Posted on November 3rd, 2010 by Nicole Kobie
The Information Commissioner’s Office has been telling journalists that it can’t fine Google over the Wi-Fi slurping scandal, saying the ability to apply monetary penalties to companies only came in after the incident in question — leaving its hands tied.
But this is simply not true. At the moment, the ICO does not know if it can fine Google, so the possibility of £500,000 in punishment remains (though it sounds unlikely).
Let me explain.
On 27 April, the German authorities asked Google why its Street View camera cars were scanning Wi-Fi connections. Google said not to worry; it wasn’t picking up any private data.
On 13 May, Google admitted that it was wrong. An audit showed it had indeed picked up private data, and the company immediately pulled its camera cars from roads around the world.
On 29 July, the ICO said the data sample it viewed showed that no “meaningful” private information was collected by the cars.
On 25 October, Google admitted it had picked up emails, URLs and passwords. The ICO said it would take another look into the incident..
On 1 November, the ICO said it refused to “panic” and rush into action against Google, reiterating to me – and other journalists – that it was unable to fine the company because the incident happened before its ability to fine.
Now here’s the other key date: 6 April. That’s the very day when the ICO was given the ability to fine companies; any data protection incidents that happened after that date can be punishable by a fine.
The data watchdog’s press office stressed to me this very point, also telling it to The Guardian, which quoted: “On 6 April 2010, the Information Commissioner’s Office was given the power to issue monetary penalty notices, requiring organisations to pay up to £500,000 for serious breaches of the Data Protection Act. As the Google Street View data breach occurred before this date, even if it was appropriate, we would be unable to use this enforcement power on this occasion.”
You’ll note that date comes three weeks before the Germans raised the issue, and five weeks before Google pulled the cars.
After I asked about these calendar contradictions, I was given this new statement: “The vast majority of the pay-load data was collected by Google prior to 6 April, before our new powers came into force.”
We’ve now gone from all the data being collected prior to the 6th, to the “vast majority” of it. That suggests some data falls into the fineable category, as far as timelines go, at least.
On the road…
So how much data did Google collect in the UK in those five weeks? How many days were the cars on UK roads after 6 April? A Google rep told me: “I do not have precise dates, I’m afraid, but as announced in our blog, on discovering this mistake we immediately grounded all cars and then removed the Wi-Fi collecting equipment. Cars had been in UK prior to that on and off and varying with the weather.”
I asked if that meant cars were on UK roads between 6 April and 13 May, and got a very straightforward answer: “Yes.”
With that in mind, I went back to the ICO. Did they have information from Google proving it hadn’t collected any data after the 6th? It would certainly clear things up if they did. An ICO spokeswoman said: “I cannot comment on the specifics of our investigation – such as what type of data may or may not have been collected after 6 April — as it is still on-going.”
In other words, the ICO is still looking into the matter and can confirm nothing… nothing except the fact that it apparently can’t fine Google. That is the one thing it has consistently confirmed. If the investigation is still ongoing, how can it possibly know whether its legally possible to issue a fine or not? It can’t.
Another spokesman told me: “I understood that it would be part of the investigation, therefore we don’t know yet whether information was collected after the 6th, so therefore we couldn’t say whether a fine was even possible or not, because we don’t know whether information was collected after April the 6th or not.” So why are his colleagues telling other journalists that a fine is a legal impossibility?
What’s going on?
Of course, even if the dates work out and the timeline of events is no hurdle to the ICO fining Google, that doesn’t mean the watchdog should or even could fine the web firm. To issue such a penalty, the breach must have been serious and cause substantial damage, and either be deliberate or negligent.
Now possibly the only “serious” breaches happened before the 6th, but this isn’t about whether or not Google should be fined. It’s about whether the ICO has any idea what date its own investigation started, whether its communications team knows what the commissioner is up to, and whether the watchdog has already decided against fining Google, regardless of what its own investigation shows.
I asked, and got no meaningful response. No matter what the reasoning is, none of it bodes well for the watchdog’s ability to be a useful tool to protect our privacy.
Update: About three seconds after posting this blog, I received a press release from the ICO saying they would not be fining Google, but would file an enforcement notice — which essentially requires Google to promise to never do this again. I suppose that means the investigation is over, so the ICO should be able to reveal if any data was picked up after 6 April. I’ll update the post when they get back to me.
Read more: Why the ICO has no idea if it can fine Google | PC Pro blog
http://www.pcpro.co.uk/blogs/2010/11/03 ... z14crbBOtBAnother Ofcom, why doesn't that surprise me. Oh, and I wouldn't be surprised if this has anything to do with Cameron cosying up to the big players online these days.
