After an investigation into Google’s lack of proper controls to protect personal information, Privacy Commissioner of Canada Jennifer Stoddart has now signed off on a number of changes the organization has made.
“Google appears to be well on the way to resolving serious shortcomings in the way in which it addresses privacy issues,” says Commissioner Stoddart. “However, given the significance of the problems we found during our investigation, we will continue to monitor how Google implements our recommendations.”
The Privacy Commissioner’s office made a request to the Internet giant to undergo an independent, third-party audit of its privacy programs within a year and share the results with her Office. An audit will help measure the effectiveness of Google’s proposed measures vis-à-vis its overall privacy compliance regime.
This is the first time the Commissioner has asked a company to undergo an independent audit. In order to strengthen accountability going forward, organizations may, in appropriate cases, be asked to file independent, third-party reports attesting to the fact that they have lived up to their commitments and have complied with the Commissioner’s recommendations.
“Google is a world leader in innovation and, by its own admission, it pursues ideas which push the limits of social norms and technologies. As such, the company has an added responsibility to ensure that privacy protection gets the attention it deserves. Unfortunately, past history suggests that has not been the case until now,” she says.
The Privacy Commissioner initiated an investigation under the federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act, or PIPEDA, after Google admitted that its cars – which were photographing neighbourhoods for its Street View map service – had collected data transmitted over unprotected wireless networks installed in homes and businesses around the globe. It’s likely that thousands of Canadians were affected.
With Google being such a powerhouse on the Internet and collecting all types of consumer and business data, including e-mails, e-mail addresses, usernames and passwords, names, home telephone numbers and addresses, and even the names of people suffering from certain medical conditions, it would make sense to ensure the company complies with the utmost level of privacy.
The investigation concluded that the incident was largely a result of Google’s lack of proper privacy policies and procedures.
The Office of the Privacy Commissioner issued its findings and recommendations in October 2010 and asked for a response by February 2011. Google responded and subsequently provided clarification of certain issues at the request of the Office of the Privacy Commissioner.
The Privacy Commissioner is now satisfied with the measures that Google has agreed to implement, including:
- Significantly augmenting privacy and security training provided to all employees;
- Implementing a system for tracking all projects that collect, use or store personal information and for holding the engineers and managers responsible for those projects accountable for privacy;
- Requiring engineering project leaders to draft, maintain, submit and update Privacy Design Documents for all projects in order to help ensure engineering and product teams assess the privacy impact of their products and services from inception through launch;
- Assigning an internal audit team to conduct periodic audits to verify the completion of selected Privacy Design Documents and their review by the appropriate managers; and
- Piloting a review process whereby members of Google’s Privacy Engineering, Product Counsel and Privacy Counsel teams review proposals involving location-based data, as well as the software programs that are to be used for the collection of data.
Additionally, Google has advised that it has begun to delete the data it collected in Canada. This process has been complicated by various rules and regulations that the company is subject to under Canadian and U.S. laws. The company has stated that, until such time as the data can be fully destroyed, it will remain secured and will not be used.
So for now, it looks like Google is back in the good-guy books, but it will only be a matter of time before the company has to come back to the table and explain how it is doing everything to protect users’ privacy. Next time, it will most likely be a result of Google’s social strategy, to which the company is devoting increased effort.