A U.K. regulatory group is giving Google 35 days to delete what remains of the data collected by its Street View cars in the U.K., and is using the threat of legal action to compel the company to comply.
The request, which was served to Google in the form of an enforcement notice from the Information Commissioner’s Office, the U.K. government’s data and privacy regulator, follows a reopening of an investigation into Google’s Street View project.
In 2010, that investigation revealed “a significant breach of the Data Protection Act,” when Google Street View cars collected payload data through the company’s Wi-Fi mapping efforts in the U.K., by scraping personal data including emails, URLs and passwords.
Google agreed to delete the payload data following that investigation, but when reaching this week’s decision, “the ICO also considered the discovery of additional disks containing payload data, which were located by Google while the reopened ICO investigation was in progress,” the group said Thursday in a statement.
“Today’s enforcement notice strengthens the action already taken by our office, placing a legal requirement on Google to delete the remaining payload data identified last year within the next 35 days and immediately inform the ICO if any further disks are found,” the ICO said.
“Failure to abide by the notice will be considered as contempt of court, which is a criminal offense,” the ICO said.
Google claims to be cooperating. “We work hard to get privacy right at Google,” a spokeswoman said in a statement. “But in this case we didn’t, which is why we quickly tightened up our systems to address the issue.”
“We cooperated fully with the ICO throughout its investigation, and having received its order this morning we are proceeding with our plan to delete the data,” the company said.
“The project leaders never wanted this data, and didn’t use it or even look at it,” the spokeswoman added.
Based on the ICO’s investigation, the breach failed to meet the level required to levy a financial penalty, the ICO said.
That assessment differs somewhat from that of German regulators, who levied a fine of €145,000 (US$190,000) against Google in April for the company’s gathering and storing of emails, photos, passwords and chat protocols from unprotected Wi-Fi networks using Street View cars.
In the U.S., Google has already entered into a settlement to pay $7 million related to complaints from dozens of states about unauthorized collection of personal data transmitted over Wi-Fi networks.
Google must be very careful about how it collects data going forward, according to the ICO.
“The early days of Google Street View should be seen as an example of what can go wrong if technology companies fail to understand how their products are using personal information,” said Stephen Eckersley, head of enforcement at ICO, in a statement.
“The punishment for this breach would have been far worse, if this payload data had not been contained,” he said.