Privacy & Cybersecurity Law Blog

On March 21, 2011, the French Data Protection Authority (the “CNIL”) published its decision to fine Google €100,000 for violating the French Data Protection Act.

In 2009, the CNIL inspected Google’s geolocation service (“Street View”), which revealed that Google had collected huge quantities of undeclared personal data (e.g., navigation data, email content, logins and passwords) through Wi-Fi connections accessed by its Street View cars.  Google responded that the personal data had been collected by mistake, and promised to stop the Wi-Fi data collection.

In May 2010, the CNIL ordered Google to cease the breach within a specified time limit.  In particular, the CNIL asked Google to register all of its data processing activities (including Google Latitude) with the CNIL, to cease covert and unlawful collections of all personal data by Street View vehicles, and to disclose to the CNIL a copy of all personal data the vehicles had collected via Wi-Fi connections.

On March 17, 2011, the CNIL’s sanction committee imposed a €100,000 fine on Google on the grounds that the company had failed to comply with these conditions and had therefore violated the French Data Protection Act.  In particular, the CNIL ruled that Google continued to collect personal data via smartphones connected to Latitude, without the users’ knowledge.  The CNIL also ruled that Google Latitude is subject to French law since Google uses equipment (e.g., Google Street View cars, end user terminals, Wi-Fi connections) on French territory, and this activity must therefore be registered with the CNIL.

This decision constitutes a record fine against a data controller and sends a clear signal that the CNIL intends to toughen controls over data processing activities taking place on French soil.

The CNIL’s decision is available on the CNIL’s website.