Google escapes fine from ICO over Street View data collection and retention failings

Out-Law News | 21 Jun 2013 | 2:42 pm | 2 min. read

Google has avoided a fine from the Information Commissioner's Office (ICO) over its failure to delete all the personal data it collected from open Wi-Fi networks in the UK.

The watchdog said that Google had breached the Data Protection Act, but that it had decided to issue an enforcement notice (7-page / 139KB PDF) to the company rather than impose a monetary penalty.

In May 2010 it emerged that the cars Google used to photograph towns and cities for its Street View service had also been scanning the airwaves to identify and map Wi-Fi networks. This process resulted in the gathering and storage of data snippets as they passed through the networks.

The ICO initially found that it was "unlikely" that Google had collected much personal data, but undertook a second investigation in 2010 after Canada's Privacy Commissioner determined that entire emails, highly sensitive personal information and even passwords were collected by Google Street View cars. Following its second assessment the ICO determined that Google had been a "significant breach of the Data Protection Act" and required the company to commit to a number of undertakings, including to delete the information it unlawfully collected in the UK and to open itself up to a data protection audit.

However, last year the ICO launched a third investigation into the case after a US regulator concluded that a single engineer working for the company had intentionally written software code to allow Street View cars to collect payload data "for possible use in other Google projects" and that managers at the company were told about it.

Google then wrote to the ICO to admit that not all of the UK payload data had been deleted. It said a "small portion" of the information was still erroneously "in its possession".

The ICO has now deemed that Google's retention of the payload data breached the part of the DPA that requires data controllers to ensure that personal data is "not ... kept for longer than is necessary" for the purpose or purposes for which it is to be processed.

The watchdog has required Google to "securely destroy" the UK-collected personal data the company discovered stored on "vehicle discs" with 35 days, unless it is legally obliged to retain the information, and "promptly inform" it of any subsequent discoveries of more personal data Google collected from its Street View operation in the UK.

"Failure to abide by the notice will be considered as contempt of court, which is a criminal offence," Stephen Eckersley, the ICO's head of enforcement, said in a statement.

The ICO said that "procedural failings and a serious lack of management oversight" had resulted in the unauthorised collection of personal data through the Street View operation. However, it said there was "insufficient evidence" to show Google had, "on a corporate level", intended to collect such data. It warned Google that it "will not hesitate to take action if further serious compliance issues come to its attention".

"The early days of Google Street View should be seen as an example of what can go wrong if technology companies fail to understand how their products are using personal information," Eckersley said. "The punishment for this breach would have been far worse, if this payload data had not been contained."

Earlier this year Hamburg Commissioner for Data Protection and Freedom of Information, Johannes Caspar imposed a €145,000 fine on Google as a result of the unauthorised collection of personal data via the company's Street View project.

Caspar imposed the fine despite deeming that Google had never intended to store personal data in its Street View operation, but he said that because the company had done so widely and over a long period of time, he determined that Google's "internal control mechanisms failed seriously".