Google escapes fine in Street View data theft

Google has been ordered to get rid of data the company “mistakenly collected” as its Street View cars mapped the United Kingdom – but the Information Commissioner’s Office has let the company off without a fine.

The ICO has promised that it will be paying close attention to Google’s operations and will “not hesitate to take action” if there are more privacy breaches in the future.

In a statement, the ICO claimed that its decision regarding Google’s 2010 data snooping – which saw Street View cars picking up private information relating to personal wi-fi – was correct. The collection of payload data, the ICO found, was as a result of “procedural failings” and a “serious lack of management oversight including checks on the code”.

However, the ICO said there wasn’t enough evidence to prove that, on this occasion, Google intended to collect personal data.

Critics would say data collection is central to the company’s business model.

During initial investigations, further personal information was found – which Google promised to securely destroy. It later emerged that Google had held onto the data.

The ICO’s enforcement notice reads:

(1) Within 35 days of the date of this notice the data controller shall securely destroy any personal data within the meaning of the Data Protection Act 1998 held on vehicle discs and collected in the UK using Street View vehicles (to the extent that the data controller has no other legal obligations to retain such data) and,

(2) If the data controller subsequently discovers a Street View vehicle disk holding personal data and collected in the UK it shall promptly inform the Information Commissioner.”

“The ICO has concluded that the detriment caused to individuals by this breach fails to meet the level required to issue a monetary penalty,” the statement said.

ICO head of enforcement Stephen Eckersley said: “The early days of Google Street View should be seen as an example of what can go wrong if technology companies fail to understand how their products are using personal information. The punishment for this breach would have been far worse, if this payload data had not been contained”.

At the time, Google pinned the non-consensual gathering of personal data on rogue code and distanced itself from culpability.

Essentially, Google has gotten off lightly. Considering previously imposed financial penalties, if the ICO did issue a fine, it would not have been much more than a slap on the wrist, given Google’s relative size.

But the ICO did acknowledge it is still investigating whether Google’s privacy policy itself complies with the Data Protection Act.

This investigation is running concurrently with others across Europe, and is designed to assess whether Google is clear enough about how it uses personal information.

The Office pledged to approach Google “shortly” to confirm preliminary findings.