Agentless Backup is Not a Myth

The head of Europe's privacy watchdogs said that he is still in negotiations with Google about a major data retention dispute and is confident that the search giant will change its policies.

Google has claimed its data retention policy is forced on it by an EU law, but that it would keep identifiable customer data for 18 months even if that law did not exist.

"We are discussing the item with Google, I'm not sure what will be the outcome, I am optimistic," he told OUT-LAW Radio.

When asked whether he really believed that Google would change its policies, he said: "They already changed as a result of our [demands], I think we are not at the end of the street."

A year ago Google stopped keeping IP-identified records indefinitely and restricted their retention to 18 months, citing European privacy concerns as a reason for the change.

Google and other search engine and content companies keep a record of what activity has taken place from individual IP addresses, including what searches have been requested in search engines.

Data protection officials have condemned the practice, claiming that it breaches privacy rules, which state that collected personal information must be deleted after it has been used.

Google claims that the EU's Data Retention Directive may force it to keep data, which it does for 18 months. Privacy officials claim the Directive does not apply to content companies, only phone networks and ISPs.

"A service like Google search and other search engines are not covered by the Retention Directive," said Schaar. "This only covers internet access services and telecommunications services like email providers. The general obligation from the European Data Protection law is that the data must be deleted as soon as possible."

The battle between EU data protection regulators and Google has been going on for over a year and has focused on the Data Retention Directive. But focus may be switching to whether or not IP addresses count as personal data.

Schaar was quoted around the world last as having told a European Parliament hearing that IP addresses are personal data. In fact his view is that they should be treated as such for safety, but they are sometimes not countable as personal data.

"In most cases IP addresses have to be seen as personal related and therefore the European Directive on Data Protection covers also the use of IP addresses," he said. "I understand that under specific circumstances IP addresses are not personal related, but in general we would say as data protection authorities IP addresses are personal data because they identify indirectly the user of computer systems connected to the internet."

Schaar will present a report to the Article 29 Working Party in February into search engines and their compliance with privacy laws. He said that he could not reveal its contents, but that he hoped to get Working Party approval for it at its next meeting in February.

A Working Party spokesman had previously outlined the scope of the report. "We want to adopt a comprehensive opinion, saying how long they can keep data, and which ones," he said last year.

Monday was Data Protection Day. Find out how you can win the textbook on data protection.

Copyright © 2008, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Related links

IP addresses and privacy
Privacy battle rages
Google privacy chief talks
OUT-LAW's guide to IP addresses and the Data Protection Act

Magic Quadrant for Enterprise Backup/Recovery