BlogEuropa.eu

Ideas, debates, analysis et al.

EU to Internet search engines: six months seem more than enough

Tomás F. Serna

April 7, 2008

Last Friday (April 4), the Spanish Data Protection Agency distributed a press release announcing that the ‘Article 29 Data Protection Working Party’ had finally issued its announced opinion on Internet search engines. According to the press release, the Working Party’s opinion states that search engines will not be able to keep personal data pertaining to users’ searches for more than six months. As of this writing, the opinion is not yet publicly available.

We briefly mentioned the ‘Article 29 Data Protection Working Party’ before. It is an independent advisory panel of data protection chiefs from all the member states of the EU.

It was established by Article 29 of Directive 95/46/EC, and its role and general objectives are defined in Article 30 of the same Directive and in Article 14 of Directive 97/66/EC.

To offer a taste of the breadth of these objectives, I would like to bring Article 30.3 to the reader’s attention: “The Working Party may, on its own initiative, make recommendations on all matters relating to the protection of persons with regard to the processing of personal data in the Community.”

While it made sense to me that the ‘European Data Protection Supervisor’ on its own would have a more prominent role within its consultative powers in this area of “technical advancements”, the case has been that the art. 29 WP has taken the lead in dealing with Internet search engines and their practices towards privacy and (personal) ‘data protection’.

In November 2006, by way of a resolution titled “Privacy Protection and Search Engines”, certain EU data protection authorities already expressed their concerns about the challenges to privacy that the key role of search engines on the Internet could pose to users of such services. An extremely clear description of the risks was outlined, and a few recommendations were made.

While it’s true that this precedent took place, it really doesn’t seem to be very much connected (in cause-effect terms) to the actual issue being fought over: the length of time for which search engines are lawfully allowed to retain and process personal data pertaining to users’ queries.

An approximate non-exhaustive chronology of the actual issue appears to have been the following:

  • March 3, 2007 – Google opens Pandora’s box with a post on its ‘official blog’ titled: Taking steps to further improve our privacy practices.

    In that post Google announced its intention to move away from a previously publicly unnoticed policy of keeping data pertaining to queries to its search engine “for as long as it was useful”, to a more conservative stance of 18 to 24 months. –Articles in the press claim that “for as long as it was useful” equaled a default of 30 years!?–

  • In the following days and weeks, mainstream media and blogs pick up the news, and of course, the story makes it to technology-related headlines everywhere.
  • May 16, 2007 – The ‘Article 29 Working Party’ sends a letter to Google regarding their ‘new’ privacy practices.
    By the wording used in the letter, it seems that Google directed a previous communication to the Working Party regarding their ‘new’ privacy practices. Google is reminded of their obligations towards compliance with European laws in general and privacy laws in particular, regarding its operations on European soil and any services aimed at EU citizens.

  • June 10, 2007 – Google responds to the Working Party’s letter.
    “In the spirit of transparency”, Google makes that response public.

    On a side note, it might be worth mentioning that ever since May 2007 and up until a few days ago, Google seemed to start to fight this fight at the PR level as well, and a series of privacy-related posts found their way to the ‘Official Google Blog’.

    Titles of such posts include: “Why does Google remember information about searches?” (June 16, Google announces that it is reducing the period of time it will remember searches to 18 months.), “Putting users in charge” (announcing a piece published at FT), “How long should Google remember searches?”, “Cookies: expiring sooner to improve privacy” and “Why data matters”.

    Other thoughtful titles in this same series include: “Celebrating data privacy”, “How Google keeps your information secure”, “Using log data to help keep you safe” and “Using data to help prevent fraud”.

  • October 12, 2007 – The ‘Article 29 Working Party’ sends a second letter to Google expressing their gratitude for Google’s response, as well as acknowledging Google’s commitment to comply with EU data protection laws. Nonetheless they find it necessary to reiterate their previous statement on Google’s obligation to comply with European laws. They also announce that an opinion on ‘search engines’ is in the making.
  • April 4, 2008 – The ‘Article 29 Working Party’ approves an opinion on ‘search engines’, in which it limits the allowed amount of time for keeping users’ personal data pertaining to queries to six months.

    In-between the events above, many events took place: At least one national data protection authority conducted its own proceedings, other search engines were amicably questioned, keynotes were given at conferences, and even some severe comment exchanges were logged by the press…

    There is no doubt that this is a setback for search engines. Some of the reasons on which I base this judgement were outlined here.

    I’m not in a position to judge whether complying with this will cost search engines’ engineering teams a lot of time and effort. Will they need to internally establish different sets of guidelines with regard to geographic criteria? With regard to the national’s declared citizenship? Will this rule out some current and/or projected features or even some services as a whole? I honestly don’t have the slightest clue. We’ll have to wait and see.

    What would trouble me very much, as well, if I were in the search engine business… would be the precedent.

    Word to the wise: I haven’t read the opinion (as of this writing it isn’t available), but I have read previous documents both from the Working Party as well as by at least one national authority regarding the screening of e-mail for any purposes other than for scanning for spam and/or viruses…. and it is considered against the Law… The notion of ‘relevant ads’ comes to mind.


    4 Comments »

    1. Does the data retention directive provide arguments for longer storage?
      Thanks, Juan

      Comment by Juan — April 8, 2008 @ 12:59 pm

    2. The issue you raise is indeed a tricky one… thank you for the question… I guess… ;-)

      First of all, the announced opinion has finally appeared at the WP’s website.
      As of yesterday morning, it still wasn’t there. You’ll be able to find it here. [PDF document]

      Ever since the data retention directive was in the works, it was evident to me that this matter would be in certain aspects very much connected with personal data protection issues.

      This is what I responded to a question at an earlier post at this forum:

      (…) “As a side note perhaps I should state that in my post I was deliberately mixing two different subject matters (which in the end, experience shows that are very much intertwined…), which are: ‘data retention’ and my beloved (personal) ‘data protection’.”

      Well, according to the newly adopted opinion, I was wrong.

      Google, who also cited the data retention directive in its letters to the art. 29 WP, to justify its initially proposed 18 to 24 month period of time for “remembering searches”… apparently, was wrong as well…

      This is what the WP says: (…) “A search engine provider can however offer an additional service that falls under the scope of an electronic communications service such as a publicly accessible email service which would be subject to ePrivacy Directive 2002/58/EC and Data Retention Directive 2006/24/EC.

      Article 5(2) of the Data Retention Directive specifically states that “No data revealing the content of the communication may be retained pursuant to this Directive”. Search queries themselves would be considered content rather than traffic data and the Directive would therefore not justify their retention.

      Consequently, any reference to the Data Retention Directive in connection with the storage of server logs generated through the offering of a search engine service is not justified.”

      This should clarify the matter, right?

      Well, in my humble opinion it doesn’t. And I will add that I still think that both matters are very much connected, and that neither myself nor everyone else who has been saying so is wrong.

      While I’ll save an analysis of this issue for another post, I’m happy to advance that the data retention directive is very clear when stating that IP addresses fall within the various categories of data to be retained under its provisions.

      So then, the next question would be: Are IP addresses personal data?

      Bests, TFS

      Comment by tfserna — April 9, 2008 @ 9:40 am

    3. [...] do with that…), I think that along the lines of the remarks above lies at least part of the problem that has been haunting Google lately in Brussels and that has left some records of bitter interaction between their representatives and certain data [...]

      Pingback by BlogEuropa.eu » Understanding privacy in Europe, playing well with others — May 19, 2008 @ 9:32 pm

    4. [...] earlier discussed in this forum, Google has been engaged in a year and a half ‘disagreement‘ [...]

      Pingback by BlogEuropa.eu » Yahoo! takes the lead in EU data protection compliance — December 17, 2008 @ 3:43 pm
