Google gets qualified praise for privacy changes

The Information Commissioner's Office has given Google a pat on the back for tightening up privacy since its Street View cars broke data protection laws, but has said the company still has work to do.

The Information Commissioner's Office has broadly welcomed moves by Google to improve its privacy policies after its Street View cars collected unsecured Wi-Fi data. Photo credit: Byrion on Flickr

In an audit carried out in July, the UK's data protection authority found that Google had taken "reasonable" steps to improve its privacy policies. The investigation — which included an on-site visit, interviews with staff, inspection of selected records and a desk-based review of documentation — followed Google's harvesting of emails and passwords from unsecured Wi-Fi networks as it collected location data using its Street View cars.

"I'm satisfied that Google has made good progress in improving its privacy procedures following the undertaking they signed with me last year," information commissioner Christopher Graham said in a statement on Tuesday. "All of the commitments they gave us have been progressed, and the company has also accepted the findings of our audit report where we've asked them to go even further."

The ICO concluded in its audit that Google's changes "reduce, but do not eliminate, the risk of an incident similar to the mistaken collection of payload data by Google Street View vehicles occurring again".

In November, the ICO ruled that the Google's collection of data was not lawful under the Data Protection Act. However, it did not impose a fine on the company, saying that it did not gain those powers until after it had begun investigating the Street View cars' actions. Instead, it received an undertaking from Google that it would improve its internal privacy structure, training and awareness, to be checked via the consensual audit.

Reasonable assurance

In its audit, the data watchdog gave Google the second-highest rating of 'reasonable assurance' that processes are in place and being followed. These include a design document to make sure projects build in privacy from the beginning; advanced data protection training for all engineers; and extra training on privacy and protection of user data for all staff.

However, Graham warned Google that it still has work to do and that the report is not a "rubber stamp" for Google's data protection policies.

The company needs to ensure its work in this area continues to evolve alongside new products and technologies. Google will not be filed and forgotten by the ICO.

– Christopher Graham, ICO

"The company needs to ensure its work in this area continues to evolve alongside new products and technologies," Graham said. "Google will not be filed and forgotten by the ICO."

The ICO also recommended other ways Google can tighten up its procedures. It suggested it issue an explanation of how data will be managed in products, an accuracy-checked privacy design document for all projects, and additional privacy training for specific engineering disciplines.

"We have worked hard on these new privacy controls, which are designed to improve our internal practices without getting in the way of the innovation that has powered Google since its inception," Alma Whitten, director of privacy for products and engineering at Google, said in a blog post response to the audit's recommendations.

"We know that there is no perfect solution, so we will continue to improve our current processes and develop new ones so that privacy awareness grows and evolves alongside Google," he added.