Dutch DPA issues several administrative orders against Google

INFORMAL TRANSLATION press release 19 April 2011

Today, the Dutch Data Protection Authority (College bescherming persoonsgegevens, CBP) has issued several administrative orders against Google for incremental penalty payments. Investigations by the CBP show that Google has, for a period of two years, systematically, and without the data subjects’ knowledge, collected MAC addresses of more than 3,6 million WiFi routers, in combination with the calculated location of those routers. This was done by using the so called ‘Street View cars’. MAC addresses in combination with their calculated locations, qualify, in this context, as personal data, because the collected data provide information about the WiFi router’s owners. The Dutch DPA also concludes that Google, using the same Street View cars, collected so called payload data, the contents of internet communication. This information contains personal data such as e-mail addresses, medical data and information concerning financial transactions.
Google has been ordered to, within three months, inform the data subjects – off line as well as on line – about the collection of data originating from WiFi routers by the Street View cars. Within the same period of three months, Google must also offer an on line possibility to opt-out from the database in order to enable people to object to the processing of the data concerning their WiFi routers. In case Google does not comply with the administrative order within the time period granted, the penalty amount can increase to a maximum of one million euros. Furthermore, Google is obliged to destroy the payload data it has collected in the Netherlands within four weeks.


Read the Dutch press release and the relevant documents (only in Dutch)

Between 4 March 2008 and 6 May 2010 Google has collected data about 3,6 million different WiFi routers, regardless whether the communication was encrypted or not. The company has also calculated a location for every WiFi router. In doing so Google has contravened the Dutch privacy act (Wet Bescherming Persoonsgegevens). MAC addresses combined with a calculated location constitute personal data because the data could provide information about the user of the WiFi router. By now, Google has stopped collecting WiFi data with Street View cars, but it still collects new data on WiFi routers every day via the users of its geolocation service.

In addition, Google has acted unlawfully by collecting the contents of communication from unencrypted WiFi networks. The CBP has analysed the data flow which was collected by Google and found it contained multiple personal data. These are data which can be traced to individuals and which originated from the contents of e-mails and from surfing and chatting.

A WiFi router enables computers to connect mutually within a network and with the internet. Each WiFi router has a unique number, a MAC address, which has been registered in the computer’s hardware by the manufacturer.

Against the incremental penalty payments Google may object and appeal in court.