Although the ICO acknowledged that progress had been made in its engagement with Google, it also stated that it believed that further action was required. In January 2015, Google provided the ICO with an Undertaking in relation to certain matters, and in return the ICO agreed not to exercise its powers to serve Google with an enforcement notice under the UK’s Data Protection Act 1998.
Google has agreed, from the date of the Undertaking and for a period of two years thereafter, to implement a number of changes, including the following:
- Provide clear, unambiguous and comprehensive information regarding its data processing, including an exhaustive list of the types of data processed by Google and the purposes for which it is used;
- Ensure that there is continued evaluation of the privacy impact of future changes to processing which might not be within the reasonable expectations of service users so that users are provided with prompt and adequate notice of such processing; and
Lessons to be learned