[JURIST] Canadian Privacy Commissioner Jennifer Stoddart [official website] announced Tuesday that Google [corporate website; JURIST news archive] was in violation of the Personal Information Protection and Electronic Documents Act [text, PDF] (PIPEDA) when it unintentionally captured personal information while taking pictures for its Google Street View feature [website]. A preliminary letter of findings [text] explained that Google specifically violated principles 4.1 – 4.4 of PIPEDA, which details a company’s liability when employee error results in private data collection and states that the company must provide the purpose for the data collection, that individuals must consent to the data collection and that data collection must be limited to what is necessary for the organization. Stoddart revealed that Google collected [press release] complete e-mails, e-mail addresses, personal medical information, usernames and passwords, and names with corresponding telephone numbers and addresses. Google alleged that the breach was due to carelessness. Stoddart agreed and recommended that Google implement greater controls, administer privacy training and delete the data they have collected from Canadians. Google has yet to make an official comment on the finding, although the preliminary letter of findings indicated the company’s cooperation:
Google informed our Office that engineering and product teams are accountable for complying with Google’s privacy policies and principles. Google then stated that it is working towards improving its code-and-product review processes, as well as accountability mechanisms, for engineering and product management personnel in order to improve their sensitivity to privacy issues at all stages of product and code development. A legal team is working with engineering directors to ensure a comprehensive review of codes for any privacy issues. Google believes that the review of its policies and procedures that it has undertaken will ensure no recurrences. Google stated that it will keep this Office informed as Google completes its review.
Canada launched the investigation in June [JURIST report]. The commission has given Google until February 1 to carry out its recommendations, although it did not address what actions would be taken if Google did not comply.
Google has been under scrutiny from several other nations in relation to its data collection policies. Australia’s privacy commissioner reached the same conclusion as Canada’s, declaring Google in violation of national privacy laws [JURIST report] in July. Both the UK and Connecticut launched investigations against the company in June for collecting image data over unsecured wireless networks for the Google Street View feature [JURIST reports]. Google testified to the US House of Representatives that any privacy violations were lawful mistakes [JURIST report]. Belgium, the Czech Republic, France, Germany, Italy, Spain and Switzerland have also asked Google to retain data collected in those respective nations. Canada has pursued other outlets for violation of privacy laws related to data-sharing, including launching an investigation [JURIST report] of Facebook [official website] in January and finding the Society for Worldwide Interbank Financial Telecommunication (SWIFT) [official website] not in violation of privacy laws [JURIST report] when sharing financial information with the US after 9/11.