The Information Commissioner’s Office has re-opened its investigation into Google’s use of its StreetView camera cars to collect information from household WiFi networks.
The ICO investigated the matter in 2010, and made recommendations for Google to improve its secure project management practices.
However, an investigation by the US Federal Communications Commission (FCC) found that, contrary to Google’s initial claim that it was the result of one rogue engineer, a number of its employees had been aware that Street View cars were recording data transmitted over unprotected WiFi connections.
"During the course of our investigation [in 2010] we were specifically told by Google that it was a simple mistake and if the data was collected deliberately then it is clear that this is a different situation than was reported to us," the ICO said today.
The ICO is therefore reopening its investigation, and wants to know exactly what type of personal data Google capture, the exact point at which Google managers became aware of the data capture, and a host of other difficult questions. The ICO also wants a "substantial explanation" as to why Google failed to tell it about the sensitive data it was collecting when the ICO audited Google in 2010.
Data protection lawyer Chris Pounder said that the FCC’s findings are "an embarrassment" for the Information Commissioner Christopher Graham.
"It looks as if he should not have taken Google’s reassurances on face value and perhaps ordered Google to retain what personal data it captured," Pounder wrote on his blog. "If, for example, the ICO had served a formal Information Notice on Google, then because of the FCC report findings, Google would be at risk of committing an offence, because the ICO was furnished with explanations of suspect quality (or “porkies”, if one wants to be more direct)".
Pounder also pointed to a recent ruling from a Swiss federal court, which found that Google’s Street View images do in fact count as personal data. The court ruled that collected images which are sensitive – such as those of nursing homes, schools, courts and hospitals – must be rendered entirely anonymous before internet publication.
"According to the Swiss Data Protection Commissioner, this means that in such cases it will no longer be sufficient to blur faces and that such images may have to be altered, perhaps manually," Pounder wrote.
Pounder suggested that the Swiss court’s findings might show Google’s Street View program as "unfair processing" of personal data, meaning that Google’s privacy breaches might no longer be classified as "insignificant and unintentional".
"I think this Swiss judgement will be closely scrutinised by most of Europe’s Data Protection Commissioners to see what parts can be implemented elsewhere in Europe," he wrote.