Street View: ICO Issues Enforcement Notice

June 20, 2013

The Information Commissioner’s Office (ICO) has served Google Inc with an enforcement notice over the collection of payload data by Google’s Street View cars in the UK.

Stephen Eckersley, ICO Head of Enforcement, said on 21 June:

‘Today’s enforcement notice strengthens the action already taken by our office, placing a legal requirement on Google to delete the remaining payload data identified last year within the next 35 days and immediately inform the ICO if any further disks are found. Failure to abide by the notice will be considered as contempt of court, which is a criminal offence.’ 

The ICO’s decision follows the reopening of its investigation into the Google Street View project in April last year. The decision followed the publication of a report by the US Federal Communications Commission (FCC), which raised concerns around the actions of the engineer who developed the software previously used by the cars, and his managers.

The ICO’s investigation found that the collection of payload data by the company was the result of procedural failings and a serious lack of management oversight including checks on the code. But the investigation also found there was insufficient evidence to show that Google intended, on a corporate level, to collect personal data.

The ICO has concluded that the rationale for its original decision in 2010 to issue Google with an undertaking and carry out a consensual audit remain the same. But the ICO has also this week warned Google that it will be taking a keen interest in its operations and will not hesitate to take action if further serious compliance issues come to its attention.

When reaching today’s decision, the ICO also considered the discovery of additional disks containing payload data, which were located by Google while the reopened ICO investigation was in progress. Google has provided assurances that the data has not been accessed and, like the other payload data collected, has not entered the public domain.

Based on a detailed investigation, including an analysis of the data Google has recorded, the ICO has concluded that the detriment caused to individuals by this breach fails to meet the level required to issue a monetary penalty.

Stephen Eckersley, ICO Head of Enforcement, continued:

‘The early days of Google Street View should be seen as an example of what can go wrong if technology companies fail to understand how their products are using personal information. The punishment for this breach would have been far worse, if this payload data had not been contained.’

The ICO’s investigation into whether Google’s privacy policy complies with the Data Protection Act is on-going. This investigation is part of coordinated action by data protection regulators across Europe, to assess whether Google’s latest privacy policy clearly explains how individuals’ personal information is being used across the company’s products and services. The ICO will shortly be writing to Google to confirm its preliminary findings.