Google has been massively collecting for several years technical data on Wi-Fi networks, in order to provide for location-based services (including the services Google Maps, Street View and Latitude). CNIL conducted a series of on-site inspections to examine the conformity of these processing operations with the French data protection law. These inspections revealed various breaches such as collecting Wi-Fi data without the knowledge of the data subjects and the recording of data relating to content (IDs, passwords, login details, email exchanges). CNIL formally noticed GOOGLE in May 2010, to rectify its situation. Considering that it had not responded to its requests in a timely manner, CNIL sanction committee issued against the company, on 17 March 2011, a fine of € 100,000.
Since 2007, GOOGLE has deployed worldwide vehicles called “Google cars”. These vehicles record panoramic views of places, in order to offer its service Street View to Internet users.
Inspections carried out by CNIL in late 2009 and early 2010 demonstrated that vehicles deployed on the French territory collected and recorded not only photographs but also data transmitted by individuals’ wireless Wi-Fi networks, without their knowledge. It turns out that the collection of tens of thousands of Wi-Fi access points via “Google cars" allowed the company to develop a database of geolocation extremely competitive, and thus to acquire a dominant position in the field of location based services.
In April 2010, GOOGLE declared in the international press that it did not collect any data relating to the content of communications during the operation of its vehicles. Going back on its initial statements, the company acknowledged two weeks later in the press that it had actually recorded such data.
Given the seriousness of the facts and the risk to the privacy of the users of the Wi-Fi networks concerned, CNIL formally noticed the company, on 26 May 2010, to cease all collection of data without people knowing and to provide a copy of all the data relating to content collected within the national territory. GOOGLE communicated the data related to content, CNIL has thus been the first authority in the world to analyse them.
The analysis of these data by CNIL demonstrated that Google had registered, in addition to technical data (SIID identifiers and MAC addresses of Wi-Fi access points), numerous data about individuals, identified or identifiable (data connection to websites, passwords, email, email addresses, including e-mail exchanges revealing sensitive information about sexual orientation or health).
In its decision of 17 March 2011, CNIL sanction committee noted that GOOGLE undertook to stop collecting Wi-Fi data through its "Google cars" and to delete the data relating to content which, according to the company, were collected by mistake. However, it finds that the company has not refrained from using the data identifying individuals’ Wi-Fi access points without them knowing. Indeed, this collection is not longer carried out by "Google cars" but is taking place directly through the users’ mobiles terminals connecting to the service of geolocation Latitude (smartphones, etc..), and without users knowing. As for the "Google cars", CNIL considers that this lack of information constitutes an unfair collection under the law.
The sanction committee further believes that the answers given by GOOGLE following the formal notice are not sufficient, given that the latter has not yet provided CNIL with the elements of the computer program that led to the collection of Wi-Fi data, contrary to its request.
Finally, it criticises GOOGLE for challenging the application of French law to the service Latitude, and for refusing to declare it to CNIL despite two requests to do so.
In these circumstances, given the breaches noted and their seriousness, as well as the economic benefits gained by GOOGLE from these breaches, CNIL sanction committee decided to sentence the company to a penalty of € 100 000.