Google Penalized For Violating Data Protection Law

By Author: eccuni
Total Articles: 211
Comment this article

Recently, French regulator CNIL fined Google for violating data protection laws. The authorities imposed a fine of 100,000 euros on Google for unauthorized collection of personal information from Wi-Fi networks, while capturing pictures for the company’s Street View service. While, the pictures were taken for enhancing the location finder ability of the service, it also resulted in capture of personal data such as login information, e-mail messages, mac addresses and other personal data from private and unencrypted Wi-Fi networks. The information was collected without the approval of the concerned individuals. Google started deploying vehicles with multi- dimensional cameras in 2007 to gather panoramic views of streets. The vehicles are called as street cars and the latest version has 15 lenses to capture 360 degree pictures.

CNIL started investigating the data breach case last year. Google subsequently admitted that over 600GB of data was accidentally collected. The company apologized and ensured that personal data will not be collected. However, regulators observed that Google continues to collect information such ...
... as details regarding access points through Latitude. Latitude is a mobile application, which allows users to enable other users to view their location. CNIL claimed that Google collects the data, without the knowledge of the users. According to the regulator, Google denied access to source code of software used to gather data for the street view. The French regulator also claimed that Google refused to inform users in France on the use of their phones to collect data on Wi-Fi networks. Data protection authorities in several other countries are also investigating the alleged data breach by Google.

Unauthorized data collection not only violates the privacy of the affected individuals, but also compromises information security. The extracted information could be misused for tracking user activity, analyzing trends and promoting products. Individuals having access to the collected information may also misuse them for unscrupulous purpose. While organizations must make use of technological advancements to improve services provided to the customers, they must ensure that they do not infringe on the privacy of the users. Data and privacy breach incidents may also have legal, financial and reputational implications for the business.

Data and privacy breach may be caused by intentional collection or dissemination of information, accidental disclosure, insider theft, security flaws and computer intrusions. Hiring IT professionals qualified in penetration testing, masters of security science, security audit and other security certifications would enable organizations in timely identification and mitigation of threat vectors.

Organizations must adhere to data protection laws and must take consent of the customer for using the data as required by the laws of the respective countries. Access to privileged data must be restricted to select users. Employees could be trained on security threats and data protection requirements through online degree and e-learning programs. Organizations must have proper monitoring mechanisms in place to track any unauthorized employee activity. IT professionals could also be encouraged to undertake online university degree programs on IT security and data protection to enable them to devise appropriate data protection mechanisms in the organization.