Google slapped with Street View data deletion order by UK watchdog
Google must delete all wi-fi payload data collected by its Street View cars in the UK within the next 35 days or it could face legal action.
The Information Commissioner's Office, which is currently weighing up Google's new unified privacy policy, announced today it had served Google with an enforcement notice requiring it to delete all of the wi-fi payload data collected by its Street View cars in 2009 or be held in contempt of court.
"Today's enforcement notice strengthens the action already taken by our office, placing a legal requirement on Google to delete the remaining payload data identified last year within the next 35 days and immediately inform the ICO if any further disks are found," Stephen Eckersley, ICO head of enforcement said in a statement on Friday.
"Failure to abide by the notice will be considered as contempt of court, which is a criminal offence." The order was dated 11 June, giving Google just 15 more days to comply with the order.
Google's Street View cars were found to have gathered payload data from unsecured wi-fi connections in a number of countries while on the road taking photos for the mapping service.
The UK's data protection authority reopened its investigation into Google's Street View data harvest last April off the back of claims in a report by the FCC in the US that Google may have been aware that its cars were gathering payload data.
During its investigation, Google reported to the ICO — as it did in other jurisdictions — that it had discovered additional discs containing the payload data that it had failed to destroy, which it had been required to do by an earlier order.
Specifically in the UK, Google found four discs last February that it had failed to destroy, and reported the find to the ICO in July and September. In October, Google found a fifth disc that may contain UK data.
The ICO however fears there may be more discs that Google has missed, it said.
"The data controller has given an explanation for their failure to erase the payload data... However, the Commissioner is still concerned that other discs holding payload data may have been overlooked during the destruction process."
The ICO's opted for an enforcement order partly because it believes that people whose data was collected would likely suffer "worry and anxiety" with the knowledge some discs may not have been destroyed.
Still, the ICO, which can fine organisations up to £500,000 for a serious data breach, does not believe the detriment caused to those affected warrants issuing Google with a fine.
The new enforcement order comes as France's information watchdog, the Commission Nationale de l'Informatique et des Libertes (CNIL) has ordered Google to change its recently consolidated privacy policy. Its counterparts in Spain and Italy have also taken action over the policy.
The ICO's investigation into whether Google's consolidated privacy policy complies with the UK's Data Protection Act is ongoing and it will shortly write to Google to confirm its preliminary findings.