Wednesday, 3 November 2010
The ICO’s “regulatory action” against Google
The Information Commissioner has today written to Google to outline the regulatory action it intends to take because Google’s Streetview vehicles scooped up more than they bargained for when harvesting geographical information about the location of various Wi-Fi networks.
Let’s first look at the evidence the Commissioner has – as of course we are all in favour of evidence-based regulation.
The ICO’s initial assessment, in May of this year, following a visit by some of its officials to Google’s offices, was that, from the sample of payload data available for inspection, “the data was fragmentary and was unlikely to constitute personal data.” It has since read new evidence, provided by Alan Eustace, Senior VP, Engineering and Research. On 22nd October 2010 Alan posted new information about the collection of payload data on the Official Google Blog, following a detailed examination of the payload data on the discs: “Since then a number of external regulators have inspected the data as part of their investigations (seven of which have now been concluded). It’s clear from those inspections that whilst most of the data is fragmentary, in some instances entire emails and URLs were captured, as well as passwords.”
Perhaps the fragmentary data was obtained while the vehicles were on the move, and the larger packets were gobbled up when heavier traffic slowed their pace.
But this admission has been enough for the Commissioner to assume that, since the British Streetview vehicles were being driven in the same way and using the same software as those whose discs were inspected by the foreign regulators, “in some instances it is possible that entire emails and URLs were captured, as well as passwords. It is my view that the collection of this information is a serious breach of the first data protection principle.”
So, no proof of a breach of the UK Data Protection Act exists, because the UK evidence has not been comprehensively examined. But Google has been invited to sign an undertaking that it will do a lot of things it has already announced it would do. Perhaps Google made those announcements because it suspected what the Commissioner’s Office was likely to ask of it anyway.
It seems like a good outcome for all concerned to me.
This is what Google has been asked to do:
• To continue and update orientation programs designed to provide Google employees with training on Google’s privacy principles and the requirements of UK data protection law;
• To institute a policy that requires Google employees to be trained on Google’s code of conduct, which includes sections on privacy and the protection of user data and the legal requirements applying to the protection of personal data in the UK;
• To enhance the core training for engineers and other important groups with a particular focus on the responsible collection, use and handling of data;
• To institute a security awareness program for Google employees, which will include clear guidance on both security and privacy;
• To institute a policy that requires engineering project leaders to maintain a privacy design document for each initiative they are working on, and a policy that such document should (a) record how user data is handled and (b) be reviewed regularly by managers; and
• To delete the UK payload data it collected, to the extent that Google has no other outstanding legal obligation to retain such data.
The only new undertaking, I think, is this one:
• Within nine months from the date of the undertakings to facilitate a consensual audit by the ICO of the above internal privacy and security practices.
I wonder how furious the provisional wing of the privacy mob are going to be if they conclude that Google’s been let off too lightly? But, as I’ve previously opined, it’s really hard to conclude that Google deliberately set out to do bad stuff, so they don’t deserve to be pilloried anyway.
Today’s letter to Google from the Information Commissioner can be found at: