News

ARCHIVED - Backgrounder

Privacy Commissioner's investigation of WiFi data collection by Google Inc.

OTTAWA, June 6, 2011 – Key dates related to Office of the Privacy Commissioner of Canada’s investigation into Google Inc.’s collection of data from unsecured wireless networks:

May 2010

Following an audit request from the Hamburg Data Protection Authority in Germany, Google discovered that it had been collecting payload data from unsecured wireless networks as its cars gathered images of neighbourhoods around the world for its Street View map service.

May 31, 2010

The Office of the Privacy Commissioner of Canada initiated three complaints against Google and began an investigation.

October 15, 2010

The Office issued a preliminary letter of findings to Google.

The investigation found that Google had contravened Canadian privacy law.  The Privacy Commissioner recommended that the company: enhance privacy training to foster compliance amongst all employees; designate an individual or individuals responsible for privacy issues; delete the Canadian data it collected, to the extent that the company does not have any outstanding obligations under Canadian and American laws preventing it from doing so, such as preserving evidence related to legal proceedings.

In a news release, Privacy Commissioner Jennifer Stoddart stated:  “The impact of new and rapidly evolving technologies on modern life is undeniably exciting.  However, the consequences for people can be grave if the potential privacy implications aren’t properly considered at the development stage of these new technologies.”

February 2011

Following meetings with company representatives and counsel, Google submitted written representations in response to the investigation recommendations.  The Office of the Privacy Commissioner subsequently requests clarification on certain issues.

June 6, 2011

The Office of the Privacy Commissioner makes public its Report of Findings.

The Privacy Commissioner stated she was satisfied with the measures that Google had agreed to implement, including:

  • Significantly augmenting privacy and security training provided to all employees;
  • Implementing a system for tracking all projects that collect, use or store personal information and for holding the engineers and managers responsible for those projects accountable for privacy;
  • Requiring engineering project leaders to draft, maintain, submit and update Privacy Design Documents for all projects in order to help ensure engineering and product teams assess the privacy impact of their products and services from inception through launch;
  • Assign an internal audit team to conduct periodic audits to verify the completion of selected Privacy Design Documents and their review by the appropriate managers; and
  • Pilot a review process whereby members of Google’s Privacy Engineering, Product Counsel and Privacy Counsel teams review proposals involving location-based data, as well as the software programs that are to be used for the collection of data.

Additionally, Google had begun to delete the data it collected in Canada. 

2012

The Privacy Commissioner requested that Google undergo an independent, third-party audit of its privacy programs and share the results with her Office by June 2012.  The Office of the Privacy Commissioner will follow up with Google to gauge full implementation of its recommendations.  At that time, the Privacy Commissioner will determine whether and how best to pursue the matter in accordance with her authorities under the Act.

For more information (media only), contact:

Valerie Lawton
Office of the Privacy Commissioner of Canada
E-mail: Valerie.Lawton@priv.gc.ca