The news that the Information Commissioners’ Office (ICO) will not issue Google with a fine for what it described as a "significant breach" of the Data Protection Act has enraged privacy advocates.
The row centres on Google’s capturing of data from unsecured wireless networks via antenna on its Street View cars, which have been touring this and other countries ostensibly to photograph street scenes. Google said the capturing of data being broadcast on private wi-fi networks was a mistake, and that it is "profoundly sorry".
Yesterday the Information Commissioner Christopher Graham said:
"It is my view that the collection of this information was not fair or lawful and constitutes a significant breach of the first principle of the Data Protection Act. The most appropriate and proportionate regulatory action in these circumstances is to get written legal assurance from Google that this will not happen again – and to follow this up with an ICO audit."
Not good enough, say privacy advocates. A letter signed by Privacy International, NO2ID, Big Brother Watch, Action on Rights for Children and the Open Rights Group, described the decision to merely audit Google in future as, "the latest episode in a litany of regulatory failure that brings disrepute on the Commissioner’s office and which calls into question whether the ICO is fit for purpose."
They argue that the ICO has been inept over the Google case from start to finish. It’s not the first time the ICO has been accused of lacking teeth.
True enough, it was a request for information by German authorities – the ICO was nowhere to be seen – that first uncovered the harvesting of personal data by Street View cars. And though this came to light in April, the ICO only visited Google to take a look at a sample of the data it had gathered in the UK on July 15th. After that visit, it said:
"On the basis of the samples we saw we are satisfied so far that it is unlikely that Google will have captured significant amounts of personal data."
It was only after news that Canada and Spain had both ruled that Google’s moves had breached their laws that the ICO announced that it, too, does now believe that Google made a "significant breach" of the Data Protection Act. But despite that finding, the Information Commissioner’s Office has said it won’t issue a fine – it has the power to issue fines of up to £500,000 – not least because Google has promised not to do it again.
The letter from those privacy groups fumes that:
"The ICO has completed a full reversal of its position… In our view the ICO is incapable of fulfilling its mandate. The Google incident has compromised the integrity of the Office. We can think of very few substantial privacy issues over the past ten years that the ICO has championed. In most cases the Office has become part of the problem by either ignoring those issues or by issuing bizarre and destructive rulings that justify surveillance rather than protecting privacy."
An ICO spokesperson said that it couldn’t issue a fine in this case because it would be hard to prove the breach had caused "substantial harm or substantial distress". And besides, most of the payload data was captured before April 6, when the ICO was granted its powers of fines of up to £500,000. Case closed.
Follow this author on Twitter: www.twitter.com/jasonstamper