[JURIST] The UK Information Commissioner’s Office (ICO) [official website] announced Wednesday that Google UK [corporate website; JURIST news archive] has committed a “significant breach” [press release, ashx] of the Data Protection Act [text] through its data collection practices for its Street View maps [website]. During the investigation, authorities found that when Google Street View cars gathered data over WiFi networks they also collected pieces of personal information including e-mails, complete URLs and passwords. Information Commissioner Christopher Graham is requiring Google to delete the data as soon as it is legally possible, saying:
It is my view that the collection of this information was not fair or lawful and constitutes a significant breach of the first principle of the Data Protection Act. The most appropriate and proportionate regulatory action in these circumstances is to get written legal assurance from Google that this will not happen again – and to follow this up with an ICO audit.
The ICO has required Google to implement [letter, ashx] company policies and employee training on privacy principles, security awareness and the requirements of the Data Protection Law. The ICO will undertake an audit on Google’s collection practices nine months from the implementation of the new privacy policies to ensure that no future data protection breaches occur. The ICO has not imposed any monetary penalties on Google, but will commence enforcement action if Google fails to comply with data protection regulations in the future. The UK Metropolitan Police [official website] have indicated that they are not pursuing a further investigation after launching a probe [JURIST report] in June to determine whether Google violated privacy laws while mapping for Street View. The probe was initiated in response to a complaint filed [JURIST report] by Privacy International (PI) [advocacy website], which claimed that the information gathered in an independent audit [text, PDF] published by Google earlier that month proves that company’s interception of unencrypted data was not inadvertent [JURIST report].
Several additional investigations have recently been launched into Google’s unencrypted data collections to determine whether the Internet giant’s practices have violated privacy laws. Last week, the US Federal Trade Commission (FTC) [official website] announced that it had ended an inquiry [JURIST report] into Google’s internal policies and procedures that led to the company inadvertently collecting data on unsecured wireless networks. In October, Canadian Privacy Commissioner Jennifer Stoddart announced that Google was in violation [JURIST report] of the country’s Personal Information Protection and Electronic Documents Act [text, PDF] (PIPEDA). In August, the South Korean National Police Agency (SKNPA) [official website, in Korean] raided the Google South Korean headquarters in Seoul in connection with accusations that the company has been illegally acquiring user data [JURIST report]. In July, Australian authorities completed an investigation [JURIST report] into the search giant’s collection and storage of private data [JURIST news archive] over unsecured wireless networks, determining that the company violated the Australia Privacy Act [government backgrounder]. In June, Connecticut Attorney General Richard Blumenthal [official profile] announced that he will lead a multi-state investigation [JURIST report] against Google and requested additional detailed information from the company on its data harvesting procedures.