Google sent cars with roof-mounted cameras around the UK's cities last year to photograph the streets for its photo-map Street View service. It emerged earlier this year that the cars also mapped where there were open Wi-Fi spots, and that snippets of data were gathered and stored in this process.
The ICO cleared that activity as not being an infringement of the Data Protection Act, which it is responsible for enforcing, in July. But earlier this month research by the Canadian Privacy Commissioner revealed that significant personal information, including whole emails; usernames; passwords; and addresses were gathered and stored by Google.
The ICO has now announced that it will take some action against the company, but will stop short of imposing fines. It recently won additional powers to fine organisations up to £500,000
"The Commissioner has rejected calls for a monetary penalty to be imposed but is well placed to take further regulatory action if the undertaking is not fully complied with," said an ICO statement.
Instead, Google will be made to sign an undertaking to improve its data protection practices and will face an audit of existing policies and practices.
"The Commissioner has concluded that there was a significant breach of the Data Protection Act when Google Street View cars collected payload data as part of their Wi-Fi mapping exercise in the UK," said the ICO statement. "He has instructed Google UK to sign an undertaking in which the company commits to take action to ensure that breaches of this kind cannot happen again. An audit of Google UK’s Data Protection practices will also be undertaken."
"Following the admission by Google that personal data had indeed been collected, and the fact that Google used the same technology in the UK, the Commissioner decided that formal action was necessary," it said. "The Commissioner is also requiring Google to delete the payload data collected in the UK as soon as it is legally cleared to do so. The Metropolitan Police has indicated that they are not pursuing an investigation."
ICO guidance published when its powers to fine were increased in April of this year outlined the situations in which it could use those powers.
"The Commissioner may impose a monetary penalty notice if a data controller has seriously contravened the data protection principles and the contravention was of a kind likely to cause substantial damage or substantial distress," the guidance said. "In addition the contravention must either have been deliberate or the data controller must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it."
Information Commissioner Christopher Graham defended the decision not to impose a fine.
"The most appropriate and proportionate regulatory action in these circumstances is to get written legal assurance from Google that this will not happen again – and to follow this up with an ICO audit," he said.