The Information Commissioner’s Office (ICO) has recently announced that it is to reinvestigate Google over information gathered from private wireless networks during the company’s controversial Street View project. The initial investigation in July centred on Google’s alleged harvesting of individuals’ personal data via the Street View cars that travelled the country capturing images of street scenes. The ICO was acting in response to concerns that the Street View technology was grabbing personal information from unsecured wireless networks, however it found that any information captured did not include ‘meaningful personal details that could be linked to an identifiable person’, i.e. information that would come within the remit of Britain’s data protection legislation. Overseas investigations continued after the ICO reported in July.
Those international investigations have since discovered, and Google has disclosed via its blog – that in fact it ‘accidentally’ collected significant amounts of personal information, including entire emails, URLs and passwords. This information could fall within the definition of ‘personal data’, the use of which is heavily regulated under the Data Protection Act 1998 (the “Act”). In light of this development, the ICO is reopening its investigation into the Street View project, and announced that it was considering all options, including use of the enforcement powers given to it under the Act.
Contravention of the Act is a criminal offence punishable by an unlimited fine, and the ICO itself has the power to levy fines of up to £500,000 for those who misuse personal information. However as Google appears to be willing to rectify its mistake and ensure compliance with the legislation, the ICO is unlikely to take action so long as it is satisfied that Google’s actions were accidental.
Nevertheless, the fact that the Street View incident has made the news, and the strength of Google’s response in apologising and promising to delete and not use any personal information collected by the Street View project, demonstrates the importance of complying with the many requirements of the Act. Examples of such requirements include:
- notifying the ICO of the use of any personal information in certain circumstances;
- obtaining the necessary consent from individuals before their personal information is collected and used;
- adequately securing and protecting that information; and
- ensuring that the information is only used for its permitted purpose.
The importance to businesses of developing comprehensive policies – and communicating those policies to relevant individuals – to ensure that they do not contravene the Act cannot be overstated.
Please click here to email Simon Halberstam, Head of Technology Law, or call 020 3206 2781.