Google has discovered it is in possession of payload data it should have deleted, collected from unsecured UK Wi-Fi networks as part of its Street View operation.
The discovery comes after the Information Commissioner's Office (ICO) reopened an investigation last month into whether the search and advertising giant had gathered personal information from home and other Wi-Fi networks while Street View cars were driving around neighbourhoods collecting photos for the mapping service.
"Earlier today Google contacted the ICO to confirm that it still had in its possession some of the payload data collected by its Street View vehicles prior to May 2010," the ICO said in a statement. "This data was supposed to have been deleted in December 2010. The fact that some of this information still exists appears to breach the undertaking to the ICO signed by Google in November 2010."
The Street View data unearthed by Google will now be forensically examined by, or on behalf of, the ICO in order to determine whether personal information was harvested, an ICO spokesman told ZDNet on Friday.
Depending on whether harvesting took place, and whether Google has breached its undertaking, the ICO has a number of enforcement options open to it, up to and including a civil monetary penalty.
Google's possession of the data came to light after global privacy counsel Peter Fleischer sent an email to the ICO on Friday saying the company had found "a small portion of payload data" during a manual Street View disk inventory conducted in recent months.
"In conducting that review, we have determined that we continue to have payload data from the UK and other countries," said Fleischer. "We are in the process of notifying the relevant authorities in those countries."
Fleischer requested that Google be able to delete the new data, an option that was turned down by ICO head of enforcement Steve Eckersley.
"I ask that the data be stored securely until such time as we can complete our examination," Eckersley said in a response. "Could you please start the arrangements to enable us to examine the data as soon as practicable."
The ICO will now work with European colleagues through the Article 29 Working Party, and colleagues from the Global Privacy Enforcement Network (GPEN), to co-ordinate investigations, the ICO said in a statement.
"We are looking at how to respond, and how to co-ordinate responses," an ICO spokesman told ZDNet UK.
ZDNet UK understands that the ICO is working with colleagues from Australia and France, and that other countries that may be affected include Ireland and the Netherlands.
Google was supposed to turn over all of its UK data for deletion, and employed risk management company Stroz Friedberg to complete the task in 2010, after getting the green light from the ICO to delete the data.