Royaume-Uni: Google, WiFi et vie privée (2)

En juillet et octobre 2012, Google a informé l'Information Commissioner's Office (ICO) du Royaume-Uni être en possession de disques durs contenant des données dites "de contenu" collectées via des réseaux WiFi par le biais de Google Street View alors que ceux-ci auraient dû être détruits (billet).  

Après analyse, l'ICO est d'avis que l'entreprise n'a pas respectée l'un des principes de protection des renseignements personnels du Data Protection Act 1998, plus particulièrement le cinquième principe (Partie I, Annexe 1) qui se lit comme suit: 

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

Partant, l'ICO donne 35 jours à Google pour détruire lesdites données sous peine d'outrage. Ainsi, on peut lire dans la décision du 11 juin 2013 que:

"The Commissioner is of the view that, in respect of the retention of payload data collected by Street View vehicles in the UK, the data controller has contravened the Fifth Data Protection Principle in that they did not erase the payload data referred to in paragraph 5 above. 

The data controller has given an explanation for their failure to erase the payload data referred to in paragraph 5 above. However, the Commissioner is still concerned that other discs holding payload data may have been overlooked during the destruction process.

The Commissioner considered, as he is required to do under section 40(2) of the Act when deciding whether to serve an Enforcement Notice, whether any contravention has caused or is likely to cause any person damage or distress. The Commissioner took the view that the likelihood of distress is self-evident. Individuals whose personal data has been collected by the data controller are likely to suffer worry and anxiety on account of the fact that other discs holding payload data may not have been destroyed.

In view of the matters referred to above the Commissioner hereby gives notice that, in exercise of his powers under section 40 of the Act, he requires that:

(1) Within 35 days of the date of this notice the data controller shall securely destroy any personal data within the meaning of the Data Protection Act 1998 held on vehicle discs and collected in the UK using Street View vehicles (to the extent that the data controller has no other legal obligations to retain such data) and,

(2) If the data controller subsequently discovers a Street View vehicle disk holding personal data and collected in the UK it shall promptly inform the Information Commissioner."

(Source: ICO Enforcement Notice, June 11, 2013)

et, selon Stephen Eckersley de l'ICO:

"Today’s enforcement notice strengthens the action already taken by our office, placing a legal requirement on Google to delete the remaining payload data identified last year within the next 35 days and immediately inform the ICO if any further disks are found. Failure to abide by the notice will be considered as contempt of court, which is a criminal offence."

(Source: ICO News Release, June 21, 2013)

Pour aller plus loin, voir notamment:

• INFORMATION COMMISSIONER'S OFFICE OF THE UNITED KINGDOM: 
• Enforcement Notice, June 11, 2013. 
• "Further action for Google over Wi-Fi data collection", News Release, June 11, 2013.