Google Has 35 Days To Delete UK “SpyView” Data Or Face “Criminal Action”

The UK data protection authority Information Commissioner’s Office (ICO) has served notice that Google must destroy personal information obtained from its Street View WiFi “payload” data collection within 35 days. While Google has a right to appeal the decision, a refusal to comply (absent an appeal) is considered a “criminal office” and could result in prosecution.

The ICO letter (.pdf and below) is dated June 11, so the deadline would be mid-July.

This ultimatum is the culmination of a UK investigation that began in 2010 following the “WiSpy” revelations that launched investigations in the US and throughout Europe. Google has received some modest fines in Europe and the US but largely escaped any major consequences for the episode.

The renewed publicity is unwelcome at a time when Google is seeking to present itself as a champion of transparency and consumer privacy in the wake of the recent NSA surveillance disclosures.

The first revelation that Google had collected sensitive ”payload” information came in May 2010. Google cofounder Sergey Brin admitted the problem at Google’s I/O developer conference and characterized it as a “mistake.”

A subsequent FCC investigation revealed that the data capture was intentional and instigated by an engineer at Google who believed the data might be useful to Google later. Because the engineer invoked his 5th Amendment against self-incrimination, the FCC decided not to pursue a criminal case against Google.

After the FCC report, the UK reopened its own investigation and the deadline above is a result. Google is currently facing multiple privacy related investigations and demands in Europe, including a pan-European ultimatum to make changes in its consolidated privacy policy or face fines.

The ICO demand to destroy the personal “payload” data is contained in the letter below:

Within 35 days of the date of this notice the data controller [Google] shall securely destroy any personal data within the meaning of the Data Protection Act 1998 held on vehicle discs and collected in the UK using Street View vehicles (to the extent that the data controller has no other legal obligations to retain such data) and, If the data controller subsequently discovers a StreetView vehicle disk holding personal data and collected in the UK it shall promptly inform the Information Commissioner.

About The Author

Greg Sterling

Greg Sterling is a Contributing Editor at Search Engine Land. He writes about the connections between digital and offline commerce. He previously held leadership roles at LSA, The Kelsey Group and TechTV. Follow him Twitter or find him on LinkedIn.