WiFi Privacy Flap Shows Google Does Not Respect EU, Reding Says

By Clint Boulton  |  Posted 2010-05-18

Google continues to be under siege by regulators in Europe for accidentally scooping citizens' data from WiFi networks, with the European Union's justice commissioner claiming the company doesn't respect its rules.

The search engine May 14 admitted that its Street View Cars, which shoot pictures of streets and locales all over the world as a feature of Google Maps, had unwittingly captured 600GB of peoples' "payload data" from unsecured WiFi networks.

This includes e-mail, passwords and browsing habits culled from WiFi networks in the United States, Germany, Britain, Ireland, France, Brazil and Hong Kong over the last three years.

That the company said it did not use this data and is working with the affected countries to delete it was of little consolation to regulators in Europe, which along with U.S. regulators may investigate the company more fully for the sustained transgression against user privacy.

Viviane Reding, Justice Commissioner for the European Union in Brussels, said in a statement sent to eWEEK May 18 that it "is not acceptable that a company operating in the EU does not respect EU rules."

Reding added that she reminded Google co-founder Larry Page during a meeting last June that all companies that operate in the EU must abide by the European Union's high standards of data protection and privacy.

She noted that the processing of personal data by Google Street View falls within the scope of the Data Protection Directive 95/46/EC and is therefore subject to its provisions.

The fire burns hotter under Google elsewhere in Europe.

Johannes Caspar, the data protection supervisor for the city state of Hamburg in Germany, told the New York Times May 18 that it is giving Google until May 26 to hand over one of the hard drives that it had used to store information in Germany or he will consider fining the company.

"Up until now, all we have to go on at this point is what Google has told us that they have collected," Caspar told the Times. "But until we can inspect one of the hard drives ourselves, we will not know to what extent what kinds of data have actually been stored."

Street View is not yet available in Germany, ratcheting up the pressure on privacy watchdogs such as Caspar to save face by pushing Google hard for the data. Caspar said  he could impose fines on the company and could ask the state prosecutor in Hamburg to consider bringing charges against Google for "improper collection of private data."

Meanwhile, the UOOU, the Czech data protection agency, launched an administrative investigation into Google's practices, according to the Financial Times. The FTC may also open an inquiry into Google's admittance of data harvesting.

Google explained the WiFi data collection in this blog post May 14, but declined to add anything about the threats of action against the company when contacted by eWEEK May 18. "We don't have anything to add beyond what we've said in our blog post. We're continuing to have discussions with the relevant authorities," a spokesperson said.

Part of those discussions involve how best to go about deleting the data, and progress has already been made in Ireland, where Alex Stamos, partner for iSEC Partners, said he oversaw the physical destruction of four hard drives that housed payload data Google collected in Ireland.

"We can confirm that all data identified as being from Ireland was deleted over the weekend in the presence of an independent third party," wrote Alan Eustace, senior vice president of engineering and research at Google.

"We are reaching out to Data Protection Authorities in the other relevant countries about how to dispose of the remaining data as quickly as possible."

Rocket Fuel