The Information Commissioner Christopher Graham has said that Google UK will be subject to an audit and must sign an undertaking to ensure data protection breaches do not occur again or they will face enforcement action.
The Commissioner has concluded that there was a significant breach of the Data Protection Act when Google Street View cars collected payload data as part of their wi-fi mapping exercise in the UK. He has instructed Google UK to sign an undertaking in which the company commits to take action to ensure that breaches of this kind cannot happen again. An audit of Google UK’s Data Protection practices will also be undertaken.
The Commissioner has rejected calls for a monetary penalty to be imposed but states that he is well placed to take further regulatory action if the undertaking is not fully complied with.
International data protection authorities that undertook in-depth investigations found fragments of personal data including e-mails, complete URLs and passwords. Following the admission by Google that personal data had indeed been collected, and the fact that Google used the same technology in the UK, the Commissioner decided that formal action was necessary.
The Commissioner is now requiring Google to delete the payload data collected in the UK as soon as it is legally cleared to do so. The Metropolitan Police has indicated that they are not pursuing an investigation.
Christopher Graham, said:
‘It is my view that the collection of this information was not fair or lawful and constitutes a significant breach of the first principle of the Data Protection Act. The most appropriate and proportionate regulatory action in these circumstances is to get written legal assurance from Google that this will not happen again – and to follow this up with an ICO audit.’