Google broke the law when its Street View cars harvested emails and passwords from unsecured Wi-Fi networks, the UK's privacy watchdog has ruled.
Information commissioner Christopher Graham announced the ruling on Wednesday, two days after saying that his office would not be pushed into a "knee-jerk response" on the issue. The first principle of the Data Protection Act specifies that organisations should gain consent before collecting personal information.
"It is my view that the collection of this information was not fair or lawful and constitutes a significant breach of the first principle of the Data Protection Act," Graham in a statement. "The most appropriate and proportionate regulatory action in these circumstances is to get written legal assurance from Google that this will not happen again — and to follow this up with an ICO [Information Commissioner's Office] audit."
The consensual audit should take place within nine months of Google making the promise, the ICO said. The company will face no punishment or fine, it added. The privacy authority was recently given the power to fine businesses up to £500,000 for a breach.
"Monetary penalties can only be served when a strict set of criteria is satisfied, including that the breach was likely to cause substantial harm or substantial distress — this alone would be very hard to prove in this case," an ICO spokewoman told ZDNet UK. "The vast majority of the pay-load data was also collected prior to 6 April, 2010, before our new powers came into force."
The decision marks a U-turn by the ICO on whether it would take action against Google, whose Street View cars collected emails and other data from Wi-Fi networks while driving around UK cities during 2008 and 2009. In May, the privacy watchdog said that Google should go ahead and delete the data: as it saw no need to take action, there was no reason to keep it for evidential purposes. In July, it examined the harvested data and ruled soon after that the company had not collected any "meaningful personal details" and again took no action.
The ICO said that the ruling on Wednesday was prompted by Google's admission that it had collected passwords and whole emails, and by findings from Canadian privacy authorities.
"We have always said that we would await the results of the detailed investigations that were being undertaken by our international counterparts before deciding on what if any action to take," the ICO spokeswoman said. "In the light of the emerging findings from these detailed investigations, the admission by Google that personal data had indeed been collected and the fact that Google used the same technology in the UK, the commissioner has decided that formal action is necessary."
On Thursday, the privacy watchdog's handling of the investigation was described as "lamentable" by MP Robert Halfon, who introduced a parliamentary debate on the issue. The arrival of the ICO's ruling almost a week later was a coincidence, the privacy body said. "The timing of this announcement was fully determined by the ICO," it said.
The watchdog did not undertake an investigation of its own as it would have wasted resources, its spokeswoman said.
"The ICO has established that the same technology that Google Street View used worldwide was used in the UK," she said. "Other national data protection authorities...
...were already conducting in-depth investigations, so it would not have been a sensible use of ICO resource to do the same."
The information commissioner is now calling for Google to delete the data as soon as it can legally do so. In an apology issued on Wednesday, the company said it is working towards this deletion.
"We are profoundly sorry for mistakenly collecting payload data in the UK from unencrypted wireless networks," said Peter Fleischer, Google's global privacy counsel, in a statement. "We are in the process of confirming that there are no outstanding legal obligations upon us to retain the data, and will then ensure that it is quickly and safely deleted."
Those legal obligations include organisations or proceedings that could compel Google to keep the details, the company told ZDNet UK.
Privacy campaigners responded to the ruling by criticising how the ICO had handled the situation.
"The greatest example of mismanagement of data has come from the ICO, not Google," Privacy International director Simon Davies said. "[The investigation] really was a farce."
For example, the decision in July that Google had not gathered significant details directly contradicted the findings of the French privacy authorities in June, according to Privacy International. However, the ICO responded that, as far as it is aware, only Canada has published a detailed report after an in-depth investigation into the matter.
Privacy International also said it had confirmation from the ICO that its staff who examined the data did not have any technical training. Asked by ZDNet UK whether the staff included people with IT training, the ICO responded that they were "long-standing data protection experts".