ICO Says No Fine For Google Street View Data Slurping

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Despite saying it was likely people were caused distress by Google’s actions, the ICO chooses not to fine

Even though a host of regulators slapped Google with fines for slurping up people’s data from Wi-Fi connections during its cars’ Street View rounds, the UK’s privacy watchdog has, for a second time, chosen not to hit the tech titan with a penalty.

In its enforcement notice today, the Information Commissioner’s Office gave Google 35 days to delete the remaining data, or face criminal charges for contempt of court.

It was supposed to have deleted all the data it hoovered up in the UK in 2010 after it emerged the company had swallowed up information from people’s unprotected Wi-Fi networks, breaking numerous laws across the globe. But last year, during the ICO’s second investigation into the illegal activity, Google admitted it had found more disks containing data related to UK citizens.

google-streetview-car-largeNo fine for Google in the UK

The decision not to fine came despite deputy commissioner David Smith saying the likelihood of distress caused by Google was “self-evident”. “Individuals whose personal data has been collected by the data controller [Google] are likely to suffer worry and anxiety on account of the fact that other discs holding payload data may not have been destroyed.”

One of the core criteria needed to hand out a fine is that a breach would cause distress. Substantial damage is also one of the core criteria, but an ICO spokesperson told TechWeekEurope Google did not fulfil both, so had not received a fine.

Stephen Eckersley, ICO head of enforcement, said the punishment would have been “far worse” if the payload data had not been “contained”.

The ICO said the disks containing UK data had been contained in quarantined cages, at least according to Google. “They gave us assurances,” a spokesperson told TechWeek. He could not confirm whether an ICO employee had seen proof of the “cages” or their quality.

The ICO said its investigation found there was insufficient evidence to show Google intended, “on a corporate level”, to collect personal data. It said the breach of the law was a result of  “procedural failings and a serious lack of management oversight”.

Google Street View slurping saga

After its initial investigation, the ICO said it did not fine Google as the data was taken before it was handed fining powers by the government. The watchdog later decided it would be able to fine the company once it emerged, from other nations’ investigations, that a Google employee had written the code for taking the Wi-Fi data and informed other employees about it.

It also emerged that plenty of sensitive personal data was taken, including medical listings, visits to pornographic sites and data contained in video and audio files.

Google now has 35 days to delete the data or it will be in contempt of court, a criminal offence.

The tech giant has already been slapped with heavy penalties elsewhere. It was claimed the company settled with the US government for $7 million, having already been fined $25,000 by the US Federal Communications Commission.

France hit Google with a €100,000 penalty, whilst the Germans issued a €145,000 fine.

Google took a contrite tone in its response to today’s action, saying its Street View leaders did not use the information taken from Wi-Fi networks.

“We work hard to get privacy right at Google. But in this case we didn’t, which is why we quickly tightened up our systems to address the issue. The project leaders never wanted this data, and didn’t use it or even look at it,” a spokesperson said.

“We cooperated fully with the ICO throughout its investigation, and having received its order this morning we are proceeding with our plan to delete the data.”

Are you a privacy buff? Try our quiz!