Google Inc. was praised on Tuesday by the U.K.’s data protection watchdog for strengthening its privacy policies but the agency said the company still needs to improve.
Google has been under scrutiny by the Information Commissioner’s Office (ICO) since the company admitted in May 2010 to collecting payload data from unencrypted Wi-Fi networks it was indexing as part of its Street View imagery program.
The ICO said in November 2010 that Google broke the law with the data collection, which in some cases recorded entire e-mails, passwords and URLs. The ICO declined to impose a fine and instead demanded that Google submit to an audit of its privacy polices.
The audit took place last month, the ICO said in a statement. “The audit found that Google has taken action in all of the agreed improvement areas,” the agency said. “The ICO has now asked the company to go further to enhance privacy, including ensuring that users are given more information about the privacy aspects of Google products.”
Google is training its engineers now on advanced data protection and overall is paying more attention to privacy issues when products are designed, the ICO said.
But Google should also ensure that its products have a so-called “privacy story,” used to educate users about products’ privacy features. While Google has implemented a “privacy design document” for products, those documents should be checked for accuracy. Also, the core training for engineers should include specific design principles that come from the privacy design document, the ICO said.
A Google spokeswoman contacted in London said the company had no direct comment on the ICO’s findings.
Google ignited a firestorm when it said it mistakenly collected traffic passing on unencrypted Wi-Fi routers, including fragments of data transmitted by those routers. The purpose of the data collection, which occurred as its Street View imagery vehicles were cruising streets in many countries, was to improve a geolocation database for location-based mobile applications.
Google, which immediately stopped the data collection, faced investigations in many countries including Germany, the U.S., Spain, South Korea, France and Italy.