Google StreetView Sweeps Broke U.K. Data Law, Regulator Says

Google Inc. violated Britain’s data- protection law when its Street View mapping unit inadvertently gathered personal e-mails and passwords from unsecured wireless networks, the U.K.’s privacy regulator said today.

Google disclosed the security breach in May and said in an Oct. 22 blog post that while the data it collected was mostly fragmentary it included entire e-mails and URLs. The error was a “significant breach” of the U.K.’s Data Protection Act, the Information Commissioner’s Office said today in a statement.

“The collection of this information was not fair or lawful,” Information Commissioner Christopher Graham said in the statement. The watchdog needs “written legal assurance from Google that this will not happen again.”

European countries including Germany, France, Spain and Italy began probes after Mountain View, California-based Google said that its Street View cars had collected the so-called payload data while photographing roadsides. The U.S. Federal Trade Commission last month ended its probe when Google said it would improve privacy safeguards.

“We are profoundly sorry for mistakenly collecting payload data in the U.K. from unencrypted wireless networks,” Google’s privacy lawyer, Peter Fleischer, said today in a statement. “We have cooperated closely with the ICO and worked to improve our internal controls.”

Delete Data

Google, owner of the world’s most popular Internet search engine, agreed to delete the data as soon as it confirms there are no outstanding legal obligations to hold onto it, Fleischer said. Google also agreed to update certain policies, including creating a security awareness program for employees, according to the ICO statement.

Google’s U.K. unit will be audited and required to sign a so-called undertaking to ensure data protection breaches don’t happen again, the ICO said. The company faces enforcement action if fails to do so.

The Cheshire, England-based regulator can fine companies as much as 500,000 pounds ($805,300) for serious violations of privacy law.

Phil James, a media and technology lawyer with Lewis Silkin LLP in London, who isn’t involved in the matter, said the U.K. should consider issuing fines that are proportionate to a company’s revenue.

“The rewards for multinationals creating new technologies are rightly vast, but it is only fair that the penalties for inadvertently or directly breaching data liabilities are sufficiently restraining,” James said.

To contact the reporter on this story: Erik Larson in New York at elarson4@bloomberg.net

To contact the editor responsible for this story: Anthony Aarons at aaarons@bloomberg.net

Press spacebar to pause and continue. Press esc to stop.

Bloomberg reserves the right to remove comments but is under no obligation to do so, or to explain individual moderation decisions.

Please enable JavaScript to view the comments powered by Disqus.