Google Street View breached PIPEDA by collecting personal information from wi-fi networks

Following an investigation, the Privacy Commissioner of Canada has concluded that Google breached Canadian privacy laws by inadvertently allowing its Google Street View cars to collect personal information from unencrypted Wi-Fi networks. The Commissioner alleges that Google violated the Personal Information Protection and Electronic Documents Act (PIPEDA) by collecting this information in the course of determining the location of publicly broadcast Wi-Fi radio signals. The personal information collected included personal addresses, email addresses, usernames and passwords, telephone numbers and health information, and likely affected thousands of Canadians.

The Commissioner concluded that this collection of personal information was in violation of PIPEDA, as it was carried out without the knowledge or consent of the individual, that no purpose for the collection was identified and that the collection was not limited to the purpose for which it was carried out (since no purpose had been identified).

The Commissioner stated that "Google did capture personal information – and, in some cases, highly sensitive personal information such as complete emails." This characterization of email as “highly sensitive” is of particular note as under PIPEDA, more “sensitive” information is more likely to require express consent, and is subject to increased safeguards.

A spokesperson for Google indicated that the collection of personal information from unencrypted Wi-Fi networks was unintentional, and resulted from the actions of one of their engineers who was responsible for drafting the code used in the launch of a location-based service. However, the Commissioner characterized it as “the result of a careless error — one that could easily have been avoided.”

The Commissioner recommended that Google destroy any personal information collected as a result of this breach, and where this is not possible, to provide adequate safeguards to protect it. Google was also instructed to ensure that it had an appropriate privacy policy in place, and to ensure that its employees were properly trained in respect of their obligations under privacy law. The Commissioner set a February 1, 2011 deadline for Google to delete all the inappropriately collected information, and to implement an appropriate privacy policy. If Google complies with the Commissioner’s requests by the deadline, the matter will be considered resolved.