By Claire Miller, The New York Times
SAN FRANCISCO — Regulators in Germany, one of the most privacy-sensitive countries in the world, unleashed their wrath on Google
on Monday for scooping up sensitive personal information in the Street
View mapping project, and imposed the largest fine ever assessed by
European regulators over a privacy violation.
The penalty? $189,225.
Put another way, that’s how much Google made every two minutes last
year, or roughly 0.002 percent of its $10.7 billion in net profit.
It is the latest example of regulators’ meager arsenal of fines and
punishments for corporations in the wrong. Academics, activists and even
regulators themselves say fines that are pocket change for companies do
little to deter them from misbehaving again, and are merely baked into
the cost of doing business.
Johannes Caspar, the data protection supervisor in Hamburg, Germany, who
led the investigation into the Street View project, said the fine,
which was close to the maximum of 150,000 euros, or $195,000, that he
could legally impose, was woefully inadequate to stop the data
collection practices of companies as large as Google. He called on
lawmakers to significantly raise such fines.
“As long as violations of data protection law are penalized with such
insignificant sums, the ability of existing laws to protect personal
privacy in the digital world, with its high potential for abuse, is
barely possible,” Mr. Caspar said.
In Europe, lawmakers are considering revisions
to the main data protection law to allow for fines of up to 2 percent
of a company’s annual sales. In Google’s case, based on last year’s
revenue, that would have been up to $1 billion.
For several years, while Google took photos for its Street View maps, it also collected data
like e-mail messages and photos over unencrypted Wi-Fi networks,
outraging consumers and privacy advocates and prompting investigations
in at least a dozen countries.
Peter Fleischer, Google’s global privacy counsel, said the company
collected the data inadvertently, did not use it and cooperated with
investigators in Hamburg.
For Silicon Valley companies, such middling fines are common. For the Street View violation, Google last year paid a $25,000 fine for obstructing the federal investigation, and last month agreed to pay $7 million
to settle a lawsuit brought by 38 states. France fined Google 100,000
euros in 2011; Ireland and Britain did not impose fines after Google
agreed to delete data collected illegally in their countries.
For another privacy violation, related to the Safari browser, the
Federal Trade Commission last year settled with Google for $22.5
million, the largest civil penalty it had ever levied, though Google did
not admit any wrongdoing. The commission similarly filed eight
complaints against Facebook for “unfair and deceptive” practices related
to privacy, with no fine or admission of guilt. In antitrust investigations, Google escaped a fine in the United States and is close to doing the same in Europe.
“Especially in these areas like privacy or online access to information,
existing law hasn’t really dealt with these issues before because as
technology changes, the law needs to play catch-up,” said Martin H.
Pritikin, a professor at Whittier Law School who co-writes the blog the Collection Gap, about regulatory enforcement failure.
Still, the problem stretches far beyond the tech industry. After the
2008 financial crisis, for instance, lawmakers and even some judges
questioned whether government fines amounted to a rounding error for the
nation’s biggest banks.
Jed S. Rakoff, a federal judge in New York, called the Securities and
Exchange Commission’s $150 million settlement with Bank of America over
lax public disclosures “half-baked justice at best,” and its $285
million settlement with Citigroup “pocket change.” Even when Goldman
Sachs paid a record $550 million fine to the agency in 2010, it amounted
to less than 10 percent of the bank’s profit that year.
On Wall Street, the public hand-wringing also stemmed from a lack of
criminal charges. When the authorities leveled a record $1.9 billion
penalty against HSBC in a money-laundering case, they stopped short of
indicting the British bank, saying that such a move could jeopardize the
financial system. The decision raised concerns that Wall Street was not
only too big to fail, but also too big to indict.
That reflects a broader attitude against fining companies too severely,
Mr. Pritikin said. If a fine is too big, the argument goes, it hurts
shareholders if the stock price suffers, and consumers if the company
has to raise prices to pay the fine.
But when John H. Nugent, a management professor at Texas Woman’s University, studied the topic,
he said he was surprised to find that the opposite was true, and that
even large fines had little long-term effect on companies’ stock prices.
“Management will often choose to take actions they may know are improper
because they realize the long-term consequences will not affect them,”
Mr. Nugent said.
Still, even a trivial fine has some consequences, said James M.
Anderson, who studies the role of law in regulating business at RAND
Corporation.
“There may be some good that is accomplished even if the amount in
question is all but nominal, in expressing some notion that as a
society, we have collectively said this is a problem,” he said.
And the public relations fallout of any regulatory penalty can be
significant for companies like Google, which is extremely sensitive
about its reputation in the eyes of consumers, said Chris Hoofnagle, a
lecturer on privacy law at the University of California, Berkeley,
School of Law.
But Ezra Ross, a professor at the University of California, Irvine,
School of Law and a co-writer of the Collection Gap blog, said the
German fine had the opposite effect.
“They can say, ‘Look at the amount of the fine. Even the government
obviously didn’t think this was a very big deal,’ ” he said.
He suggested that regulators find creative ways to punish companies,
like preventing Google from using and profiting from the legitimate
Street View data it collected while it was inappropriately collecting
personal data.
Another solution, Mr. Pritikin said, is to punish individuals with fines
or jail time, though that is also complicated because companies have
insurance to cover such fines and it is often difficult to single out
one person responsible for a decision.
Enforcement is at a turning point, Mr. Hoofnagle said, and fines could
blossom, especially if a tech company’s privacy violation caused serious
harm.
“We’re still working out as a society what the harms
are for privacy violations, and we’re not likely to see hundreds of
millions of dollars in fines unless blood is spilled,” he said. “But you can see how that could happen.”