The Information Commissioner’s Office has been telling journalists that it can’t fine Google over the Wi-Fi slurping scandal, saying the ability to apply monetary penalties to companies only came in after the incident in question — leaving its hands tied.

But this is simply not true. At the moment, the ICO does not know if it can fine Google, so the possibility of £500,000 in punishment remains (though it sounds unlikely).

Let me explain.

On 27 April, the German authorities asked Google why its Street View camera cars were scanning Wi-Fi connections. Google said not to worry; it wasn’t picking up any private data.

On 13 May, Google admitted that it was wrong. An audit showed it had indeed picked up private data, and the company immediately pulled its camera cars from roads around the world.

On 29 July, the ICO said the data sample it viewed showed that no “meaningful”  private information was collected by the cars.

On 25 October, Google admitted it had picked up emails, URLs and passwords. The ICO said it would take another look into the incident..

On 1 November, the ICO said it refused to “panic” and rush into action against Google, reiterating to me – and other journalists – that it was unable to fine the company because the incident happened before its ability to fine.

Now here’s the other key date: 6 April. That’s the very day when the ICO was given the ability to fine companies; any data protection incidents that happened after that date can be punishable by a fine.

As the Google Street View data breach occurred before this date, even if it was appropriate, we would be unable to use this enforcement power on this occasion

The data watchdog’s press office stressed to me this very point, also telling it to The Guardian, which quoted: “On 6 April 2010, the Information Commissioner’s Office was given the power to issue monetary penalty notices, requiring organisations to pay up to £500,000 for serious breaches of the Data Protection Act. As the Google Street View data breach occurred before this date, even if it was appropriate, we would be unable to use this enforcement power on this occasion.”

You’ll note that date comes three weeks before the Germans raised the issue, and five weeks before Google pulled the cars.

After I asked about these calendar contradictions, I was given this new statement: “The vast majority of the pay-load data was collected by Google prior to 6 April, before our new powers came into force.”

We’ve now gone from all the data being collected prior to the 6^th, to the “vast majority” of it. That suggests some data falls into the fineable category, as far as timelines go, at least.

On the road…

So how much data did Google collect in the UK in those five weeks? How many days were the cars on UK roads after 6 April? A Google rep told me: “I do not have precise dates, I’m afraid, but as announced in our blog, on discovering this mistake we immediately grounded all cars and then removed the Wi-Fi collecting equipment. Cars had been in UK prior to that on and off and varying with the weather.”

I asked if that meant cars were on UK roads between 6 April and 13 May, and got a very straightforward answer:  “Yes.”

With that in mind, I went back to the ICO. Did they have information from Google proving it hadn’t collected any data after the 6^th? It would certainly clear things up if they did. An ICO spokeswoman said: “I cannot comment on the specifics of our investigation – such as what type of data may or may not have been collected after 6 April — as it is still on-going.”

In other words, the ICO is still looking into the matter and can confirm nothing… nothing except the fact that it apparently can’t fine Google. That is the one thing it has consistently confirmed. If the investigation is still ongoing, how can it possibly know whether its legally possible to issue a fine or not? It can’t.

Another spokesman told me: “I understood that it would be part of the investigation, therefore we don’t know yet whether information was collected after the 6th, so therefore we couldn’t say whether a fine was even possible or not, because we don’t know whether information was collected after April the 6th or not.” So why are his colleagues telling other journalists that a fine is a legal impossibility?

What’s going on?

Of course, even if the dates work out and the timeline of events is no hurdle to the ICO fining Google, that doesn’t mean the watchdog should or even could fine the web firm. To issue such a penalty, the breach must have been serious and cause substantial damage, and either be deliberate or negligent.

Now possibly the only “serious” breaches happened before the 6th, but this isn’t about whether or not Google should be fined. It’s about whether the ICO has any idea what date its own investigation started, whether its communications team knows what the commissioner is up to, and whether the watchdog has already decided against fining Google, regardless of what its own investigation shows.

I asked, and got no meaningful response. No matter what the reasoning is, none of it bodes well for the watchdog’s ability to be a useful tool to protect our privacy.

Update: About three seconds after posting this blog, I received a press release from the ICO saying they would not be fining Google, but would file an enforcement notice — which essentially requires Google to promise to never do this again. I suppose that means the investigation is over, so the ICO should be able to reveal if any data was picked up after 6 April. I’ll update the post when they get back to me.

Take the Information Commissioner, for example. Christopher Graham may have started talking tough about cracking down on data leaks when he waltzed into his six-figure salary job this summer, but his feeble actions speak far louder than his fighting talk.

It was the Information Commissioner’s Office (ICO) who revealed that staff at a UK mobile network had illegally sold thousands of customer account details to brokers. That data was used to cold-call customers nearing the end of their contracts, in a bid to convince them to move to a rival network.

Mr Graham used this revelation to repeat his calls for “deterrent custodial sentences” to “stop the trade in unlawful personal information”. What he wasn’t prepared to do, however, was name the network involved – the very company who had a legal duty to protect its customers’ data. “We are preparing a prosecution case, and it would obviously prejudice a prosecution,” said a spokesperson, when asked why the ICO had taken a sudden vow of silence.

Of course, it took us no longer than two or three hours to work out who the guilty party was. Britain only has five major mobile networks – once we’d got the blanket denials from the other four, T-Mobile had little choice but to release a confession, issuing a mightily ironic riposte to the Information Commissioner for breaching its confidentiality in the process.

No-one’s disputing the fact that the real villains here were the members of staff who stole the data and sold it to the brokers – indeed, in some respects, T-Mobile was as much a victim as the people who had their details pilfered. But something was inherently wrong with an IT system that allowed employees to steal thousands of customer records and seemingly go undetected for months.  And there’s something even more wrong with an Information Commissioner that pledges to “promote openness by public bodies” and then tries to hide the identity of companies who fail to protect their customers’ data.  Not to mention the fact he’s now given T-Mobile’s lawyers a cast iron defence should any prosecution actually materialise (“The case has been prejudiced, m’lud”).

Abject ad watchdog

The Information Commissioner isn’t the only watchdog you can barely hear bark, let alone see it bite. Take the Advertising Standards Authority (ASA). I’ve lamented its abysmal failure to clamp down on the worst excesses of broadband providers in the past – ads for “unlimited broadband” that have strictly defined limits, for instance.

Yet, its ineffectiveness reached new lows in a recent adjudication against Vodafone. The ASA upheld a complaint made against adverts claiming the network had “abolished” its roaming charges, when in fact Vodafone had merely postponed the charges for a few months. (Vodafone, incidentally, made a valiant attempt to redefine the word “abolished” in its defence to the ASA, the comical details of which you can read here.)

Being a summer campaign, Vodafone stopped running the adverts at the end of August. The ASA issued its adjudication on 28 October. The sanction? “The ads must not appear again in their current form.” Bravo.

The ASA has a staff budget of more than £5 million, according to its most recent annual report. Yet it takes an average of 66 days to resolve complaints that require investigation. Even if an industry-funded body is never going to dish out fines to the companies that pay its way, is it really too much to ask for it to deal with complaints more promptly?

Ofcom go-slow

Then again, when it comes to quick responses, we should all bow to the undisputed procrastination masters, Ofcom. Back in 2007, Ofcom told mobile phone networks they would have to transfer customers’ numbers from one network to another within two hours by September this year.  However, Ofcom’s plans were waylaid when the Competition Appeals Tribunal (CAT) ruled that it had had got its sums wrong over the cost of implementing such measures. Ofcom said it would cost £5m, Vodafone successfully argued it would cost closer to £37m, so it was only out by a factor of seven or eight.

Now Ofcom has had to start the whole tedious process from scratch, and says it “aims to have any new porting process arrangements in place during 2011”. (“These things take time,” an Ofcom spokesperson told me.)  Oh, and instead of two hours, it’s now considering watering down the transfer time to one working day.

With watchdogs like these, who needs enemies?

“BT did not discuss these trials with the ICO as they were technical in nature,” the ICO claims in a statement sent to PC Pro.

Considering that pretty much every piece of personal data  is now held on a computer database somewhere, is there anything left that isn’t too “technical in nature” for our poor Information Commissioner, which is presumably waiting for Mrs Miggins from the corner shop to lose her paper-round book before clamping down with the full force of our stringent data laws?