Czech inquiry falls in line with international suits, as Internet giant calls incidents “accident”

Internet giant Google has apologized for the interception of personal data from Wi-Fi networks while gathering information for its Street View service. The expressed regret comes a month after the Czech Office for Personal Data Protection launched a probe into the company’s activities.

Peter Barron, Google’s director of communications for North and Central Europe, said the company was sorry for its “accidental collection” of personal information from the public’s Wi-Fi networks.

“We are determined to learn the lessons from this mistake,” he said in an interview with the BBC May 22. “Collection of data is not to know anything about you as an individual; it is about providing a better service.”

The mea culpa comes as data protection agencies across the globe launched investigations into Google’s activities after the company admitted May 17 that its fleet of Street View vehicles, used for the collection of images for its Google Maps service, had intercepted communications sent over unsecured wireless networks in people’s homes. The data, totaling 600 gigabytes (GB), was collected from 30 countries over the past three years.

“We screwed up,” said Sergey Brin, the company’s co-founder, at the opening of Google’s conference for software developers in San Francisco May 20. Google is adding to its internal controls after it mistakenly captured the data, he added.

Investigations have been launched in several countries including Australia, the United States and Italy to see whether the tech giant has breached data protection and computer hacking laws. In the United States, Google is facing an investigation by the Federal Trade Commission and a class action lawsuit that could force the company to pay up to $10,000 (8,200 euros/211,200 Kč) each time it records data from unprotected hotspots. Meanwhile, in Germany, Hamburg prosecutors are conducting a criminal investigation.

Locally, the Czech Office for Personal Data Protection said its case was based on Google’s failure to “fulfill conditions of registration” for the collection of personal data as prescribed by Czech law.

“Google has not complied with the registration requirement imposed by law for the personal data controllers who intend to process personal data,” Czech Office for Personal Data Protection spokeswoman Hana Štěpánková told The Prague Post. “Their intentions are not justified by any specific law.”

According to the agency, Google could face a fine of up to 392,000 euros for the breach.

Privacy experts speculated the incidents may have exposed a significant oversight in Google’s operations.

“Google must have accessed a lot of passwords and data when carrying out the unauthorized data collection. I do not understand why Google did not address the possible risk of its actions in advance,” said Kateřina Hlatká, a spokeswoman for local privacy group Iuridicum Remedium. “Perhaps it is easier for them to go out there in the first place and deal with the risks involved afterward.”

Hlatká added that she supported the Czech Office for Personal Data Protection investigation.

“At least it will be a deterrent case for other companies,” she said.

Meanwhile, Simon Davies, director of Privacy International, said the incident was a massive blow for Google’s credibility: “This is a cock-up that makes even the most unconcerned wonder if they could believe a company claim ever again.”

“How did nobody notice there was 600 GB of data that wasn’t meant to be there?” he said, according to The Financial Times. “Something is amiss, frankly, in the whole story.”

This is not the first time Google’s Street View project has come under scrutiny. Earlier this year, the company said it might cancel the Street View service in the EU due to the unmanageable requests of the European Commission, including a demand that residents be notified before cameras were sent out.

In November 2009, Switzerland’s Federal Data Protection and Information Commissioner said the agency would be suing Google because a number of faces and vehicle number plates “are not made sufficiently unrecognizable from the point of view of data protection” in the Street View service. Meanwhile, shortly after its UK launch in March last year, Privacy International sent a formal complaint about the service to the UK data protection agency, the Information Commissioners Office (ICO), which cited more than 200 reports from members of the public who were identifiable in Street View images.

The latest incident has prompted a number of agencies, including the ICO and the Irish Data Protection Authority, to ask Google to delete all of the personal information it has collected from their respective countries.

Privacy International said it is against such a move, saying it is unlawful.

“Privacy International believes this instruction is based on advice that is ill-informed and irresponsible, as the action may be unlawful,” it said in an open letter to EU privacy commissioners. “We urge Google to politely ignore these instructions and, instead, securely store the data with a trusted third party pending further investigation.”

The letter added that destroying any data would constitute a destruction of evidence.