Google under scrutiny by privacy regulators in Europe

October 17, 2012

The Age, in “Europe puts Google on privacy notice” and “Google’s privacy policy under fire”, and ZDNet, in “Google must review privacy policy, EU data regulators rule”, report on privacy regulators’ concerns about Google’s very wide privacy policy and its weak consent provisions. This is on top of German prosecutors prosecuting Google for the collection of Wi-Fi data by its Street View cars (see “Google Street View criminal case facing decision time in Germany”).

The difference between the European approach to such egregious breaches of privacy as Google collecting Wi-Fi data and Australia’s approach is stark.

In 2010 the Privacy Commissioner found that Google was in breach of the Privacy Act. The announcement provides:

Australian Privacy Commissioner obtains privacy undertakings from Google

Australian Privacy Commissioner Karen Curtis has concluded her investigation into Google’s collection of unsecured WiFi payload data in Australia using Street View vehicles.

“On the information available I am satisfied that any collection of personal information would have breached the Australian Privacy Act.

“Collecting personal information in these circumstances is a very serious matter. Australians should reasonably expect that private communications remain private.

“In response to our investigation, Google has provided me with written undertakings that it will:

  • Publish an apology to Australians in Google’s official Australian blog (www.google-au.blogspot.com) for its collection of unsecured WiFi ‘payload’ data.
  • Undertake to conduct a Privacy Impact Assessment (PIA) on any new Street View data collection activities in Australia that include personal information.
  • Provide a copy of these PIAs to my Office.
  • Regularly consult with the Australian Privacy Commissioner about personal data collection activities arising from significant product launches in Australia.

“These steps will ensure Google’s future products have privacy protections built in rather than bolted on. Google’s undertakings will last for three years. These undertakings will be reviewed following any reforms to the Privacy Act.

“Under the current Privacy Act, I am unable to impose a sanction on an organisation when I have initiated the investigation. My role is to work with the organisation to ensure ongoing compliance and best privacy practice.

“This was an issue identified by the Australian Law Reform Commission (ALRC) inquiry into Australian privacy laws. The ALRC recommended that the enforcement regime be strengthened. My Office supports these recommendations, and the Australian Government has announced its intention to adopt them.

“Other privacy authorities and law enforcement agencies may still be investigating the collection of WiFi ‘payload’ data by Google. In view of those ongoing investigations I do not propose to comment in more detail.

“I would like to thank my international counterparts in New Zealand, Canada and Hong Kong, who worked with my Office in examining this matter.

“I also acknowledge the cooperation offered by Google throughout my investigation.”

At best, a very soft regulatory response, in part constrained by the limited powers under the Act. However, why the Privacy Commissioner did not use section 98 of the Privacy Act, seeking and obtaining injunctive relief, is somewhat surprising. Given that the breaches are egregious, one would have thought that would be a starting point, over and above an own motion investigation.

This year, when the issue became public, the Privacy Commissioner decided not to open a new investigation, stating:

“I have decided not to open another investigation into Google Street View. In 2010 the Office found Google in breach of the Privacy Act after it was confirmed that Google collected personal information through unsecured WiFi payload data from its Street View vehicles. Google accepted this finding and agreed to the following undertakings:

  • Publish an apology to Australians for its collection of unsecured WiFi ‘payload’ data
  • Conduct a Privacy Impact Assessment on any new Street View data collection activities in Australia and provide these to the office
  • Regularly consult with the Australian Privacy Commissioner about personal data collection activities in Australia that include personal information

I am satisfied that Google has complied with those undertakings and continues to keep our office informed of new developments. In reaching this decision, I have considered the FCC’s report and don’t consider that a new investigation would reveal any information that would change our original finding. In the case of the 2010 Google investigation, undertakings were agreed between Google and the office as the Privacy Act does not currently allow me to impose any enforceable undertakings. I am pleased that the Government has introduced a Bill into the Parliament to amend the Privacy Act that will, amongst other things, give me access to enforceable remedies for investigations of this type.”

On 6 August the Privacy Commissioner wrote to Google (found here) stating:

Dear Mr Flynn

Google Street View Wi-Fi Collection

I refer to Google’s advice, received on 27 July 2012, informing the Office of the Australian Information Commissioner (OAIC) that Google has identified more payload data collected by Google’s Street View vehicles in Australia.

The payload data was collected from unsecured WiFi networks by Google in 2010. The OAIC conducted an investigation into the collection of the payload data under s 40(2) of the Privacy Act 1988 (Cth). After that investigation Google advised our Office that in March 2011 all payload data was destroyed. I understand from your letter that Google has now discovered additional disks containing payload data. You also advise that Google intends to destroy the additional disks unless I require a different course of action.

National Privacy Principle 4.2 requires that an organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under NPP2.

I do not require Google to retain the additional payload data and, unless there is a lawful purpose for its retention, Google should immediately destroy the data. Once this has occurred I would like confirmation from an independent third party that the data has been destroyed.  Further, I would also request that Google undertakes an audit to ensure that no other disks containing this data exist, and to advise me once this audit is completed.

I would add that I am concerned that the existence of these additional disks has come to light, particularly as Google had advised that the data was destroyed. Organisations that retain personal information that is no longer required could leave individuals at risk should it be misused.

I appreciate your advising me of this matter, and look forward to confirmation that the data has been destroyed.

Yours sincerely

[signed]

Timothy Pilgrim
Privacy Commissioner

6 August 2012

On 9 October 2012 The Australian reported, in “Privacy Commissioner slams Google for Street View backtrack”:

THE federal privacy commissioner has slammed Google after it took back promises it had destroyed WiFi data its Street View cars collected improperly.

Privacy Commissioner Timothy Pilgrim today revealed that the search giant had discovered yet more disks containing data collected in Australia and New Zealand despite giving written assurances the data had been destroyed in August.

Mr Pilgrim expressed concerns that Google was letting the WiFi data fall through the cracks in its auditing processes.

“I remain concerned that this data still exists given that Google previously confirmed that all data relating to this issue had been destroyed. I have advised Google that it is important that there is no further Street View WiFi data in Google’s possession requiring destruction,” Mr Pilgrim said in a statement.

“I have asked Google for further information about their audit process to allow me to better understand the steps taken during the review of their disk inventory.”

It was the second time in as many months that Google had admitted not meeting promises to destroy the data.

In July, Google told Britain’s Information Commission Office that it still held portions of the private data it collected in Britain, breaching an undertaking it made to that regulator in November 2010.

At the time, Google also contacted the Office of the Australian Information Commission. That prompted Mr Pilgrim to direct Google to destroy the data and conduct an audit to ensure that there were no remaining disks.

That audit uncovered two more disks, Mr Pilgrim said today.

In 2010 Google collected the WiFi data in 30 countries using vehicles specially fitted with cameras and antennas as part of its Street View digital mapping exercise.

Some of the data included emails and other private information collected from unsecured wireless networks.

In May 2010 Google gave written undertakings to Mr Pilgrim’s predecessor, Karen Curtis, to apologise to Australians for collecting the data and to consult the commissioner’s office before conducting similar exercises.

Again, the Privacy Commissioner chooses not to go to the Federal Court and seek injunctive relief. Surely this is a case which begs for assertive action. Unfortunately, privacy enforcement has not been strong in Australia. Even more unfortunately, Google is not a company that has a culture that values privacy as a core right.
