What did Google do to escape the first ICO fine?
Before last week's Information Commissioner's Office (ICO) fines were dished out, the big talking point in data security was regarding the Google Street View case.
Following an investigation earlier this month, where the ICO found the internet giant to have significantly breached the Data Protection Act when Google Street View cars collected payload data as part of their WiFi mapping exercise in the UK, but did not impose a fine.
Google UK was instructed to sign an undertaking where it committed to take action to ensure that breaches of this kind cannot happen again. An audit of Google UK's data protection practices will also be undertaken. The commissioner has rejected calls for a monetary penalty to be imposed but is well placed to take further regulatory action if the undertaking is not fully complied with.
A later announcement from the ICO confirmed that Google had signed a commitment to improve data handling. Its senior vice president Alan Eustace signed an undertaking on behalf of the company, which commits it to putting into place improved training measures on security awareness and data protection issues for all employees.
The company also said it will require its engineers to maintain a privacy design document for every new project before it is launched. The payload data that Google inadvertently collected in the UK will also be deleted. It will conduct an audit within nine months of the undertaking being signed.
With these decisions being made over the four weeks before the A4E and Hertfordshire County Council fines were announced, it was undoubtedly one of the largest data protection stories of the year, calling to mind issues such as WiFi security, the use of personal data by third parties and the role of major internet companies and the regulator.
There may have been some people who would have claimed that Google was not fined because of its gravitas within the online world, alternatively the facts of why it was not fined do ring true.
Stewart Room, partner of legal firm Field Fisher Waterhouse, said that the Google case tells us abut the quality of legal adversary matters, as it is based on trust with regulators and the company has to learn about failure.
He said: “Why was Hertfordshire County Council fined and not Google? Why it did not fine Google is as clear as the nose on your face, it is about who has seen it. Hertfordshire County Council and A4E experienced a failure with three years of repeated warnings, Google was not in known failure territory and no one admitted that a WiFi slurp was a failing. Google admitted it had not breached the Data Protection Act and when communications go wrong, it can say something about understanding the law of facts.”
Talking to SC Magazine, Ed Rowley, product manager of M86 Security, said that if Google is to be believed, they did not know that they had the data until later and could not delete the captured data until the end of the investigation.
He said: “There are two things to learn from this: one is the whole thing that has shown how open wireless is; and that the ICO has done its investigation and it is in a position of authority but has worked with Google to resolve the problem. It showed that it gathered the data but it was always secure and that there was no real reason to fine as it is a great lesson for everybody.”
Likewise David Jevans, CEO at IronKey, told SC Magazine that he did not feel that Google had done anything on purpose, so with no malicious activity did not warrant a financial fine for its actions. He said: “This was not done on purpose, it worked with the ICO and improved its technologies and data protection from its employees who have a privacy design document and reviewed its practises.
“The story came out and the ICO has done something but there is no drama around it, but we will see how it stands in other countries. The engineers knew what they were doing and collecting, the collection of data was not part of the exercise but they had created the database and knew what was in it.”
The data collected included fragments of personal data including emails, complete URLs and passwords, which the ICO required Google to delete as soon as it was legally cleared to do so. The Metropolitan Police has also indicated that it was not pursuing an investigation.
This probably brings an end to one of the biggest stories of 2010, while it will be far from the end for Google, as other information commissioners will be sharpening their knives for their own investigations. Perhaps the biggest story is that raised by Rowley, if this had not happened would the public have ever been aware of the security of their home WiFi? From this action, I wonder how many have changed the settings at all?