Google violated the privacy of thousands of Canadians when it inadvertently collected personal information about them with its Street View mapping cars, the country's privacy commissioner has ruled.
But the decision not to pursue legal proceedings against the search giant, despite being found breaking the law, has been described as "worrying" by influential privacy groups.
Google committed a "serious violation of Canadians' privacy rights" when it accidentally intercepted and stored data including emails and, separately, names of people suffering from certain medical conditions, Jennifer Stoddart, the Canadian privacy commissioner said on Tuesday.
The commissioner's investigation showed that confidential information of thousands of Canadian citizens was picked up by Google's Street View cars as they mapped the surrounding environment. Google apologised for the capture in May.
"Our investigation shows that Google did capture personal information – and, in some cases, highly sensitive personal information such as complete e-mails, e-mail addresses, usernames and passwords," Stoddart said.
"This incident was a serious violation of Canadians' privacy rights."
Upon hearing the ruling, some privacy groups expressed dismay at the perceived reluctance of Canada's privacy commissioner to reprimand Google, despite concluding that it seriously broke the law. Privacy International, a UK-based pressure group, wrote on Tuesday to the commissioner [OPCC] expressing concern.
Alexander Hanff, an adviser to Privacy International, told the Guardian:
"We are deeply concerned by the statement and have raised those concerns with the OPCC directly.
"They [the OPCC] have stated that this was the work of a lone engineer which is so implausible it beggars belief and could potentially have consequences which impact on ongoing cases elsewhere in the world.
"[…] Their lack of enforcement or legal action despite confirming Google broke the law, is worrying – we would have liked to see some real action off the back of such a conclusion."
The Australian privacy commissioner has already ruled that Google's data capture broke the country's privacy law. Communications minister Stephen Conroy labelled it the "single greatest breach in the history of privacy".
Google also faces similar investigations in Spain and South Korea, among other countries.
The news leaves the ruling by the UK's information commissioner that Google is unlikely to have collected "significant amounts of personal data" or data likely to "cause any individual detriment" looking increasingly conspicuous. Privacy campaigners Big Brother Watch considered the conclusion "farcical" at the time.
Privacy International on Tuesday told the Guardian it was unlikely that the UK commissioner would revisit the case, even in light of the findings of equivalent bodies in other countries.
Google said that it had "been working with the Office of the Privacy Commissioner in its investigation and will continue to answer the commissioners questions and concerns".
Experts from the Canadian privacy commissioner's office examined the offending data at Google's Mountain View headquarters. Here, it was established that the incident "was the result of a careless error" of one Google engineer who developed the unintentionally-nefarious code in 2006.
The engineer identified "superficial privacy implications" with the code, the commissioner found, but the implications were never assessed by other Google officials and the company was unaware of the presence of the code when its Street View cars were rolled into action.
The Canadian privacy commissioner ordered Google to delete all of the confidential data collected in the country and said it must comply with its security recommendations by 1 February.