Thursday, November 04, 2010

Google Data Collection Violated Canadian, UK Law: Privacy Officials

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

Google Inc.’s collection of personal information from unsecured wireless networks while gathering WiFi data for use in the “Street View” feature of its online mapping service has violated the privacy laws of both Canada and the United Kingdom, according to officials of both nations.

An investigation by Canada’s Office of the Privacy Commissioner determined that the incident was the result of an engineer’s careless error, as well as a lack of controls to ensure that necessary procedures to protect privacy were followed.

“Our investigation shows that Google did capture personal information—and, in some cases, highly sensitive personal information such as complete e-mails,” said Canadian Privacy Commissioner Jennifer Stoddart. “This incident was a serious violation of Canadians’ privacy rights.”

Technical experts from the Office examined the data collected by Google in an on-site examination at Google’s Mountain View, California headquarters. The experts conducted an automated search for data that appeared to constitute personal information. To protect privacy, they manually examined only a small sample of data flagged by the automated search.

Google asserted that it was unaware of the presence of the payload data collection code when it began using software to collect information on WiFi “hot spots” for its location-based services. Although the code was reviewed before being installed on Street View cars, the review was only to ensure that the code did not interfere with the Street View operations.

“This incident was the result of a careless error—one that could easily have been avoided,” Stoddart said.

Privacy Commissioner’s Recommendations

The Privacy Commissioner recommended that Google adopt controls to ensure that necessary procedures to protect privacy are duly followed before products are launched. She also recommended that Google enhance privacy training of its employees.

Google was urged to delete the Canadian payload data it collected, to the extent that the company does not have any outstanding obligations under Canadian and American laws preventing it from doing so, such as preserving evidence related to legal proceedings.

The Privacy Commissioner will consider the matter resolved upon receiving, by February 1, 2011, confirmation from Google that it has implemented her recommendations.

Text of the October 19 Preliminary Letter of Findings in the Privacy Commissioner’s investigation of Google appears at CCH Privacy Law in Marketing ¶ 60,547.

“Serious Breach” of UK Law

Google’s collection of payload data—including entire e-mails and passwords—without the consent of the data subjects was a serious breach of the United Kingdom’s privacy law, the UK Information Commissioner’s Office (ICO) said in a November 3 letter to Google’s global privacy counsel.

“It is my view that regulatory action is appropriate in this case in order to ensure that effective privacy controls are built into Google products and services, and in order to ensure that an incident such as the collection of payload data by GSV cars is not repeated,” said Information Commissioner Christopher Graham.

“It is my view that as an alternative to the issuance of an Enforcement Notice under section 40 of the Data Protection Act 1998, that the data controller should sign an undertaking,” Graham stated.

The Commissioner said that the undertaking would require Google to institute a policy ensuring that Google employees and engineers are trained on legal requirements regarding data protection in the UK.

Within nine months, Google would be required to facilitate a consensual audit by the ICO of the above internal privacy and security practices. Google also would be required to delete the UK payload data it collected, to the extent that Google has no other outstanding legal obligation to retain such data.

Further information is available here on the ICO’s website.

On October 27, the Federal Trade Commission closed its investigation of Google’s data collection practices without assessing a fine or penalty (see November 3 posting on Trade Regulation Talk).
