Has the Information Commissioner’s Office lost its bottle?
Google breached Data Protection Act but faces no fine.
The news that the Information Commissioner's Office (ICO) will not issue Google with a fine for what it described as a "significant breach" of the Data Protection Act has enraged privacy advocates.
The row centres on Google's capturing of data from unsecured wireless networks via the antennae on its Street View cars, which have been touring this and other countries, ostensibly to photograph street scenes. Google said the capturing of data being broadcast on private wifi networks was a mistake, and that it is "profoundly sorry".
Yesterday the Information Commissioner, Christopher Graham, said:
"It is my view that the collection of this information was not fair or lawful and constitutes a significant breach of the first principle of the Data Protection Act. The most appropriate and proportionate regulatory action in these circumstances is to get written legal assurance from Google that this will not happen again – and to follow this up with an ICO audit."
Not good enough, say privacy advocates. A letter signed by Privacy International, NO2ID, Big Brother Watch, Action on Rights for Children and the Open Rights Group described the decision merely to audit Google in future as "the latest episode in a litany of regulatory failure that brings disrepute on the Commissioner's Office and which calls into question whether the ICO is fit for purpose".
They argue that the ICO has been inept over the Google case from start to finish. It's not the first time the office has been accused of lacking teeth.
True enough, it was a request for information by the German authorities – the ICO was nowhere to be seen – that first uncovered the harvesting of personal data by Street View cars. And though this came to light in April, the ICO only visited Google to take a look at a sample of the data it had gathered in the UK on 15 July. After that visit, it said:
On the basis of the samples we saw we are satisfied so far that it is unlikely that Google will have captured significant amounts of personal data.
It was only after news that Canada and Spain had both ruled that Google's moves had breached their laws that the ICO announced that it, too, does now believe that Google committed a "significant breach" of the Data Protection Act. Yet, despite that finding, the Information Commissioner's Office has said it won't issue a fine – it has the power to issue fines of up to £500,000 – not least because Google has promised not to do it again.
The letter from the privacy groups fumes:
The ICO has completed a full reversal of its position . . . In our view the ICO is incapable of fulfilling its mandate. The Google incident has compromised the integrity of the Office. We can think of very few substantial privacy issues over the past ten years that the ICO has championed. In most cases the Office has become part of the problem either by ignoring those issues or by issuing bizarre and destructive rulings that justify surveillance rather than protecting privacy.
An ICO spokesperson said that it couldn't issue a fine in this case because it would be hard to prove that the breach had caused "substantial harm or substantial distress". Besides, most of the payload data was captured before 6 April, when the ICO was granted its powers to impose fines of up to £500,000. Case closed.
Jason Stamper is NS technology correspondent and editor of Computer Business Review.