The UK's data protection watchdog said on Wednesday that Google violated the law with its Street View Wi-Fi collection programme, but that it will let the company off with a warning and will not impose a fine.
The latest development marks a change in position for the Information Commissioner's Office (ICO), which said earlier this year that Google only appeared to have breached data protection requirements. It declined to take further action after Google agreed to delete the data.
Google said in May that it had collected information on unencrypted Wi-Fi routers, including fragments of data transmitted by those routers. The purpose of the data collection, which occurred as its Street View imagery vehicles were cruising streets in many countries, was to improve a geo-location database for location-based mobile applications.
Google denied the data could be traced back to an individual. But the company said on October 22 that an examination of the data by seven external regulators have now shown that in some instances entire emails and URLs were collected along with some passwords.
Earlier this year officials from the ICO that viewed a sample of data that was collected apparently missed that some data could be traced back to specific people. They concluded "that the data as fragmentary and was unlikely to constitute personal data" and declined to take further action.
ICO officials look at parts of the data that was provided by Google and also did their own random sampling, but did not find information that constituted personal data, according to an ICO spokesman. It is not known which regulatory agency in the 30 countries examining the Street View data discovered the full emails and passwords, although it should eventually be revealed, the ICO spokesman said.
To satisfy the ICO, Google will be subject to an audit within nine months, and must sign a document saying they will face further action unless the company takes steps to ensure data is protected.
The ICO has mandated that the company must put programmes in place to train employees on data protection and the law, train engineers on the handling of data and start a security awareness training scheme, among other requirements.
The Wi-Fi collection programme remains under investigation by agencies in several countries. In Germany, Hamburg's Data Protection Authority (DPA) and the city's prosecutor's office continue to examine the data and whether it broke that country's laws.
Last month, Spain's Data Protection Agency said it is investigating Google for up to five infractions of the law over the collection of Wi-Fi data, for which the company could face more than €300,000 (£261,000) in fines. In August, South Korean police raided Google's offices and launched an investigation into unauthorised data collection and illegal wiretapping.