ICO takes further action on Google’s collection of Wi-Fi data

The ICO has taken further action against Google over the collection of Wi-Fi data by its Street View cars, but has stopped short of a monetary penalty

The Information Commissioner’s Office (ICO) has taken further action against Google over the collection of Wi-Fi data by its Street View cars, but has stopped short of a monetary penalty.

Instead, the ICO has issued an enforcement notice that requires Google to delete the remaining payload data identified last year within 35 days.

Google is also required to inform the ICO immediately if any further disks are found.

“Today’s enforcement notice strengthens the action already taken by our office,” said Stephen Eckersley, head of enforcement at the ICO.

Failure to abide by the notice will be considered as contempt of court, which is a criminal offence, he said.

The decision followed the publication of a report by the US Federal Communications Commission (FCC), which raised concerns around the actions of the engineer who developed the software previously used by the cars, and his managers.

The ICO’s investigation found that the collection of payload data by the company was the result of procedural failings and a serious lack of management oversight including checks on the code.

But the investigation also found there was insufficient evidence to show that Google intended, on a corporate level, to collect personal data.

The ICO has concluded that the rationale for its original decision in 2010 to issue Google with an undertaking and carry out a consensual audit remain the same.

But the ICO has also warned Google that it will be taking a keen interest in its operations and will not hesitate to take action if further serious compliance issues come to its attention.

When reaching the latest decision, the ICO also considered the discovery of additional disks containing payload data, which were located by Google while the reopened ICO investigation was in progress.

Google has provided assurances that the data has not been accessed and, like the other payload data collected, has not entered the public domain.

Based on a detailed investigation, including an analysis of the data Google has recorded, the ICO has concluded that the harm caused to individuals by this breach fails to meet the level required to issue a monetary penalty.

“The early days of Google Street View should be seen as an example of what can go wrong if technology companies fail to understand how their products are using personal information,” said Eckersley.

“The punishment for this breach would have been far worse, if this payload data had not been contained,” he said.

The ICO’s investigation into whether Google’s privacy policy complies with the Data Protection Act is on-going.

This investigation is part of coordinated action by data protection regulators across Europe, to assess whether Google’s latest privacy policy clearly explains how individuals’ personal information is being used across the company’s products and services.

Data protection authorities in France and Spain have already charged Google with breaches of their privacy laws and called for revision of Google’s privacy policies.

The ICO said it will write to Google shortly to confirm its preliminary findings.

Read more on Privacy and data protection