ICO’s View on the Street View Mistake

August 4, 2010

In light of widely expressed concern over the collection by Google of data from wi-fi networks, the ICO has reviewed the various factors and issued a statement.

Readers will recall that Google had collected data from unsecured wi-fi networks when its Street View vehicles trawled areas for the Street View photographic data. The fact that wi-fi data was collected came to light in May when the Hamburg data protection authority investigated the data collected by the cars. The data protection authority discovered that each car had an antenna designed to locate and capture details of open wi-fi hotspots and that the cars had also captured some payload data sent from these networks. Google said it was all a mistake and that the captured payload data was no more than fragments. It was then revealed that the mistake was not confined to Hamburg or Germany, but had arisen from an error in software used in many jurisdictions.

The statement from the ICO indicates that ‘we are satisfied so far that it is unlikely that Google will have captured significant amounts of personal data’ and goes on to say that there is no evidence that the data captured by Google ‘has caused or would cause any individual detriment’ … ‘[n]evertheless it was wrong to collect the information’.

Google remains under investigation by the police for a possible breach of the Regulation of Investigatory Powers Act 2000.

The ICO investigation was limited to a review of data samples only and was not a detailed analysis of all wi-fi data collected by Google. The ICO states that it will remain vigilant and will review its decision in light of any further evidence or findings presented by data protection authorities in other countries.

The ICO statement is set out in full below.

‘The ICO has visited Google’s premises to assess samples of the “pay-load” data it inadvertently collected. Whilst Google considered it unlikely that it had collected anything other than fragments of content, we wanted to make our own judgement as to the likelihood that significant personal data had been retained and, if so, the extent of any intrusion. The information we saw does not include meaningful personal details that could be linked to an identifiable person. As we have only seen samples of the records collected in the UK we recognise that other data protection authorities conducting a detailed analysis of all the payload data collected in their jurisdictions may nevertheless find samples of information which can be linked to identifiable individuals. However, on the basis of the samples we saw we are satisfied so far that it is unlikely that Google will have captured significant amounts of personal data. There is also no evidence as yet that the data captured by Google has caused or could cause any individual detriment. Nevertheless it was wrong to collect the information. We will be alerting Privacy International and others who have complained to us of our position. The Information Commissioner is taking a responsible and proportionate approach to this case. However, we remain vigilant and will be reviewing any relevant findings and evidence from our international counterparts’ investigations.’