Internet search services provider Google Inc, US, contravened Canadian privacy law when it inappropriately collected personal information from unsecured wireless networks in neighbourhoods across the country, an investigation has found. The Privacy Commissioner's investigation also concluded that the incident was the result of an engineer's careless error as well as a lack of controls to ensure that necessary procedures to protect privacy were followed.
The personal information collected included complete e-mails, e-mail addresses, usernames and passwords, names and residential telephone numbers and addresses. Some of the captured information was very sensitive, such as a list that provided the names of people suffering from certain medical conditions, along with their telephone numbers and addresses. It is likely that thousands of Canadians were affected by the incident.
Technical experts from the Office of the Privacy Commissioner travelled to the company's offices in Mountain View, Calif. in order to perform an on-site examination of the data that was collected. They conducted an automated search for data that appeared to constitute personal information.
To protect privacy, the experts manually examined only a small sample of data flagged by the automated search. The Privacy Commissioner launched an investigation under the federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act, or PIPEDA, after Google revealed that its cars had inadvertently collected data transmitted over wireless networks installed in homes and businesses across Canada and around the world over a period of several years. The networks were not password protected or encrypted.
In light of the investigation, Privacy Commissioner, Jennifer Stoddart, recommended that Google ensure it has a governance model in place to comply with privacy laws. The model should include controls to ensure that necessary procedures to protect privacy are duly followed before products are launched.
The Commissioner has also recommended that Google enhance privacy training to foster compliance amongst all employees. As well, she called on Google to designate an individual or individuals responsible for privacy issues and for complying with the organisation's privacy obligations - a requirement under Canadian privacy law.
It was also recommended that Google delete the Canadian payload data it collected, to the extent that the company does not have any outstanding obligations under Canadian and American laws preventing it from doing so, such as preserving evidence related to legal proceedings. If the Canadian payload data cannot immediately be deleted, it needs to be secured and access to it must be restricted. The Privacy Commissioner will consider the matter resolved upon receiving, by February 1, 2011, confirmation from Google that it has implemented the recommendations.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.
Search for more google information
To access our daily STM news feed through your iPhone, iPad, or other smartphones, please visit www.myscoope.com for a mobile friendly reading experience.
