Google has been given 35 days to delete data collected during the Street View incident, where data from unsecured WiFi networks was accidentally collected.
The Information Commissioner's Office (ICO) served Google with an enforcement notice over the collection of payload data by Google's Street View cars in the UK after it decided to reopen its investigation into the Google Street View project in April last year. With the enforcement notice served on 11th June, Google must comply by the 16th July.
The decision followed the publication of a report by the US Federal Communications Commission (FCC), which raised concerns around the actions of the engineer who developed the software previously used by the cars, and his managers.
The story began in May 2010, when Google apologised for collecting the data, saying it was 'clear that we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks, even though we never used that data in any Google products'.
The ICO made a decision that Google had breached the Data Protection Act over Street View, with information commissioner Christopher Graham then saying that Google had passed an audit but ordered it to make privacy improvements on all of its products.
Google escaped without a monetary penalty, but the case was reopened a year ago after it was suggested that Google engineers knew about the capability to collect data via Street View cars. Google responded by saying that it had made data available for analysis that ‘was representative of the payload collection', and rebuffed suggestions that data made available to the ICO for analysis was ‘pre-prepared'.
The ICO has now further warned Google that it will be taking ‘a keen interest in its operations' and will not hesitate to take action if further serious compliance issues come to its attention. Google provided assurances that the data has not been accessed and, like the other payload data collected, has not entered the public domain.
Stephen Eckersley, the ICO's head of enforcement, said that Google had failed to meet the level required to issue a monetary penalty despite the detriment caused to individuals by this breach.
He said: “Today's enforcement notice strengthens the action already taken by our office, placing a legal requirement on Google to delete the remaining payload data identified last year within the next 35 days and immediately inform the ICO if any further disks are found. Failure to abide by the notice will be considered as contempt of court, which is a criminal offence.
“The early days of Google Street View should be seen as an example of what can go wrong if technology companies fail to understand how their products are using personal information. The punishment for this breach would have been far worse, if this payload data had not been contained.”