Google and Privacy. They had it coming.
Tomás F. Serna
May 29, 2007
The Article 29 Data Protection Working Party, an advisory panel of data-protection chiefs from the 27 countries in the EU, sent a letter last week to Google demanding an explanation of their recently announced policy of retaining data on individuals’ search habits for a period of up to two years.
Google has always garnered lots of attention. That is probably very good for business purposes, but it is certainly a bad thing in the data protection arena.
Why? Because on the one hand EU authorities seem lately to have a thing for the limelight… and on the other hand our current data protection laws weren’t really designed to address the challenges that transnational corporations face (let alone corporations with a global scope…). Any lawyer dealing with high tech companies, or at least with transnational mergers involving companies from any industry in the EU, will confirm this before you are able to pronounce ‘data protection fine’.
On March 14th, Google’s ‘Official’ Blog made an announcement in a post titled ‘Taking steps to further improve our privacy practices’, signed by both their ‘Privacy Counsel-Europe’ and their ‘Deputy General Counsel’:
(…) “When you search on Google, we collect information about your search, such as the query itself, IP addresses and cookie details. Previously, we kept this data for as long as it was useful. Today we’re pleased to report a change in our privacy policy: Unless we’re legally required to retain log data for longer, we will anonymize our server logs after a limited period of time. When we implement this policy change in the coming months, we will continue to keep server log data (so that we can improve Google’s services and protect them from security and other abuses)—but will make this data much more anonymous, so that it can no longer be identified with individual users, after 18-24 months.”
This post was, of course, very open ended in its wording… and expressions such as: (…) “previously we kept this data for as long as it was useful”, (…) “we will continue to keep server data so that we can improve Google’s services” and (…) [we] “will make this data much more anonymous”, didn’t quite serve the purpose of leaving everyone at ease with Google’s privacy practices.
On May 11th, a second post on the company’s blog tried to explain the rationale behind the inner workings of Google’s privacy practices. (Incidentally, and interestingly enough, the former ‘Privacy Counsel-Europe’ has now apparently been promoted to ‘Global Privacy Counsel’.)
This second post explicitly named, and rightfully complained about, the challenges that companies such as Google face when trying to comply with (and make sense of…) different regulations across different jurisdictions on a global scale:
(…) “Companies like Google are trying to be responsible corporate citizens, and sometimes we are told to do different things by different government entities, or to follow conflicting legal obligations. It’s hard enough to get different government entities to talk to each other inside one country. When you multiply this by all the countries where Google must comply with the laws, the potential conflicts are enormous.”
We’ll see if this open letter strategy works for Google as well as it did for Apple while they were facing complaints from EU consumer protection authorities on DRM grounds…
I must confess that it actually surprised me that it was the ‘data protection working party’ who took the lead in this matter. I was actually expecting the European Data Protection Supervisor to be the one who would be taking Google for a ride.
In any case, and in my humble opinion, while interesting to a certain extent, this is in reality a non-issue… Google will in the end have to comply with the recently adopted Directive on Data Retention (May 15th, 2006) [PDF link], and that will be that. Not that this won’t be a fascinating and extremely daunting task for the legal team at Google…
But there is an issue whose technicalities interest me much more and that raises far deeper implications than this one… namely the numerous data protection issues that globally enabled e-mail services such as Gmail raise.
Google isn’t the only company running a globally accessible e-mail service… but they certainly seem to have the EU data protection authorities’ attention.
All the best, TFS
3 Comments »
Tomas, I learnt a lot from your post. One nuance, however: your analysis shows that the EU can deal with any transnational corporation in this area of protecting personal data better than the different Member States alone. The Union has the size and weight to face gigantic private companies, that normally would have much more bargaining power when dealing with national authorities.
Comment by JMA — May 31, 2007 @ 9:27 pm
Dear José,
Thanks for your kind comment.
I don’t know about learning anything from my post… but I’d say that you are absolutely right in your remark. And that would of course apply to most subject matters in the EU…
Take for example Apple. If memory serves, not too long ago when they were taking some heat from different EU local consumer authorities, rumor had it that they were considering shutting down altogether one of the local EU iTunes music stores… That would have been a minor (probably just temporal) loss for Apple, but it certainly would have put pressure on the local authorities from the affected country… (who would instantly become wildly unpopular…), and would have sent a warning message to the rest of the EU neighbours…
In any case that battle was fought at the PR level… As you know now they are facing some competition (‘antitrust’ for our American friends…) investigations, and that is a whole different animal.
As a side note, perhaps I should state that in my post I was deliberately mixing two different subject matters (which, in the end, experience shows are very much intertwined…), which are: ‘data retention’ and my beloved (personal) ‘data protection’.
In any case and as mentioned in the post my understanding is that Google is also trying to play the PR game here.
While they certainly have a right to do so –and they do as well raise some interesting points about the difficulties of dealing with regulations from different jurisdictions– it is also true that the same happens to a certain extent in the US, where you would be incorporated in one state and would have to comply with a plethora of different (and sometimes conflicting) regulations across the rest. And we don’t hear much complaining there…
Comment by tfserna — June 3, 2007 @ 2:47 pm
[...] briefly mentioned the ‘Article 29 Data Protection Working Party’ before. It is an independent advisory panel of data protection chiefs from all the member states of the [...]
Pingback by BlogEuropa.eu » EU to Internet search engines: six months seem more than enough. — April 7, 2008 @ 3:18 am