The UK Information Commissioner’s Office (“ICO”) has announced the outcome of its investigation into the collection of payload data by Google Street View cars in the UK. The ICO has concluded that there was a “significant breach” of the UK Data Protection Act in that “the collection of this information was not fair or lawful and constitutes a significant breach of the first principle [of the Act].”
While the ICO has the power to impose monetary penalties for serious breaches of the Act, capped at £500,000 per breach, in this case the ICO has determined that the appropriate course is to secure an undertaking from Google, requiring it to implement additional data protection safeguards.
The undertaking requires Google to (i) update orientation programs that are designed to train employees on Google’s privacy principles and the Act; (ii) train employees on Google’s code of conduct (which includes guidance on privacy); (iii) enhance training for employees with a particular focus on the collection, use and handling of data; and (iv) require project leaders to maintain a privacy design document for each project, recording how user data is handled and which must be reviewed by managers.
The ICO has allowed Google nine months to implement the various requirements of the undertaking and it will then be subject to an audit by the ICO. Further, the payload data is to be deleted.
The ICO initially ruled that there had been no breach, but reopened the investigation after a Senior Vice President of Engineering and Research at Google posted further information about the incident on the Official Google Blog. In particular, the blog post stated that “a number of external regulators have [now] inspected the data as part of their investigations…It’s clear from those inspections that [while] most of the data is fragmentary, in some instances entire emails and URLs were captured, as well as passwords.”
There has been keen interest in the outcome of the ICO’s further investigation. On October 29, 2010, UK Members of Parliament challenged Google’s explanations of the incident, with one Member accusing Google of deliberately collecting the data for commercial use. Google denied this. In response to the debate, the ICO issued a statement on November 1 emphasizing that as a regulator, the ICO’s responsibility is to “remain evidence-based,” rather than becoming “caught up in the emotive arguments” and that “it is of paramount importance that we get our decision right in order to ensure the public can be confident that their long-term privacy interests are being maintained.” In that statement, the ICO also noted that “none of the regulators currently investigating Google Street View have taken direct enforcement action at this stage, with the U.S. investigation led by the U.S. Federal Trade Commission for example ruling out direct action.”
Although the ICO has followed in the footsteps of the U.S. Federal Trade Commission and declined at this stage to take formal enforcement steps, the use of a legally binding undertaking to require changes to Google’s internal procedures in conjunction with an audit in nine months time, is arguably more effective than imposing a monetary penalty.