The UK’s Information Commissioner today confirmed that Google breached UK’s Data Protection Act when the Street View cars captured personal data while collecting wi-fi network information.
As a result of this, Google will be required to sign an undertaking to take steps to ensure that breaches of the Act don’t re-occur. Google will then be audited in nine month’s time to confirm that the required policies and training has taken place. Finally, once any legal obstacles have been cleared, Google will have to delete the personal data from the UK.
Currently, the Information Commissioner does not intend to fine Google, but will take further action if necessary
The Commissioner, Christopher Graham said, “It is my view that the collection of this information was not fair or lawful and constitutes a significant breach of the first principle of the Data Protection Act. The most appropriate and proportionate regulatory action in these circumstances is to get written legal assurance from Google that this will not happen again – and to follow this up with an ICO audit.”
What’s interesting about this is that the Information Commissioner’s Office (ICO) had previously decided not to take action against Google because the sample data shown to the ICO was considered to be fragmentary and therefore unlikely to constitute personal data.
However, Google’s Alan Eustace admitted on Google’s own blog that, “A number of external regulators have inspected the data as part of their investigations (seven of which have now been concluded). It’s clear from those inspections that whilst most of the data is fragmentary, in some instances entire emails and URLs were captured, as well as passwords.”
The Commissioner then infers that because this happened in other countries, it happened in the UK, even if most of the data was fragmentary. You can read the Commissioner’s letter to Google Inc here.
Personally, I’m pleased that Google is being held to account. Far too often it seems that big business gets away with abusing our personal information.