The internet giant agreed in 2010 that it would delete the data, including personal communications and WiFi passwords, that was collected from people’s unsecured internet connections as the Street Views cars passed by. That followed a fine from the Information Commissioner’s Office. But now Google admits it failed to carry out that deletion fully, as the result of an oversight.
It is the latest twist in a recurring story that is doing great damage to Google’s reputation – not just its reputation for respecting people’s privacy but even for its basic competence in handling data. It comes after the revelation in April that a Google engineer had written software for the express purpose of picking up the data.
The trickle of admissions coming from Google, which was found to have obstructed investigations by American authorities but broken no laws, suggests that even this might not be the end of the tale. Google appears to be doing its best to draw a line under the episode, declining to comment further in response to the new reports.
The ICO says that Google’s failure to delete the data it acquired from the Street View software “appears to breach the undertaking”, but the ICO itself is not blameless. Privacy group Big Brother Watch has now criticised the data regulator for demanding deletion of the data in the first place, arguing that it should have investigated the content of what Google held more thoroughly. This time the ICO wants to see what data exists before it is finally deleted.
Indeed, in the light of developments since the ICO handed down its fine, the initial investigation has come to seem far too perfunctory, and the penalty too lenient. And having the controversy string out over a period of years has probably made Google look worse than if the facts had all been laid bare at once.
Google says it has never accessed the data, but this is hardly the point any more. This is now about whether big companies can be trusted to handle large amounts of personal data. To avoid similar situations in future, the ICO needs to have the power and inclination to investigate suspected data breaches thoroughly, and to enforce penalties that act as a real deterrent.