The UK Information Commissioner’s Office announced on 3 November 2010 its finding that Google UK had breached the Data Protection Act when the Google Street View (“GSV”) cars collected payload data as part of their wi-fi mapping exercise in the UK.
Christopher Graham, the Information Commissioner, announced that as a result, Google UK will be subject to an audit and must sign an undertaking to ensure data protection breaches do not occur again – otherwise they will face enforcement action.
Originally, it was believed that the data collected by the GSV cars was fragmentary and was unlikely to constitute personal data.
However, on 22 October 2010 a Senior Vice President at Google posted information about the collection of payload data on the Official Google Blog. Referring back to a previous blog post he had made, he said:
“Finally, I would like to take this opportunity to update one point in my May blog post. When I wrote it no one inside Google had analyzed in detail the data we had collected, so we did not know for sure what the disks contained. Since then a number of external regulators have inspected the data as part of their investigations … It’s clear from those inspections that whilst most of the data is fragmentary, in some instances entire emails and URLs were captured, as well as passwords.”
This gave the Information Commissioner clear grounds to assert that the collection of payload data in the UK constituted a “serious breach of the first data protection principle”, which is as follows:
“Personal data shall be processed fairly and lawfully and in particular shall not be processed unless:
- At least one of the conditions in Schedule 2 is met; and
- In the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
Schedule 2 Conditions for processing.
At least one of the following conditions must be met in the case of all processing of personal data (except where a relevant exemption applies):
- The data subject has given his consent to the processing.
- The processing is necessary:
(a) for the performance of a contract to which the data subject is a party,
(b) for the taking of steps at the request of the data subject with a view to entering into a contract
- The processing is necessary to comply with any legal obligations to which the data controller is subject, other than an obligation imposed by contract.
- The processing is necessary in order to protect the vital interests of the data subject.
The Information Commissioner has now instructed Google UK to sign an undertaking in which Google commits to take specific action to ensure that breaches of this kind cannot happen again. An audit of Google UK’s Data Protection practices will also be undertaken, and Google will be required to delete the UK payload data when it no longer has any outstanding legal obligation to retain any of the data.
Peter Fleischer, Google’s global privacy counsel, said it would delete the data as soon as possible. “We are in the process of confirming that there are no outstanding legal obligations upon us to retain the data, and will then ensure that it is quickly and safely deleted.
“We are profoundly sorry for mistakenly collecting payload data in the UK from unencrypted wireless networks,” he added. “Since we announced our mistake in May we have cooperated closely with the ICO and worked to improve our internal controls. As we have said before, we did not want this data, have never used any of it in our products or services, and have sought to delete it as quickly as possible.”
Some will no doubt see this as Google getting off lightly, since no financial penalty will be imposed – the Information Commissioner considers that there is no entitlement to impose a financial penalty in this case, having regard to when the breach of the Data Protection Act took place (if the same thing happened again, a fine would be possible).