people's private info
Fine was less than $200,000. Google made $10 billion in 2010. Fine has no teeth, he says
Public agencies failing to strengthen laws on companies that threaten privacy, he says
Rotenberg: Proposed Consumer Privacy Bill of Rights a good step toward enforcement
Editor’s Note: Marc Rotenberg is Executive Director of the Electronic Privacy Information Center in Washington, D.C. He teaches information privacy law at Georgetown University Law Center.
Last week Germany levied a fine against Google for one of the biggest wiretapping violations in history. The fine? Less than $200,000. Google’s net profits in 2012? More than $10 billion. Imagine a driver of a fancy car caught for speeding and then asked to pay a nickel. Google got off easier.
Over several years and in countries around the world, Google drove cars with cameras mounted on the roof through communities and residential neighborhoods. Google said that it was gathering images to improve its “Street View” mapping program. But Google was also secretly collecting information about Internet access points in private homes and intercepting personal communications across wi-fi networks.
A privacy official in Germany had suspected that this was happening, but was repeatedly reassured by Google that it wasn’t. When the official actually removed the hard drive from a Google vehicle, the true story came out. Investigations were launched in more than a dozen countries. “Street View” became “Spy-Fi.”
The Canadian privacy commissioner determined that the company had obtained medical records and financial records, private e-mails and passwords. In the United States, a group of attorneys general levied a $7 million fine against the company, after federal agencies in Washington failed to act. Google apologized, stopped collecting the wi-fi data (but not the location data) and promised to improve its privacy practices.
Last week, the German official who triggered the original investigation announced the 145,000-euro fine, almost the largest amount allowed under European law, though insignificant for a company the size of Google. The public official was clearly unhappy about the outcome and told The New York Times, “As long as violations of data protection law are penalized with such insignificant sums, the ability of existing laws to protect personal privacy in the digital world, with its high potential for abuse, is barely possible.”
As public concern about privacy increases, the failure of public agencies to take forceful action is becoming a problem. In the United States, the Federal Trade Commission announced important settlements with Facebook and Google back in 2011, but it has been reluctant to take any meaningful enforcement action since. Even after Google consolidated all of the data from across its 60-plus services last year into one data policy to “rule them all,” the FTC remained silent.
The Federal Communications Commission launched an investigation of Street View but levied only a $25,000 fine, even less than the amount in Germany, and that was for Google’s obstruction during the investigation.
Increasingly, Internet companies are advocating “self-regulation” and weak-willed politicians are telling users, “check your privacy settings, be careful what you post.” In other words, you are on your own. That is terrible advice coming from those who know that users can do little to protect their data. User data is gathered surreptitiously, few users have the ability or time to know how it is collected, and even good privacy policies change quickly.
It was only Mr. Casper’s persistence that made it possible to challenge Google’s data collection practices. It would have been impossible for those whose wi-fi communications were intercepted to know that their data was gathered by Google, let alone enforce privacy rights against the company. That is why it is important for officials to pursue investigations, enforce laws and impose significant penalties when warranted.
The failure to enforce privacy laws is bad not only for Internet users, but also for smaller companies and innovative firms that are developing services that comply with privacy law. The success of “Privacy by Design,” and other new approaches, depends on countries enforcing their laws. If they see their larger competitors get away with cutting corners, the message will be that they, too, can ignore the laws. This will lead to a vicious spiral that governments must avoid.
In Europe, governments recognize the need to update and strengthen privacy laws. Efforts are under way to improve privacy protections. That will help consumers and Internet users all around the world as companies adopt better safeguards for personal data.
In the United States, President Obama has called for a Consumer Privacy Bill of Rights and recommended the adoption of new privacy law. It is a good, forward-looking proposal that builds on existing law and addresses a key concern of Internet users today. Another proposal now in California would give Internet users the right to know the information private firms collect about them. It is a clever approach to privacy that does not restrict data collection; it simply makes companies more accountable to users.
But it is not easy to enact new laws, particularly when large companies have so much influence over the political process. Still, there are many public officials who must share the frustration of Mr. Casper. Privacy protection without enforcement is no protection at all.
The opinions expressed in this commentary are solely those of Marc Rotenberg.