"Captured" Communications on Wi-Fi Networks: The Italian DPA Requires Google to Block Data Processing and Reports the Case to Judicial Authorities...
[doc. web n. 1750713]
"Captured" Communications on Wi-Fi Networks: The Italian DPA Requires Google to Block Data Processing and Reports the Case to Judicial Authorities
The Italian DPA ordered Google to block the processing of "payload data" captured by Google StreetView cars and reported the case to judicial authorities that should establish whether the data collection entailed any criminal offences.
The DPA had started investigating the case in May this year; it had been informed that the Google cars driving throughout Italy had not only collected pictures, but also "captured" fragments of electronic communications ("payload data") from April 2008 via specific software, if those communications were transmitted between users that relied on non-secured Wi-Fi networks.
Google provided the information requested by the DPA and confirmed that payload data had actually been captured by its cars; however, it specified that the information had been collected mistakenly and was so fragmented that it could not be considered to amount to personal information. The company stated that this information was stored in servers located in the USA and had never been used or disclosed to third parties.
Conversely, the DPA holds the view that the data collection in question does entail the factual risk that some of the captured information is personal data (i.e. that it can be related to identified or identifiable individuals) – considering that the data were collected systematically and over a long time span (until May 2010). Accordingly, Google might be seriously in breach of criminal law as it has not only violated the Data Protection Code, but also possibly infringed some provisions contained in Italy’s Criminal Code – such as those banning illicit interception of communications that take place over an IT or computerised system (section 617-quater) and the installation (in breach of the law) of "equipment that is suitable for intercepting, preventing or discontinuing" communications of the same type (section 617-quinquies).
For the above reasons, the DPA decided to report the case to judicial authorities, which should now establish whether criminal offences have been committed. Since the payload data may serve as proof of such criminal offences, if any, the DPA decided additionally they should not be deleted from the servers where they are currently stored and ordered their processing to be blocked – whereby Google was required to discontinue any processing operations involving them.
21 September 2010