The CIO has given Google 35 days to expunge personal information sucked up by Street View vehicles via Wi-Fi during 2010 drives around the U.K. to build its first picture maps of the country. "Failure to abide by the notice will be considered as contempt of court, which is a criminal offence," warned the group's head of enforcement Stephen Eckersley.
Google had intended to identify user Wi-Fi networks and map their approximate location using its vehicles' on-board GPS coordinates; the aim was to improve the company's geographic location database for location-based mobile applications. By accident, though, the vehicles mistakenly collected payload data including the email addresses, URLs and passwords of thousands of British citizens.
[ Google caught in the act of protecting user data? Read Google, Facebook Told U.K.: We Won't Be Snoops. ]
Google had promised to destroy the data in November 2010 after conversations with the ICO. However, in July last year it told the ICO that the process seems not to have been thorough enough, as it discovered it had accidentally retained four discs containing the personal data.
To add to the search giant's embarrassment, it then 'fessed up last October to finding a fifth disc, "which may contain U.K. data," although some of the data held on the disc had not been collected in the country.
The ICO's decision to reopen the case was also, it says, prompted by the publication in April 2012 of a report by the U.S. Federal Communications Commission that raised concerns around the actions of the engineer who developed the software previously used by the cars and his managers.
In its latest letter, ICO chides Google for "procedural failings and a serious lack of management oversight, including checks on the code." Although it accepts that the personal data was collected and then retained by accident, it says Google has nonetheless contravened the U.K.'s central information privacy law, the Data Protection Act. It is also "concerned" that other discs holding payload data might have been overlooked during the destruction process.
If, after destroying the latest discs, Google discovers any more such overlooked collected personal data, it must inform the watchdog at once, said the ICO.
The ICO says it issued the warning to Google instead of levying a cash fine because it accepts Google's assurances no data ever got accessed or leaked into the public domain; therefore, any harm caused to Brits affected by the Street View issue fails to meet the level required to issue a monetary penalty. But the situation should be a warning to other collectors of data, it concludes. "The punishment for this breach would have been far worse if this payload data had not been contained," said Eckersley. "The early days of Google Street View should be seen as an example of what can go wrong if technology companies fail to understand how their products are using personal information."
The ICO said it will be writing to Google to confirm its preliminary findings on that score.