Blog Post

Hamburg threatens Google with €1M fine if it doesn’t give users more control over profiling data

The data protection authorities of the German city of Hamburg are the latest to order Google to clean up its act on privacy.

Hamburg privacy regulator Johannes Caspar said Tuesday that, last week, he ordered [company]Google[/company] to “take the necessary technical and organisational measures to guarantee that their users can decide on their own if and to what extend their data is used for profiling.” Google said in a statement that it is “now studying their order to determine next steps.”

Google’s unified privacy policy lets the firm share users’ personal information across services from Gmail to YouTube, in order to profile users in more detail so Google can make more money off ads. EU data protection law states that users must consciously opt into such sharing in an informed way, based on clear information about what data goes where. Obviously Google doesn’t give users this level of control or plainly-expressed information, because that could introduce friction and turn some users off — and it would make Google’s profiling less detailed and therefore less lucrative.

Here’s what a clearly frustrated Caspar said in his statement:

In various meetings with Google we could achieve some improvements concerning the information of users. Nevertheless on the substantial issue of combining user data across services Google has not been willing to abide to the legally binding rules and refused to substantially improve the user’s controls. So we had to compel Google to do so by an administrative order. Our requirements aim at a fair balance between the concerns of the company and its users. The issue is up to Google now. The company must treat the data of its millions of users in a way that respects their privacy adequately while they use the various services of the company.

If the company ignores the demand – as it effectively has with every other such order elsewhere in Europe – it may be liable for a €1 million ($1.26 million) fine, which is pocket change for the firm. Caspar’s department has already fined Google over the Street View Wi-Fi-sniffing scandal, while grumbling at the low limit on the fine they could levy.

This is pretty much the same deal as in Italy and Spain and France. National privacy regulators are working together to coordinate their efforts to enforce this law but, while Google does “engage fully” with them, it invariably ends up changing little to nothing. Google’s deep pockets mean it can break the law and laugh it off each and every time, and this will not change until new laws allow for much higher fines.