Google, Street View and the heavy hand of the ICO
Street View again.
On 29 July 2010, the UK Information Commissioner’s Office stated:
The information we saw does not include meaningful personal details that could be linked to an identifiable person… The Information Commissioner is taking a responsible and proportionate approach to this case…
Basically, the ICO asked Google if it had been naughty, accepted Google’s word that it had only been a little bit inadvertently naughty, and decided to do nothing.
But other data protection jurisdictions are not so compliant. And in particular, the Canadian Privacy Commissioner, Jennifer Stoddart, seems to take her title seriously. She looked a little closer; and on October 22, Google’s senior VP Alan Eustace blogged:
I would like to take this opportunity to update one point in my May blog post. When I wrote it, no one inside Google had analyzed in detail the data we had mistakenly collected, so we did not know for sure what the disks contained. Since then a number of external regulators have inspected the data as part of their investigations (seven of which have now been concluded). It’s clear from those inspections that while most of the data is fragmentary, in some instances entire emails and URLs were captured, as well as passwords.
Let me repeat that. Entire emails, URLs and passwords. Obviously this leaves the UK ICO with serious egg on its face. It is supposed to protect our personal data. It didn’t. It didn’t even look very hard to find out whether our data had been compromised at all. And it only found out that probably it had been compromised because of someone else doing her job more professionally. Nevertheless, the ICO now leapt into action, declaring on 1 November:
…we understand that Google has accepted that in some instances entire URLs and emails and passwords have been captured. We have already made enquiries to see whether this admission relates to the data inadvertently captured in the UK, and we are now deciding on the necessary course of action, including a consideration of the need to use our enforcement powers.
But warning that
…we will not be panicked into a knee jerk response to an alarmist agenda.
Ooh, that doesn’t sound right to me. A concerned public, demanding that their privacy guardian should guard their privacy, being dismissed as some sort of hysterical mob? Never mind. The ICO has said it will be considering enforcement against Google. And, wait for it, yes er no er well Google is being forced to say it won’t do it again.
Three days later, 3 November, the ICO delivers this:
…has instructed Google UK to sign an undertaking in which the company commits to take action to ensure that breaches of this kind cannot happen again… The Commissioner has rejected calls for a monetary penalty to be imposed…
Doncha feel safe with these people looking after our privacy?