Google has been asked to undergo an independent, third-party audit of its privacy programs within a year following an investigation of Google Street View.
Canada's Privacy Commissioner Jennifer Stoddart announced the request Monday as she released a report on Google's response to her office's finding last October that Google had breached Canadian privacy laws.
That investigation found Google had been in "serious violation of Canadians’ privacy rights" when it collected personal data such as email addresses and passwords while photographing cities for its street-level mapping service. The data had been gathered as it was transmitted over unprotected home and business wireless networks along the route of the Google Street View cars in Canada and around the world.
"Google appears to be well on the way to resolving serious shortcomings in the way in which it addresses privacy issues," Stoddart said in a statement Monday.
"However, given the significance of the problems we found during our investigation, we will continue to monitor how Google implements our recommendations."
This is the first time the office has requested that a company undergo a third-party audit. Google has also been asked to share the results of the audit with the Privacy Commissioner's office.
The Privacy Commissioner can investigate complaints of alleged breaches of Canada's privacy laws and make recommendations, but does not have enforcement powers. If a company refuses to remedy breaches of privacy law, the commissioner must ask the Federal Court to intervene.
The investigation found that the Street View data breach was "largely a result of Google's lack of proper privacy policies and procedures."
As recommended by the privacy commissioner's office, Google has agreed to:
- Boost privacy and security training to all employees.
- Track all projects that collect, use or store personal information and make those involved accountable for privacy.
- Make sure the privacy impact of all projects is designed and assessed from inception through launch.
- Conduct internal periodic audits to ensure projects follow their privacy design.
- Ensure privacy and legal teams review proposals involving location-based data.
Google was fined $139,000 in March by France's privacy authority CNIL over the collection of personal data by Google Street View cars.