Privacy Advisor

FRANCE—Services found non-compliant with French data protection law

May 1, 2011

By Pascale Gelly, CIPP/E, and Caroline Doulcet

A March 17 CNIL decision imposed a penalty of 100,000 euros on Google Inc. for having implemented its Google Maps, Street View and Latitude services on French territory in violation of French data protection law. Here is a summary of the CNIL decision:

In 2008, Google Inc. launched the Street View service in France. Street View offers panoramic views of streets obtained from photographs taken by Google cars. This service, which is associated with Google Maps, enables the company to offer online photographs of geographic areas. In 2009, it was associated with Latitude to enable smartphone users to display their location and see the location of their close friends and family members.

In 2009 and 2010, the CNIL contacted Google France and conducted a few onsite investigations. As a result of the investigations, it found that Google, in the course of implementing these services, had collected various types of personal data from WiFi networks in France via the Google cars or via users' smartphones. This activity led to the decision at issue, which provides very interesting conclusions on the key legal issues of applicable law in a global world, the definition of personal data in the e-communications environment and notice obligations when individuals are unknown.

Although the Latitude service is provided by Google Inc., which is located in the United States, the CNIL held that French data protection law was applicable on the grounds that the collection of personal data from WiFi networks was carried out, “at least partially,” by means located on the French territory, including not only Google cars but also GPS and radio signals, cell phone GPS chips and cell phone antennas. Moreover, the authority stressed that before the data collection, the user must download an application on his or her terminal equipment, which then sends the collected data to the Google database in the U.S., which in turn sends the localization map back to the user in France. This is how the authority justified the case for application of French data protection law.

Analyzing the collected data, the CNIL determined that the SSID (Service Set Identifier, or number identifying a wireless network) is personal data, since very often this identifier includes the name of the network owner. The MAC address (Media Access Control, or the unique identification number of a network card) alone is not personal data. However, it can be linked to identifying information during Internet navigation, in which case it becomes personal data. The CNIL held that these data, linked with localization data, are personal data. As echoed by the media, Google cars also absorbed WiFi content data, including e-mail addresses and messages, passwords and Internet sites visited, which were also characterized as personal data, even in a non-readable format.

In the end, the CNIL decided to sanction Google Inc. for the following non-compliances with the French data protection law:

  • The company failed to notify the CNIL about the data processing related to the Latitude service. The company notified the CNIL about Street View, then updated its notification to add the WiFi data collected;
  • Although the company committed to stop collecting content data, it will continue to collect MAC addresses and SSIDs. The CNIL considers this unfair, as WiFi users are not informed about such data collection. Google Inc. claims that providing notice to unknown individuals triggers disproportionate efforts, referring to a French law exception; however, the CNIL is of the opinion that Google was able to provide general information in French newspapers or on the Internet, as it did to inform the public about the collection of photographs by Google cars;
  • The company’s answers to the various requests for information made by the CNIL were not satisfactory.

The 100,000-euro fine is the highest sanction ever issued by the CNIL. The authority has the power to order sanctions up to 150,000 euros. In determining the amount of the pecuniary penalty, the CNIL took into account not only the seriousness of the violations of French data protection law but also the economic benefits to Google Inc. resulting from such violations and, in particular, the competitive advantage derived from the unlawful processing.

The CNIL decided to post its decision on the Internet on the grounds of the seriousness of the violations, which is rather unusual.


Pascale Gelly, CIPP/E, of the French law firm Cabinet Gelly can be reached at pg@pascalegelly.com.

Caroline Doulcet of the French law firm Cabinet Gelly can be reached at cd@pascalegelly.com.