
By Andrea Ward and Paul Van den Bulck

The data protection laws in all 27 European member states derive from one directive—the European Data Protection Directive 95/46/EC—which is implemented in each country by its own national legislation and enforced by national or, as in Germany, regional data protection authorities (DPAs). Since the directive leaves a margin of freedom to the member state concerning its implementation, there are obvious disparities in the DPAs’ approach, and this is particularly evident when it comes to enforcement.

In certain countries, for example, France and the UK, the DPA may itself impose fines; in others, for example, Belgium, the DPA may conduct the inquiry and then transmit the matter to the prosecutor's office, which will decide whether to submit the case to court.

The same or similar facts may involve multiple jurisdictions. Indeed, when the data controller, for purposes of processing personal data, makes use of equipment situated in the territory of a member state, the national law of said member state is applicable whatever the seat of the data controller. It is also possible that a data controller makes use of equipment situated in a different member state. In this case, the data controller must ensure that it complies with country-specific requirements in each member state. This said, the same or similar facts, due to the use of such equipment, may lead to different interpretations of the facts and levels of fine imposed, depending on the national DPA concerned. The Google Street View case is a good example.

Google Street View Cases in Europe

Google, Inc., has faced a number of data protection cases over the last few years due to its collection of personal data in different member states for its Google Street View service. Indeed, from 2008 until 2010, Google not only took pictures via its Google cars—the equipment situated on the territory of the different member states—for its Google Street View services, but at the same time collected unencrypted Wi-Fi connections as well as other personal data, for example, data relating to the identification of Wi-Fi networks and addresses of Wi-Fi routers.


The most recent fine against Google was imposed in April 2013 by the Hamburg DPA (Hamburgische Beauftragte für Datenschutz und Informationsfreiheit). The fine of €145,000 follows the finding that Google had “negligently and without authorisation” captured and stored personal data transmitted by unsecured Wi-Fi networks within range of the Google cars. Hamburg Data Protection Commissioner Johannes Caspar called the case “one of the most serious cases of violation of data protection regulations that have come to light so far,” and although Google had never intended to store the data—and even stated that it “never wanted this data, and didn’t use it or even look at it”—the fact that this happened over such an extensive period of time, from 2008 to 2010, and to such a wide extent geographically, allowed the commissioner only one conclusion—that Google’s internal control mechanisms had seriously failed.

In Germany, the Federal Data Protection Act, which is enforced by the German regional DPAs, permits fines of up to €150,000 for negligent breaches and €300,000 for intentional breaches—which this was not. The fine imposed on Google by the Hamburg DPA is, however, not the highest fine imposed to date by this DPA. The highest was a €200,000 fine imposed against Hamburger Sparkasse, a bank, for having granted external agents access to the account information of its clients without having obtained their consent.

Belgium and France

The Hamburg DPA’s decision follows other similar proceedings against Google in Belgium and France. The Belgian prosecutor, after a report from the Belgian DPA (Commission de la Protection de la Vie Privée), settled the matter for €150,000. The French DPA (Commission Nationale de l'Informatique et des Libertés) imposed a fine of €100,000 and the publication of the decision on its website. Since Google's bad faith was not established, the French DPA did not, however, order the publication of the decision via the press.

In Belgium, the processing of personal data in breach of the regulation may constitute a criminal offence, and fines may reach a maximum of €550,000. The Google case is the highest settlement case in Belgium, and it appears that Google has accepted this settlement in the fear of a higher fine imposed by the court. Thanks to this settlement, Google has also avoided all the publicity that would have accompanied a criminal trial.

In France, the DPA may impose penalties of up to €150,000 for a first infringement and €300,000 in the case of a second breach. The Google case was the highest fine imposed to date by the French DPA.

United Kingdom

In the UK, there was a different story. When the problems associated with the Street View data collection first came to light in July 2010 following a complaint by Privacy International, the ICO issued a statement acknowledging the intrusion and “pay-load” data, which Google had inadvertently collected, but finding no cause for concern. At that time, the ICO felt it unlikely that Google would have captured significant amounts of personal data but confirmed it would remain vigilant and would review relevant findings and evidence from other European data protection authorities, as their investigations continued.

However, the ICO reopened its investigation into Street View after it became apparent that other European regulators had found data protection infringements as part of their investigations. In November 2010, the ICO concluded that there was a “significant breach” of the DPA 1998, as the collection of data was not fair or lawful, breaching the first data protection principle. Rather than issue a fine against Google, of up to £500,000, it was announced that Google would be required to sign an undertaking to improve its data protection practices over a period of nine months and to delete the pay-load data which had been collected. The undertaking also included promises that Google would provide better staff training and improve awareness of data protection issues. It also required Google to permit the ICO to audit its internal privacy structure, training programs and product reviews.

The ICO’s decision not to impose a monetary penalty in 2010 was the result of its assessment that it was more important to address the failings, through education and improved practices, rather than impose fines, which would be limited, inadequate and not have any real impact on the business.

Having signed an undertaking with the ICO, Google should have destroyed the pay-load data it collected as part of the Street View operation. Correspondence between Google and the ICO from July 2012 is available on the ICO website and reveals that Google apologised and confirmed that, when reviewing its handling of the data, it found that it still had some payload data from the UK and other countries and would be notifying the relevant authorities. Google stated that it wanted to delete the remaining UK data, but asked the ICO for instructions on how to proceed—whether it wanted to view the data first, or whether Google could simply destroy it. The ICO replied that it did want to examine the contents of the remaining UK data and asked Google to store it securely until then. Viewed from other member states, the British outcome—even though rather pedagogic toward Google—appears very lenient, especially when taking into account the heavy fines usually imposed on data controllers from the public sector.

What About the Google Street View Case from the Other Side of the Atlantic?

In March 2013, Google entered into an “Assurance of Voluntary Compliance” with the attorneys general of 39 U.S. states, which, in addition to measures aimed at improving its privacy practices, also requires Google to pay $7 million to those 39 states. This “Assurance of Voluntary Compliance” thus combines both education and fines.

To comply with its assurances to the attorneys general, Google must implement a privacy program, delivered over six months, that includes regular employee training, CIPP qualifications, an annual Privacy Week and updated policies and procedures.

These requirements are all good practice recommendations that any data controller can learn from and should seek to implement, as far as possible, within the limits of its size and resources. However, from an EU perspective, the above requirements, even though they constitute good practice, are not sufficient for Google to be compliant in Europe.


The matter of enforcement and monetary penalties will continue to be a hot topic until such time as the new European Data Protection Regulation comes into force. Fines of €145,000 will look even smaller when the potential fine limit is raised to two percent of a company’s global annual turnover.

Paul Van den Bulck of McGuireWoods LLP focuses on legal issues concerning technology law, data privacy and security, intellectual property, media and entertainment, and fair trade practices. Paul also counsels clients on day-to-day IP and IT issues, provides strategic advice and manages IP and IT due diligence. He also manages large IP portfolios.

Andrea Ward is a senior associate in McGuireWoods' London, UK, office, where she advises clients on a wide variety of labor and employment matters with a specific focus on data protection and security. Ward focuses much of her practice examining the challenges for employers associated with social media and IT use in the workplace, including the boundaries of employee monitoring and privacy rights.

