Google to improve privacy policies after ICO audit (TLT LLP)

Google to improve privacy policies after ICO audit

Updated September 2011

The Information Commissioner’s Office (ICO) has announced that it is satisfied with moves taken by Google to improve its privacy policies, but has also identified certain areas in which further improvements can be made. The ICO’s recommendations follow a recent audit by the ICO at Google’s London offices on 19 and 20 July 2011.

The ICO’s audit found that Google, on the whole, had made good progress in developing its privacy procedures. The audit drew particular attention to Google’s practice of ensuring that all new projects undertake a ‘privacy design document’ (in depth privacy assessment) before they start, the internal privacy structure developed across all functions of Google’s business and the privacy training provided to Google’s engineers and other staff.

The recommended areas of improvement for Google (as listed in the audit) were as follows:

Google was advised to incorporate a ‘privacy story’ in all existing products, providing users with information about the privacy features of those products.
Google was urged to ensure that all of its existing projects should also have a privacy design document.
The training provided by Google to its engineers should be developed to ensure that it reflects any issues identified in a relevant privacy design document.

Google agreed to this audit as part of an undertaking which it signed in November 2010, following an incident in which it was reported that Google’s Street View cars had collected wi-fi payload data as well as the location mapping information which was the purpose of their trips.

© TLT LLP 2011.

ICO given new powers to impose fines for marketing breaches (TLT LLP)

ICO given new powers to impose fines for marketing breaches

The Information Commissioner’s Office (ICO) has been granted new powers as a result of an amendment to the UK’s Privacy and Electronic Communications Regulations (PECR). The new powers, which came into effect on 25 May 2011, include:

Extended financial penalties: the ICO can impose a penalty of up to £500,000 for the most serious breaches of the PECR. This covers nuisance marketing emails, texts and phone calls.
Increased investigatory powers: the ICO can require telecoms companies and Internet Service Providers (ISPs) to provide information needed to investigate breaches of the PECR.
Compulsory notification when breaches occur: telecoms companies and ISPs must notify the ICO, and their customers, when a personal data breach occurs. A fixed penalty of £1,000 per offence will apply where personal data breaches are not notified.
Increased audit powers: the ICO can audit telecoms companies and ISPs for compliance with personal data breach notification requirements.
New rules for websites using cookies: the ICO will be responsible for ensuring compliance with new cookie consent requirements. (see Related publications).

The ICO will be issuing guidance on their new enforcement powers but the date for release is yet to be confirmed.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at June 2011. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.

© TLT LLP 2011. TLT LLP is a limited liability partnership registered in England and Wales number OC 308658.