Will The ICO Make An Example Of Google?

It is quite possible that the Information Commissioner was somewhat cheered by the recent fresh revelations about the extent of the privacy breach by Google’s Street View cars.

The Information Commissioner’s Office  talks tough about data breaches, and has fought for the right to impose tough penalties on the culprits. While the ICO would prefer the power to send people to prison, it did get the right, early this year, to impose fines of up to £500,000 on those who leak private data, snoop, or retain it inappropriately.

A good target for the watchdog’s teeth?

Commentators welcomed a new toughness, and hoped that online data protection would no longer be a wild frontier, and companies would make the effort to control their wanton USB sticks.

But in reality, nothing has happened. At least, nothing visible. Thare have been no fines for data breaches since the ICO got the power to impose them. And this is a period when there have been some spectacular losses of data.

The problem may be partly the identity of the organisations at fault.  A hospital lost patient details on a USB stick, and a medical recruitment agency exposed doctors’ details. In both cases, the breach was real, and the ICO surely evaluated whether to request that the culprit be fined.

The problem is, those organisations were involved in the NHS – and it seems healthcare is actually one of the worst places for losing data. Fining an NHS organisation would divert money away from doctors and patients, and put that money in a different public pocket, at a time when cuts are making things hard for everyone in the public sector.

Fining a public body would be a defensible move. It could certainly be argued that the current slack attitude to data protection would sharpen up markedly once someon – anyone – got caught up and brought to book.

But it would also be a public relations problem. The ICO would be seen as vindictive and legalistic.

So the ICO has a problem. Either it is seen as toothless for not invervening, or it could get bad press if it seized money from a public sector body already feeling the squeeze.

What it needs, it could be arguned, is a big commercial body. Preferably one without too much public support, but certianly one with a s big a profile as possible.

If the ICO wants to make an example of someone, it should be someone everyone has heard of, to get maximum publicity), and someoone everyone is suspicioius of to get the minimum backlash. It should also be someone who can afford to pay up without too much complaint, if the charges stick.

For all these reasons, Google would be the perfect target for the ICO’s first privacy breach suit. £500,000 would be a fleabite to it, given it paid £8.5 million for a few people whose privacy was breached by Google Buzz.

Paying up could also be good publicity for Google. It has a disappointing tendency to try and shirk responsibility for its failings. Paying a fine to the ICO would show it taking the rap and acting maturely. The publicity might even be worth more to Google than the fine

So, while we are sure the ICO does not like to hear about data breaches that compromise the privacy of UK citizens, in this case the news could have a bright side.