Google escapes fine over Street View breach

Google's Street View service has escaped a financial penalty despite being found to breach the Data Protection Act 1998 (DPA).

Google Street View allows users to explore and navigate neighbourhoods through panoramic street level photographs.

In touring the UK's roads to create a virtual visual map, the Information Commissioner has reported that antennae on Google's Street View vehicles tapped into unsecured Wi-Fi networks and collected personal data from internet users, including passwords, emails, URLs and health records.

The Information Commioneer Christopher Graham said that Google committed a significant breach of first principle of the DPA which requires that personal data is "processed fairly and lawfully", but declined to use new powers which came into force on 6 April 2010 which allows it to fine up to £500,000 for serious breaches of the DPA. The Information Commissioner said that "The most appropriate and proportionate regulatory action in these circumstances is to get written legal assurance from Google that this will not happen again – and to follow this up with an ICO audit.”

The full press release announcing the outcome of Google Street View investigation can be found here.

The Information Commissioner has reported that Google has signed an undertaking to improve data handling to ensure that breaches like the collection of Wi-Fi payload data by Google Street View cars do not occur again. The undertaking commits Google to put in place improved training measures on security awareness and data protection issues for all employees. See here for the full undertaking.

Google also faces an audit by the ICO of its internal privacy structure, privacy training programmes and a system of privacy reviews of new products within nine months of the undertaking being signed.

In taking steps to avoid the same mistakes happening again, Google announced in its official policy blog a number of changes aimed at improving privacy controls.  These include: the appointment of a director of privacy across both engineering and product management; enhancing core training for engineers and other important groups with a particular focus on the responsible collection, use and handling of data; and improving internal compliance procedure to require a privacy design document for each project an engineering project leader works on.

Senior Vice President of Engineering and Research, Alan Eustice added "we’ll be constantly on the lookout for additional improvements to our procedures as Google grows".

See here for the full statement posted to Google's official policy blog on its changes to create stronger privacy controls.

The decision not to fine Google has been criticised by privacy campaigners.  Alex Deane of Big Brother Watch said that the ICO's failure to take action was "disgraceful". He went on to say that "Ruling that Google has broken the law, but then taking no action against it, shows the commissioner to be a paper tiger. The commissioner is an apologist for the worst offender in his sphere of responsibility, not a policeman of it. If Google can harvest the personal information of thousands of people and get off scot-free, then the ICO plainly has a contempt for privacy."

Google was recently ordered to pay damages in the US, following a lawsuit filed by Aaron and Christine Boring after representatives of Google Street View photographed their property. However, the damages awarded against Google did not relate to an invasion of privacy claim, which had been dismissed by the Court, but a trespass claim.  Google settled the trespass claim but this was a Pyrrhic victory for the Borings, as the sum Google paid was $1.

See further section 4.3.4 of the Privacy Law Handbook.

(Originally blogged by Tamar Shafran)