Google broke the law when its Street View cars harvested emails and passwords from unsecured Wi-Fi networks, the UK's privacy watchdog has ruled.
Information commissioner Christopher Graham announced the ruling on Wednesday, two days after saying that his office would not be pushed into a "knee-jerk response" on the issue. The first principle of the Data Protection Act specifies that organisations should gain consent before collecting personal information.
"It is my view that the collection of this information was not fair or lawful and constitutes a significant breach of the first principle of the Data Protection Act," Graham said in a statement. "The most appropriate and proportionate regulatory action in these circumstances is to get written legal assurance from Google that this will not happen again — and to follow this up with an ICO [Information Commissioner's Office] audit."
The consensual audit should take place within nine months of Google making the promise, the ICO said. The company will face no punishment or fine, it added. The privacy authority was recently given the power to fine businesses up to £500,000 for a breach.
"Monetary penalties can only be served when a strict set of criteria is satisfied, including that the breach was likely to cause substantial harm or substantial distress — this alone would be very hard to prove in this case," an ICO spokeswoman told ZDNet UK. "The vast majority of the pay-load data was also collected prior to 6 April, 2010, before our new powers came into force."
The decision marks a U-turn by the ICO as to whether it would take action against Google, whose Street View cars collected emails and other data from Wi-Fi networks while driving around UK cities during 2008 and 2009. In May, the privacy watchdog said that Google should go ahead and delete the data: it saw no need to take action, so there was no reason to keep the data for evidential purposes. In July, it examined the harvested data and ruled soon after that the company had not collected any "meaningful personal details" and again took no action.
The ICO said that Wednesday's ruling was prompted by Google's admission that it had collected passwords and whole emails, together with findings from Canadian privacy authorities.
"We have always said that we would await the results of the detailed investigations that were being undertaken by our international counterparts before deciding on what if any action to take," the ICO spokeswoman said. "In the light of the emerging findings from these detailed investigations, the admission by Google that personal data had indeed been collected and the fact that Google used the same technology in the UK, the commissioner has decided that formal action is necessary."
On Thursday, the privacy watchdog's handling of the investigation was described as "lamentable" by MP Robert Halfon, who introduced a parliamentary debate on the issue. The arrival of the ICO's ruling almost a week later was a coincidence, the privacy body said. "The timing of this announcement was fully determined by the ICO," it said.
The watchdog did not undertake an investigation of its own as it would have wasted resources, its spokeswoman said.
"The ICO has established that the same technology that Google Street View used worldwide was used in the UK," she said. "Other national data protection authorities...