In December, the Richmond company was fined 900,000 euros by the Spanish privacy watchdog who said that its consolidation of over seventy privacy policies into one broke the nation's laws.
The fine levied by CNIL was much smaller at just 150,000 euros, the largest penalty that the independent commission is allowed to apply. Reding commented:
In Spain, Google was fined the maximum amount of EUR 900,000, while in France – whose data protection authority is one of the most respected and feared in Europe – the fine levied was EUR 150,000, also the highest possible sum. Taking Google's 2012 performance figures, the fine in France represents 0.0003% of its global turnover. Pocket money.
Reding questioned whether such a small fine actually served as a deterrent:
Two years ago Reding put forward new data protection plans that have yet to be adopted by the Commission.
In the original draft of the legislation an offender could have been hit with a fine equal to two percent of its annual turnover a proposal that would, in the Google case, have led to a financial penalty of around 731 million euros ($1 billion).
More recently, the European Parliament considered going even further after voting in favour of fines of up to 5% of a company's global revenue.
But the proposals are unlikely to be realised any time soon. Reding's own reforms have been amended over 4,000 times so far and Germany has raised concerns that a single European data protection authority may compromise its own existing data protection legislation. Reding commented:
Member States, however, have been stalling. Even after the shocking revelations of mass spying and surveillance which continue to dominate the headlines, they have so far mainly reacted with words. EU Heads of State and Government have committed to a "timely" adoption of the new framework. But in real terms there has been little action.