Google unpunished for privacy breaches
A fresh probe into the collection of personal data by Google Street View vehicles has highlighted inadequacies in Australian privacy laws, experts have claimed.
The British Information Commissioner’s Office (ICO) is re-investigating Google over claims it deliberately collected personal data, including emails and passwords, when capturing images for its Street View maps service. The decision follows a US report by the Federal Communications Commission (FCC), which found Google’s claims that it was unaware its vehicles intercepted WiFi networks were untrue.
Australia’s privacy commissioner, Timothy Pilgrim, considered the new information contained in the FCC report but, on 29 May, decided he would not commence another investigation. He cited the department’s inability to impose enforceable undertakings as one reason for his decision.
While the ICO can fine organisations up to £500,000 for serious privacy breaches, the Australian regulator does not have the power to impose penalties or other remedies under the Privacy Act.
Graham Phillips (pictured), a partner and technology law specialist at Herbert Geer, told Lawyers Weekly that the privacy commissioner must be given greater powers by the Australian government if compliance with privacy legislation is to be taken seriously by organisations like Google.
“The Google Street View investigation is a reminder of the current limitations on the privacy commissioner’s powers,” he said. “Where there is a risk of penalties you would expect compliance to increase.”
In May 2010, Google admitted it had “inadvertently” collected personal data from private WiFi networks using its Street View cars. Two months later, Karen Curtis (the Australian privacy commissioner at the time) found Google guilty of breaching the Privacy Act.
While Google honoured Curtis’ directions, which included a privacy impact assessment on new Street View activities involving the collection of personal data, the undertakings were not enforceable.
This would change under the Attorney-General’s Bill (introduced 23 May) to amend the Privacy Act, which would give the privacy commissioner powers to make enforceable undertakings and seek court orders for compensation. The Bill represents the first stage of the government’s response to the Australian Law Reform Commission 2008 report on Australian privacy law and practice.
The strengthening of these powers would send a message to businesses, like Google, that there are serious consequences for privacy violations, said Phillips.
Commissioner Pilgrim also welcomed the changes. Referring to the Google case, he said the new Bill would give him “access to enforceable remedies for investigations of this type”.
The Bill, which is more than 230 pages, has been referred to the House of Representatives Standing Committee on Social Policy and Legal Affairs.