Stern Words, and a Pea-Size Punishment, for Google
By Claire Miller, The New York Times
SAN FRANCISCO — Regulators in Germany, one of the most privacy-sensitive countries in the world, unleashed their wrath on Google on Monday for scooping up sensitive personal information in the Street View mapping project, and imposed the largest fine ever assessed by European regulators over a privacy violation.
The penalty? $189,225.
Put another way, that’s how much Google made every two minutes last year, or roughly 0.002 percent of its $10.7 billion in net profit.
It is the latest example of regulators’ meager arsenal of fines and punishments for corporations in the wrong. Academics, activists and even regulators themselves say fines that are pocket change for companies do little to deter them from misbehaving again, and are merely baked into the cost of doing business.
Johannes Caspar, the data protection supervisor in Hamburg, Germany, who led the investigation into the Street View project, said the fine, which was close to the maximum of 150,000 euros, or $195,000, that he could legally impose, was woefully inadequate to stop the data collection practices of companies as large as Google. He called on lawmakers to significantly raise such fines.
“As long as violations of data protection law are penalized with such insignificant sums, the ability of existing laws to protect personal privacy in the digital world, with its high potential for abuse, is barely possible,” Mr. Caspar said.
In Europe, lawmakers are considering revisions to the main data protection law to allow for fines of up to 2 percent of a company’s annual sales. In Google’s case, based on last year’s revenue, that would have been up to $1 billion.
For several years, while Google took photos for its Street View maps, it also collected data like e-mail messages and photos over unencrypted Wi-Fi networks, outraging consumers and privacy advocates and prompting investigations in at least a dozen countries.
Peter Fleischer, Google’s global privacy counsel, said the company collected the data inadvertently, did not use it and cooperated with investigators in Hamburg.
For Silicon Valley companies, such middling fines are common. For the Street View violation, Google last year paid a $25,000 fine for obstructing the federal investigation, and last month agreed to pay $7 million to settle a lawsuit brought by 38 states. France fined Google 100,000 euros in 2011; Ireland and Britain did not impose fines after Google agreed to delete data collected illegally in their countries.
For another privacy violation, related to the Safari browser, the Federal Trade Commission last year settled with Google for $22.5 million, the largest civil penalty it had ever levied, though Google did not admit any wrongdoing. The commission similarly filed eight complaints against Facebook for “unfair and deceptive” practices related to privacy, with no fine or admission of guilt. In antitrust investigations, Google escaped a fine in the United States and is close to doing the same in Europe.
“Especially in these areas like privacy or online access to information, existing law hasn’t really dealt with these issues before because as technology changes, the law needs to play catch-up,” said Martin H. Pritikin, a professor at Whittier Law School who co-writes the blog the Collection Gap, about regulatory enforcement failure.
Still, the problem stretches far beyond the tech industry. After the 2008 financial crisis, for instance, lawmakers and even some judges questioned whether government fines amounted to a rounding error for the nation’s biggest banks.
Jed S. Rakoff, a federal judge in New York, called the Securities and Exchange Commission’s $150 million settlement with Bank of America over lax public disclosures “half-baked justice at best,” and its $285 million settlement with Citigroup “pocket change.” Even when Goldman Sachs paid a record $550 million fine to the agency in 2010, it amounted to less than 10 percent of the bank’s profit that year.
On Wall Street, the public hand-wringing also stemmed from a lack of criminal charges. When the authorities leveled a record $1.9 billion penalty against HSBC in a money-laundering case, they stopped short of indicting the British bank, saying that such a move could jeopardize the financial system. The decision raised concerns that Wall Street was not only too big to fail, but also too big to indict.
That reflects a broader attitude against fining companies too severely, Mr. Pritikin said. If a fine is too big, the argument goes, it hurts shareholders if the stock price suffers, and consumers if the company has to raise prices to pay the fine.
But when John H. Nugent, a management professor at Texas Woman’s University, studied the topic, he said he was surprised to find that the opposite was true, and that even large fines had little long-term effect on companies’ stock prices.
“Management will often choose to take actions they may know are improper because they realize the long-term consequences will not affect them,” Mr. Nugent said.
Still, even a trivial fine has some consequences, said James M. Anderson, who studies the role of law in regulating business at RAND Corporation.
“There may be some good that is accomplished even if the amount in question is all but nominal, in expressing some notion that as a society, we have collectively said this is a problem,” he said.
And the public relations fallout of any regulatory penalty can be significant for companies like Google, which is extremely sensitive about its reputation in the eyes of consumers, said Chris Hoofnagle, a lecturer on privacy law at the University of California, Berkeley, School of Law.
But Ezra Ross, a professor at the University of California, Irvine, School of Law and a co-writer of the Collection Gap blog, said the German fine had the opposite effect.
“They can say, ‘Look at the amount of the fine. Even the government obviously didn’t think this was a very big deal,’ ” he said.
He suggested that regulators find creative ways to punish companies, like preventing Google from using and profiting from the legitimate Street View data it collected while it was inappropriately collecting personal data.
Another solution, Mr. Pritikin said, is to punish individuals with fines or jail time, though that is also complicated because companies have insurance to cover such fines and it is often difficult to single out one person responsible for a decision.
Enforcement is at a turning point, Mr. Hoofnagle said, and fines could blossom, especially if a tech company’s privacy violation caused serious harm.
“We’re still working out as a society what the harms are for privacy violations, and we’re not likely to see hundreds of millions of dollars in fines unless blood is spilled,” he said. “But you can see how that could happen.”¶ 4/22/2013