Google admits not all unlawfully-collected Street View data has been deleted

Out-Law News | 27 Jul 2012 | 4:50 pm | 2 min. read

Google did not delete all the information that it unlawfully obtained from open WiFi networks, the company has told the Information Commissioner's Office (ICO).

In a letter (1-page / 217KB PDF) to the ICO the company admitted that a "small portion" of the information that had been collected from its 'Street View' cars when they had toured the UK was still "in its possession".

In response, the ICO said (1-page / 96KB PDF) it would "examine the contents" of the information discovered by Google. The watchdog said that Google may have breached the terms of the undertakings it previously agreed following an investigation into the issue in 2010.

"Earlier today Google contacted the ICO to confirm that it still had in its possession some of the payload data collected by its Street View vehicles prior to May 2010," the watchdog said in a statement. "This data was supposed to have been deleted in December 2010. The fact that some of this information still exists appears to breach the undertaking to the ICO signed by Google in November 2010."

"In their letter to the ICO today, Google indicated that they wanted to delete the remaining data and asked for the ICO's instructions on how to proceed. Our response, which has already been issued, makes clear that Google must supply the data to the ICO immediately, so that we can subject it to forensic analysis before deciding on the necessary course of action," it said.

"We are also in touch with other data protection authorities in the EU and elsewhere through the Article 29 Working Party and the GPEN network to coordinate the response to this development. The ICO is clear that this information should never have been collected in the first place and the company's failure to secure its deletion as promised is cause for concern," the ICO added.

In May 2010 it emerged that the cars Google used to photograph towns and cities for its Street View service had also been scanning the airwaves to identify and map Wi-Fi networks. This process resulted in the gathering and storage of data snippets as they passed through the networks.

In 2010 the ICO twice investigated whether Google had acted in breach of UK data protection laws. In its initial assessment, based on an inspection of the UK payload data Google provided it, the ICO found that it was "unlikely" that Google had collected much personal data.

Following the ICO's initial assessment of Google's Street View data collection issue in July 2010 the watchdog was minded to reopen its scrutiny of the company's practices in November that year. That decision was prompted by findings by Canada's Privacy Commissioner that determined that entire emails, highly sensitive personal information and even passwords were collected by Google Street View cars.

In its second assessment the ICO determined that Google's Wi-Fi data gathering activities had been a "significant breach of the Data Protection Act" but decided not to fine the company. Instead it sought a number of undertakings committing Google to improving its privacy policies and consenting to the ICO conducting an audit of its practices.

Following the audit last summer the ICO said that Google had offered it "reasonable assurance" that it had made changes to how the company addresses privacy issues.

The ICO reopened its investigation into the Street View case earlier this year after details emerged about the issue in a report by a US regulator. The ICO said that the findings of the US Federal Communications Commission (FCC) meant that it was "likely" that Google had "deliberately captured" the UK 'payload' data, contrary to claims the company had previously made.

In its letter to the ICO, Google's privacy counsel Peter Fleischer apologised for the "error" and explained how the company had made the discovery.

"In recent months, Google has been reviewing its handling of Street View disks and undertaking a comprehensive manual review of our Street View disk inventory," he said. "That review involves the physical inspection and re-scanning of thousands of disks. In conducting that review, we have determined that we continue to have payload data from the UK and other countries. We are in the process of notifying the relevant authorities in those countries."