Privacy Commissioner satisfied with Google’s response to her Office’s investigation into the company’s inappropriate collection of personal information from unsecured wireless networks across Canada, but plans further follow-up.
OTTAWA, June 6, 2011 – An investigation that revealed Google Inc. lacked proper controls to protect personal information has led to a commitment by the company to implement remedial measures that will reduce the risk of future privacy violations, says Privacy Commissioner of Canada Jennifer Stoddart.
“Google appears to be well on the way to resolving serious shortcomings in the way in which it addresses privacy issues,” says Commissioner Stoddart. “However, given the significance of the problems we found during our investigation, we will continue to monitor how Google implements our recommendations.”
The Privacy Commissioner has requested that Google undergo an independent, third-party audit of its privacy programs within a year and share the results with her Office. An audit will help measure the effectiveness of Google’s proposed measures vis-à-vis its overall privacy compliance regime.
This is the first time the Commissioner has asked a company to undergo an independent audit. In order to strengthen accountability going forward, organizations may, in appropriate cases, be asked to file independent, third-party reports attesting to the fact that they have lived up to their commitments and have complied with the Commissioner’s recommendations.
“Google is a world leader in innovation and, by its own admission, it pursues ideas which push the limits of social norms and technologies. As such, the company has an added responsibility to ensure that privacy protection gets the attention it deserves. Unfortunately, past history suggests that has not been the case until now,” she says.
The Privacy Commissioner initiated an investigation under the federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act, or PIPEDA, after Google admitted that its cars – which were photographing neighbourhoods for its Street View map service – had collected data transmitted over unprotected wireless networks installed in homes and businesses around the globe. It’s likely that thousands of Canadians were affected.
The personal information collected included complete e-mails, e-mail addresses, usernames and passwords, names, home telephone numbers and addresses, and even the names of people suffering from certain medical conditions.
The investigation concluded that the incident was largely a result of Google’s lack of proper privacy policies and procedures.
The Office of the Privacy Commissioner issued its findings and recommendations in October 2010 and asked for a response by February 2011. Google responded and subsequently provided clarification of certain issues at the request of the Office of the Privacy Commissioner.
The Privacy Commissioner is now satisfied with the measures that Google has agreed to implement, including:
- Significantly augmenting privacy and security training provided to all employees;
- Implementing a system for tracking all projects that collect, use or store personal information and for holding the engineers and managers responsible for those projects accountable for privacy;
- Requiring engineering project leaders to draft, maintain, submit and update Privacy Design Documents for all projects in order to help ensure engineering and product teams assess the privacy impact of their products and services from inception through launch;
- Assigning an internal audit team to conduct periodic audits to verify the completion of selected Privacy Design Documents and their review by the appropriate managers; and
- Piloting a review process whereby members of Google’s Privacy Engineering, Product Counsel and Privacy Counsel teams review proposals involving location-based data, as well as the software programs that are to be used for the collection of data.
Additionally, Google has advised that it has begun to delete the data it collected in Canada. This process has been complicated by various rules and regulations that the company is subject to under Canadian and U.S. laws. The company has stated that, until such time as the data can be fully destroyed, it will remain secured and will not be used.
The Office of the Privacy Commissioner will follow up with Google next year to gauge full implementation of its recommendations. At that time, the Privacy Commissioner will determine whether and how best to pursue the matter in accordance with her authorities under the Act.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two pieces of federal legislation: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to commercial activities in all provinces, except British Columbia, Alberta and Quebec, which have enacted substantially similar legislation.
I’m trying to find out if Google has actually agreed to undergo the independent third-party audit. Will update this post when I find out.
Update 1: The Privacy Commissioner’s Office didn’t give me a yes or no and referred me to one of Google’s attorneys. I’ve emailed her to ask. More when I have it….
Update 2: I received a response from a Google spokesperson:
As we have said before, we are sorry for having mistakenly collected payload data from unencrypted networks. We have worked with the Office of the Privacy Commissioner throughout their investigation. We are pleased that the OPC has determined that our proposed measures will meet their requirements.
We have received the recommendation for third party assessment and look forward to discussing with the Office of the Privacy Commissioner.
So it appears that they haven’t agreed to the request – at least, not yet.