Google Inc. violated Britain’s data- protection law when its Street View mapping unit inadvertently gathered personal e-mails and passwords from unsecured wireless networks, the U.K.’s privacy regulator said today.
Google disclosed the security breach in May and said in an Oct. 22 blog post that while the data it collected was mostly fragmentary it included entire e-mails and URLs. The error was a “significant breach” of the U.K.’s Data Protection Act, the Information Commissioner’s Office said today in a statement.
“The collection of this information was not fair or lawful,” Information Commissioner Christopher Graham said in the statement. The watchdog needs “written legal assurance from Google that this will not happen again.”
European countries including Germany, France, Spain and Italy began probes after Mountain View, California-based Google said that its Street View cars had collected the so-called payload data while photographing roadsides. The U.S. Federal Trade Commission last month ended its probe when Google said it would improve privacy safeguards.
“We are profoundly sorry for mistakenly collecting payload data in the U.K. from unencrypted wireless networks,” Google’s privacy lawyer, Peter Fleischer, said today in a statement. “We have cooperated closely with the ICO and worked to improve our internal controls.”
Google, owner of the world’s most popular Internet search engine, agreed to delete the data as soon as it confirms there are no outstanding legal obligations to hold onto it, Fleischer said. Google also agreed to update certain policies, including creating a security awareness program for employees, according to the ICO statement.
Google’s U.K. unit will be audited and required to sign a so-called undertaking to ensure data protection breaches don’t happen again, the ICO said. The company faces enforcement action if fails to do so.
The Cheshire, England-based regulator can fine companies as much as 500,000 pounds ($805,300) for serious violations of privacy law.
Phil James, a media and technology lawyer with Lewis Silkin LLP in London, who isn’t involved in the matter, said the U.K. should consider issuing fines that are proportionate to a company’s revenue.
“The rewards for multinationals creating new technologies are rightly vast, but it is only fair that the penalties for inadvertently or directly breaching data liabilities are sufficiently restraining,” James said.
To contact the editor responsible for this story: Anthony Aarons at firstname.lastname@example.org