In a 32-page-long decision adopted on March 17, 2011, the French Data Protection Authority (CNIL) determined that Google Inc.’s collection of data in the course of its Street View application and Latitude service breached the French Data Protection Act No. 78-17. (The CNIL’s English summary of its action is here). Making use of its enforcement and sanction powers, CNIL decided to issue a record fine of €100,000. Google Inc. has now two months to lodge an appeal against this decision before the State Council (Conseil d’Etat), the French highest administrative Court.
Google Street View allows users to explore places around the world through 360-degree street-level imagery based on the panoramic views recorded by the vehicles deployed by Google Inc. known as “Google cars”. Latitude is a service offered by Google Inc. that informs users of their position (and of their friends’ position) on a map via their mobile device. The Latitude service is provided partly based on information collected by the Google cars.
CNIL’s investigations of Google Street View and Latitude started more than two years ago after Google Inc. announced the launch of the Latitude service and took the view that this service was not subject to French law and, thus, did not require any prior filings with CNIL. This investigation led CNIL to conduct no less than seven on-site audits between November 2009 and August 2010 and to issue in May 2010 a formal notice seeking compliance with the French Data Protection Act.
In substance, CNIL and Google Inc. had diverging views as to whether Google Inc. was actually collecting personal data and, if so, if it was making use of processing means in France. This issue was key to determine whether Google Inc. was at all subject to French law:
- In its March 17 decision, CNIL reached the conclusion that Google Inc. was processing personal information. First, CNIL considered that the SSID information (the WiFi network name) and MAC addresses (the unique number given to a device like a WiFi router) allowed to identify individuals if used in combination with other location data collected by the Google cars (in particular the GPS position of the car itself). Second, CNIL considered that the transit data, known as payload data (e.g. URLs, emails and passwords), that Google Inc. had inadvertently collected as it publicly admitted in October 2010 also allowed to identify individuals. CNIL dismissed Google Inc.’s argument that the payload information was very fragmented and in a binary format, thus unreadable by a human being.
- CNIL further reached the conclusion that Google Inc. was making use of processing means in France. According to CNIL, Google Inc. would make use of two different processing means, i.e. via the Google cars deployed in France and through the users’ mobile devices. With respect to the latter, CNIL held that the offering of the Latitude service required the use of the GPS or GSM functionalities embarked on the mobile devices and the downloading of Google Inc.’s application.
Based on the conclusion that French law was applicable, CNIL held that Google Inc. had breached the French Data Protection Act by failing to make the prior filings with CNIL for the Latitude service and by failing to provide adequate information to the individuals whose data were being processed, even by way of a general information notice. CNIL however determined that there was no breach of individual freedom and privacy given the fact that Google Inc. had effectively ceased collecting the payload data which were the ones that could have revealed information pertaining to the private sphere.
This decision confirms that CNIL takes a broad view when it comes to assessing whether a non-EU entity is subject to French law. Non EU-entities should think twice before disregarding the application of French law whenever (a) they have an establishment in France, whatever its form, (b) they have servers or other equipment in France used for the processing, or (c) their processing is based, in whole or in part, on processing capacities specific to any equipment or device located in France, irrespective of who owns the equipment or device. This decision also confirms that the fullest cooperation possible with CNIL is key during the investigation process to avoid being sanctioned.