Friday, 5 July 2013

Google faces threat of £500k fine as privacy policies slammed by ICO

Google has been told that it must update its privacy policies to comply with UK laws or face the risk of a fine of up to £500,000.

Google pushed ahead with a number of major policy changes last year, causing uproar at the time, and the Information Commissioner’s Office (ICO) vowed to investigate.

Now, in an update on its work, the data watchdog said it believes Google’s policies are not in line with UK law and should be updated. 

“We have today written to Google to confirm our findings relating to the update of the company’s privacy policy,” an ICO spokesperson said in a statement.

“In our letter we confirm that its updated privacy policy raises serious questions about its compliance with the UK Data Protection Act.”

The spokesperson said that the main issues the ICO has relate to the clarity of the policies in place.

“In particular, we believe that the updated policy does not provide sufficient information to enable UK users of Google’s services to understand how their data will be used across all of the company’s products,” they said.

As a result, it must update the policies or face a potential fine from the watchdog.

“Google must now amend their privacy policy to make it more informative for individual service users,” the ICO said.
“Failure to take the necessary action to improve the policies' compliance with the Data Protection Act by 20 September will leave the company open to the possibility of formal enforcement action.”
In response, Google issued a vague statement claiming it does adhere to UK laws, but it made no direct comment on the ICO's letter or its contents.
“Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the authorities involved throughout this process, and we’ll continue to do so going forward.”
While the ICO's stance is likely to be welcomed by privacy campaigners and shows the regulator baring its teeth, the threat of a fine of £500,000 is unlikely to have executives at the firm worried, although the reputational damage from such an outcome could be more of an issue.
The move is the second time in recent weeks that the ICO has taken action against Google. It has already told the organisation it must delete Street View WiFi data by 25 July.

Four big Dutch telecoms companies keep details of clients' internet use

Four big telecom firms - KPN, Tele2, T-Mobile and Vodafone - have been breaking privacy legislation by storing details about their clients' internet use.
The Dutch privacy watchdog CBP has been investigating the storage of personal data gleaned through 'deep packet inspection' (DPI) for two years and says the big four firms have been keeping details for far longer than necessary.
'This is serious,' CBP board member Wilbert Tomesen said in a statement. DPI allows providers to monitor which websites clients visit and what apps they use.
KPN has since destroyed all the records and T-Mobile and Vodafone have partly done so. Tele2 has the 'most difficulty in complying with the law', Tomesen said. The company has also been using the information for market research, which is against the law, the CBP said.
Tele2 said in response that it wished to discuss the matter with the CBP to try to reach a solution which is acceptable to everyone.
The CBP is to distribute its findings to other European privacy watchdogs.

European Parliament adopts tougher penalties for cyber attacks

A draft directive outlining minimum jail terms for some crimes was adopted by the European Parliament on 4 July.
The directive says those found guilty of running a botnet of hijacked home computers should serve at least three years in jail.
It also seeks to improve co-operation between member states to investigate crimes and prosecute offenders.
"The perpetrators of increasingly sophisticated attacks and the producers of related and malicious software can now be prosecuted, and will face heavier criminal sanctions," said Cecilia Malmstrom, European Commissioner for Home Affairs, in a statement.
The directive builds on Europe-wide rules that have been in force since 2005 but introduces new offences that cover use of a botnet, the theft of confidential details such as passwords and use of tools that make cybercrimes possible.
Botnets have become a staple in cybercrime circles and are used by many criminal hackers to send spam, attack websites or as a resource that can be plundered for saleable data. Some botnets have millions of PCs enrolled in them.
In addition, the directive recommends that criminals involved in some crimes should serve minimum sentences. The longest jail term of five years should be served by those who do serious damage to systems or attack computers controlling a nation's critical infrastructure.
In addition, it said companies could be shut down if they hired hackers to attack rivals or steal corporate secrets.
Under terms outlined in the directive, member nations will also be required to render aid to another state stricken by a significant cyber-attack within eight hours.
The directive is widely expected to be formally adopted soon, after which member states will have two years to translate it into national law.