Recently, the Information Commissioner's Office (ICO) in the UK decided to send a letter to Google informing Google that it has decided to reopen its investigation into Google Street View after the issuance of the US Federal Communications Commission's (FCC) report on Google Street View (which by the way, did not find Google Street View to be illegal).
The ICO's reason for reopening the investigations in the UK appears to be on the basis of new information coming to its attention. According to the letter, the ICO was informed by Google that the collection of personal data was a mistake. However, after its review of the FCC report, the ICO surmised that the personal data was possibly collected deliberately. Here is the ICO in their own words:
"However, during the course of our investigation we were specifically told by Google that it was a simple mistake and if the data was collected deliberately then it is clear that this is a different situation than was reported to us in April 2010"It remains to be seen what will come out of this second go at Google Street View (my guess here is that nothing much will come out of this review, or at the very most the ICO will obtain some form of undertakings from Google).
However, all this got me wondering whether any data protection authority in Asia will do the same. Will data protection authorities in Asia reopen any of their investigations into Google Street View?
Hong Kong did not commence a formal investigation into Google Street View, but managed to get certain undertakings from Google. The following points in the decision of the Hong Kong Privacy Commissioner are interesting:
- Mistake / Lack of intention. Like other data protection authorities, the Hong Kong Privacy Commissioner had accepted Google's assertion that Google had no intention to collect the personal data. However, as the FCC report suggests, the collection may have been deliberate.
- based on their analysis of the data collected, the Hong Kong decision mentions that only minimal amount of personal data was collected, and often only fragmented pieces of information was collected. The decision mentions that "no sensitive personal data, such as passwords or contents of the whole email messages, etc were detected".
However, the FCC report (section 25 of the report) refers to investigations in Canada, France and the Netherlands that confirmed that Google had collected large amounts of payload data, including data that was both intact and personally identifiable. Interestingly, the Dutch Data Protection Agency had also mentioned that the recorded data was not meaningless fragments, and that it was factually possible to capture 1 to over 2,500 packets per individual user in 0.2 seconds. This is interesting because the Hong Kong decision mentions that Google had provided an affidavit that the equipment "only collected fragments of information". Only fragments?
In any event, I think it is very unlikely that Hong Kong will reopen the investigation as Google was required to destroy the personal data as part of its undertakings to the Privacy Commissioner (you can't go back to review the personal data anymore), and the issue does not appear to be at the forefront of public discussion in Hong Kong. Also, the Privacy Commissioner already has undertakings from Google - which it believes is sufficient.The different experience between Hong Kong and the other countries makes me wonder why the Hong Kong experience was so different.
I don't usually consider Australia to be part of Asia ... (it is the Pacific part of "Asia Pacific") but it is worth noting that the Office of the Australian Information Commissioner has already decided not to open a new investigation into Google Street View.
What is interesting are the comments that the OAIC made in its press statement:
"I have considered the FCC's report and don't consider that a new investigation would reveal any information that would change our original finding. In the case of the 2010 Google investigation, undertakings were agreed between Google and the office as the Privacy Act does not currently allow me to impose any enforceable undertakings. I am pleased that the Government has introduced a Bill into the Parliament to amend the Privacy Act that will, amongst other things, give me access to enforceable remedies for investigations of this type." (emphasis added)
I wonder whether their decision not to reopen would have been different if they have an expanded suite of enforcement powers now. Enforceable undertakings are quite an effective and often-used measure for regulators in Australia as there would be the threat of legal consequences behind the undertaking.
It would be interesting to see what Korea will do here as the investigation of Street View appears to be still on-going. As you may know, the police raided the Google offices in Korea sometime back, and had determined that Google had breached privacy laws in Korea. The last I know of this is that the police have appeared to have sent this over to the prosecutors for legal action.
Honestly, with the exception of Korea where the matter does not appear to have concluded, I can't see data protection authorities in Asia reopening their closed investigations into Street View. What would be the harm which they are trying to protect against in the context of any information (new or otherwise) in the FCC report? Most regulators have already obtained undertakings or assurances that the information has been deleted, and that there will be no further collection of personal data. Regulators also have finite resources to expend. Finally, much of the furore or outcry from the ground has dissipated, and along with it the pressure on regulators to act.
I leave you with this parting thought. If Google wants to put the privacy-controversaurus dinosaur far behind it, it would be wise of them to drive their Street View car faster ... much faster ... not so much to escape from the lumbering giant but so that they don't spend too much time in one place collecting personal information about us.