Google committed a "significant breach" of data protection laws when its Street View cars "mistakenly" collected people's email addresses and passwords over unsecured WiFi networks, the Information Commissioner has ruled. However, the company escaped a fine and was asked only to promise not to do it again.
Information Commissioner Christopher Graham said Google had broken the law when devices installed on its specialised cars collected the personal data. He told the company to delete the information "as soon as it is legally cleared to do so" and ordered an audit of its data protection practices.
Google admitted in May that it had collected "payload data" – information transmitted over a network when users log on – and said it was "acutely aware" it had failed to earn the public's trust over the incident. In a post published on its official blog on 22 September, the company admitted that "in some instances entire emails and URLs were captured, as well as passwords".
Mr Graham said: "It is my view that the collection of this information was not fair or lawful and constitutes a significant breach of the first principle of the Data Protection Act.
"The most appropriate and proportionate regulatory action in these circumstances is to get written legal assurance from Google that this will not happen again." He added that it would be followed with an Information Commissioner's Office (ICO) audit.
Peter Fleischer, Google's lawyer, said the company was "profoundly sorry for mistakenly collecting" the data. He added: "Since we announced our mistake in May we have co-operated closely with the ICO and worked to improve our internal controls. As we have said before, we did not want this data, have never used any of it, and have sought to delete it as quickly as possible. We are in the process of confirming that there are no outstanding legal obligations upon us to retain the data, and will then ensure that it is quickly and safely deleted."
The Metropolitan Police recently announced that they would not launch a criminal inquiry into the incident. The decision came after the US Federal Trade Commission ruled out direct action, while registering concerns that the information was collected.
The ICO now has plans to set up a panel of technology experts to advise the watchdog on the changing landscape of protecting privacy.
Alex Deane, director of the civil liberties blog Big Brother Watch, said: "The Information Commissioner's failure to take action is disgraceful. Ruling that Google has broken the law but taking no action against it shows the Commissioner to be a paper tiger. The Commissioner is an apologist for the worst offender in his sphere of responsibility, not a policeman of it."
The problem was uncovered in Germany and Google has since been found to have broken privacy laws in Canada and Australia as well as the UK.
The company's CEO, Eric Schmidt, stirred up controversy when he issued a warning to users about the trail of information they leave online, suggesting that many will be forced one day to change their names to escape their recorded digital past. He also told those who were unhappy at having their homes on Google Street View – for which the cars in question were taking photographs – that they "can just move".