As a result of this, Google will be required to sign an undertaking to take steps to ensure that breaches of the Act don’t re-occur. Google will then be audited in nine months’ time to confirm that the required policies and training have been put in place. Finally, once any legal obstacles have been cleared, Google will have to delete the personal data from the UK.
Currently, the Information Commissioner does not intend to fine Google, but will take further action if necessary.
What’s interesting about this is that the Information Commissioner’s Office (ICO) had previously decided not to take action against Google because the sample data shown to the ICO was considered to be fragmentary and therefore unlikely to constitute personal data.
However, Google’s Alan Eustace admitted on Google’s own blog that, “A number of external regulators have inspected the data as part of their investigations (seven of which have now been concluded). It’s clear from those inspections that whilst most of the data is fragmentary, in some instances entire emails and URLs were captured, as well as passwords.”
The Commissioner then infers that because this happened in other countries, it happened in the UK, even if most of the data was fragmentary. You can read the Commissioner’s letter to Google Inc here.
Personally, I’m pleased that Google is being held to account. Far too often it seems that big business gets away with abusing our personal information.