Dutch Data Protection Authority maintains decision to impose a penalty on Google

Press Release, 11 August 2011

The Dutch Data Protection Authority ( College Bescherming Persoonsgegevens, Dutch DPA) has reacted on Google’s objections against the imposition of incremental penalty payments.  In a so-called ‘beslissing op bezwaar’ (decision in reaction to a complaint by Google), the Dutch DPA largely maintains its initial decision to impose incremental penalty payments.
The Dutch DPA sticks to its ruling on the following three points:
- that a MAC address in combination with the calculated location of the WiFi router is personal data;
- that Google has to erase permanently the collected SSIDs (network names) of WiFi routers;
- that Google is obliged to offer users the option to opt-out, so they can effectively object to the processing of data on their WiFi routers at all times and free of charge.

In reaction to the Dutch DPA’s first decision to impose penalty payments, Google has proposed a technical solution by which the possibility to opt out is offered off line. The Dutch DPA judges that this is an acceptable method.  Consequently, it has removed the word ‘on line’ from its initial decision of  19 April.

Google has complied with one of the four counts of the incremental penalty. Because of that, the total of the possible remaining sum which could be forfeited now amounts to € 750.000.

Read the Final Findings (10,7 MB)

The possibility to opt out off line which Google has proposed is to have the owner of the WiFi router change the SSID, so that it starts for instance with the letters ‘no map’. In that case, no data related to that WiFi router are filed. If this opt out possibility is adopted, SSIDs may be consulted, but may not be filed.

Following research, the Dutch DPA imposed incremental penalty payments on Google concerning the collected data on WiFi networks. Since, Google has complied with the notification requirement for the processing of data. Apart from providing an opt out  Google is also obliged to inform – off line as well as on line - data subjects about the collection by Google of data on WiFi routers by means of Street View cars, for the purpose of its geolocation service. In addition Google is obliged to irrevocably erase the SSIDs.

Google has collected data on roughly 3,6 million WiFi routers in the Netherlands, secured as well as unsecured, using the Street View cars between 4 March 2008 and 6 May 2010. For each router, the company has calculated a location. In doing so Google has violated the Dutch Data Protection Act. In this context, MAC addresses combined with a calculated location are personal data because the data can provide information about the WiFi router’s owner.

Google can lodge an appeal against the decision of the Dutch DPA in court.

z2010-00582