Google is coming under increased pressure by the Canadian and Spanish data protection agencies over its apparent contravention of domestic privacy laws by collecting emails and passwords as part of its Street View service.
Until this week, there had been speculation that the UK Information Commissioner’s Office (ICO) might make Google its first scalp by fining it up to £500,000 through its new powers under the Data Protection Act.
Back in May this year, Google admitted inadvertently collecting “payload” Wi-Fi Network data such as SSID (Service Set Identifier) and MAC (Media Access Control) addresses while patrolling the world’s streets (and even arctic tracks) with giant 11-lens cameras. In response to cries of concern by data protection authorities across the world, Google commissioned a report into the software which facilitated the collection of payload data and to what extent this information was stored by Google. This report concluded that while the software did enable the storage of payload date from unencrypted networks, due to the movement of the vehicles and the constant channel hopping by the device, it was likely to be highly fragmented.
In fact, the ICO has poured cold water on suggestions of any fines by issuing not one, but two statements this week. The first statement confirmed it would consider the most appropriate course of action but wouldn’t be pressurised into a knee-jerk reaction. As the ICO points out, so far no country has taken direct enforcement action against Google. The second statement two days later revealed the ICO's decision - fast work! - that Google had breached the Data Protection Act and would have to delete the data. Further, it would have to sign an undertaking that the breaches would not recur and would be subject to an audit of its privacy policies. But there will be no fines.
Of course, not being fined is a huge relief for Google but the damage to its reputation is arguably already punishment enough and even before the ICO intervened it had apologised on its official blog saying it would delete the data as soon as possible would improve its internal privacy policies and procedures.