Ireland has strange Regulators, as we have learned. For example, what is the Irish Data Protection Commissioner doing about the Google “Street View” scandal?
The scandal involved the deliberate collection, by Google, of wi-fi data, through its Street View vehicles. Google Street View is part of Google Maps and Google Earth. It uses adapted vehicles (mostly cars) to travel through public locations in at least thirty countries in the world. The vehicles have cameras to record a 360-degree view of each location.
I saw one in Dublin in August.
While it was using the vehicles as a camera platform, Google also used them to secretly collect data passing over wireless networks. That data would be all, or part, of emails, passwords, videos, audio files, documents and network names.
Seemingly, German privacy authorities discovered this Google secret early in 2010 and launched an investigation. A proper investigation would require that the evidence be preserved, would it not? Here’s what Google put up on its website:
“On Friday May 14 the Irish Data Protection Authority asked us to delete the payload data we collected in error in Ireland. We can confirm that all data identified as being from Ireland was deleted over the weekend in the presence of an independent third party. We are reaching out to Data Protection Authorities in the other relevant countries about how to dispose of the remaining data as quickly as possible.”
This was more than the Data Protection Commissioner told us. In fact he told us nothing of the issue. Here’s his website.
Google’s reference to the data being “…collected in error…” was disingenuous. The data was collected calculatedly.
Bank robbery is irresistible if the only sanction is that you have to give the money back if you are caught.
Did we actually get our money back?
I think the issue here is that justice, while it may have been done, wasn’t seen to have been done. Also, in the absence of any substantive penalties for breaches of the DPA, the teeth that the DPC has are blunt at best.
I would like to see the DPC adopt the approach of the ICO in the UK where they tweet out information about investigations, including details of the undertakings that are entered into by errant knaves who breach the UK DPA. This is an excellent and timely resource for professionals in the field.
That takes care of amplifying the bark (or the tweet), but penalties need to be in place to put some teeth into the bite, I fear.
I’ve blogged about how changes to the penalties for breaches of DP regulations are likely to be an inevitable evolution – see http://blogs.ics.ie/dp
Also, re: the specifics of the investigation, if the offence being investigated was that Google had processed personal data excessive to their specific purpose, then the remedy open to the Irish DPC is to issue an enforcement notice requiring the data be deleted. The offence is to have the data; the evidence that is required is evidence of its secure destruction.
The s.22 offence of “disclosure of personal data obtained without authority” requires that the person who captures the data have disclosed it to another party. This does not appear to have been the case – the offence committed was likely to be one of excessive processing.
Of course, if we consider the implications of the Criminal Damage Act 1991 or the Criminal Justice (Theft & Fraud Offences) Act 2001, then an investigation requiring a chain of evidence might be needed. However, under both of these an intent, and in the case of the Fraud Offences a dishonest intent, must be shown.
And as Google has manifestly undertaken to “Not be Evil”, such dishonest intent would surely be out of character?
But ultimately, I’m not a qualified solicitor or barrister so my comments are the ramblings of a man on the omnibus of your choice.
However, the DPC should have made a lot more of this issue. Perhaps their marketing and communications budget has suffered under the recent swathe of cutbacks.