In a Preliminary Letter of Findings issued yesterday, Canadian Privacy Commissioner Jennifer Stoddart found that Google’s collection of payload data from unencrypted Wi-Fi networks by Google’s Street View cars violated Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”).
Canada’s Office of the Privacy Commissioner (“OPC”) conducted an investigation of Google, including examining the payload data collected from Canadian residents. OPC examiners found that Google captured personal information, such as email addresses, complete email messages, addresses and phone numbers, and included sensitive personal information such as medical information. OPC also found that the error was caused by a design engineer’s “careless error” by failing to follow Google’s design review procedures.
OPC found that by inadvertently collecting the unencrypted Wi-Fi data, Google violated PIPEDA Principles because: (1) it did not have consent of the individuals from whom the personal information was collected (Principle 4.3); (2) it did not identify a purpose for the collection of the data (Principle 4.2); and (3) the collection was not limited to necessary data (Principle 4.4).
As a result of the investigation, Commissioner Stoddart recommended that: (1) Google reexamine and improve employee privacy training; (2) ensure that it has effective procedures to protect privacy and controls to ensure they are followed prior to the launch of any product; (3) designate individuals who are accountable for compliance with Canadian privacy law; and (4) delete the Canadian payload data to the extent it is allowed to do so under Canadian and U.S. laws. The Preliminary Letter of Findings gives Google until February 1, 2011 to comply with these recommendations.