Google Inc. (GOOG) faces a fine from Norway’s data-protection regulator of 250,000 kroner ($42,260) after unlawfully collecting and failing to delete personal data gathered through its Street View mapping service.
In a notice sent to Google this week, the agency said the company will be subject to the fine, called a violation charge, for collecting data in Norway without people’s consent. Google has four weeks to convince the regulator to reconsider.
Collecting the data “violated the privacy rights,” it was processed without consent and wasn’t deleted as the agency requested, the regulator said in the Aug. 7 notice to the operator of the world’s largest Internet search engine.
“This is one of the biggest fines we have imposed,” Bjorn Erik Thon, Norway’s data-protection commissioner, said in a phone interview today. “We have to come up with a reaction when such a huge company like Google is behaving like this.”
The Norwegian agency received a letter from Google, which had revenue of $12.2 billion for the second quarter, on July 27 alerting it to the undeleted data and asking the agency what it should do. The regulator said Google has to delete it by Oct. 1.
Google sent a similar letter to the U.K. Information Commissioner’s Office, also on July 27, saying it still had some data collected via Street View that should have been deleted in December 2010. The U.K. agency asked Google to provide the data “immediately” for analysis and a French regulator made a similar request on July 31.
Peter Fleischer, Google’s global privacy counsel, said today that the company apologized for the Norway matter.
“Google has recently confirmed that it still has in its possession a portion of payload data collected by our Street View vehicles,” Fleischer said in an e-mailed statement. Google will delete the remaining data, he said.
“The amount of the fine is trivial for Google, but the fact of the fine and related privacy penalties around the world are increasingly damaging to Google’s image and reputation with consumers and governments,” said Greg Sterling, an analyst at Opus Research.
While Google received “the benefit of the doubt” over Street View data collection at first, it “will be met with skepticism and doubt in similar situations in the future,” Sterling said in an e-mail.
Google was fined $25,000 by the U.S. Federal Communications Commission this year for impeding its probe of improper data gathering. In an agreement ending the U.K. inquiry into Street View in November 2010, Mountain View, California-based Google agreed to further U.K. audits of its privacy practices.
“This data can be sensitive, it’s passwords, it’s e-mails, it’s Wi-Fi information,” said Norway’s Thon, and as long as Google “have no legal basis to collect and to store this data, it’s extremely important that it is deleted.”
Google confirmed in June 2011 that so-called payload data gathered in Norway was deleted. The maximum penalty the Norwegian agency can impose is 850,000 kroner.
In setting the amount of the fine, the Norwegian regulator took into consideration that Google voluntarily notified it of the data issue.
Without the company’s letter, “it wouldn’t have been possible for us to find out about this,” Thon said. Google “will have to come up with a really good explanation” to avoid the fine, Thon said.
Data protection is currently policed by separate regulators across the 27-nation EU, and the region wants to simplify the system so companies deal with only one regulator in the bloc. While Norway isn’t part of the EU, it belongs to the European Economic Area.
To contact the reporter on this story: Stephanie Bodoni in Luxembourg at firstname.lastname@example.org
To contact the editor responsible for this story: Anthony Aarons at email@example.com