Euro privacy chief predicts Google policy flip
EU-Google negotiations going swimmingly
The head of Europe's privacy watchdogs said that he is still in negotiations with Google about a major data retention dispute and is confident that the search giant will change its policies.
Google has claimed its data retention policy is forced on it by an EU law, but that it would keep identifiable customer data for 18 months even if that law did not exist.
Peter Schaar is Germany's Federal Data Protection Commissioner and Chairman of the group of European privacy regulators the Article 29 Working Party. He is negotiating with Google over its retention of logs of user activity combined with identifying internet protocol, or IP, addresses.
"We are discussing the item with Google, I'm not sure what will be the outcome, I am optimistic," he told OUT-LAW Radio.
When asked whether he really believed that Google would change its policies, he said: "They already changed as a result of our [demands], I think we are not at the end of the street."
A year ago Google stopped keeping IP-identified records indefinitely and restricted their retention to 18 months, citing European privacy concerns as a reason for the change.
Google and other search engine and content companies keep a record of what activity has taken place from individual IP addresses, including what searches have been requested in search engines.
Data protection officials have condemned the practice, claiming that it breaches privacy rules, which state that collected personal information must be deleted after it has been used.
Google claims that the EU's Data Retention Directive may force it to keep data, which it does for 18 months. Privacy officials claim the Directive does not apply to content companies, only phone networks and ISPs.
"A service like Google search and other search engines are not covered by the Retention Directive," said Schaar. "This only covers internet access services and telecommunications services like email providers. The general obligation from the European Data Protection law is that the data must be deleted as soon as possible."
The battle between EU data protection regulators and Google has been going on for over a year and has focused on the Data Retention Directive. But focus may be switching to whether or not IP addresses count as personal data.
Schaar was quoted around the world last as having told a European Parliament hearing that IP addresses are personal data. In fact his view is that they should be treated as such for safety, but they are sometimes not countable as personal data.
"In most cases IP addresses have to be seen as personal related and therefore the European Directive on Data Protection covers also the use of IP addresses," he said. "I understand that under specific circumstances IP addresses are not personal related, but in general we would say as data protection authorities IP addresses are personal data because they identify indirectly the user of computer systems connected to the internet."
Schaar will present a report to the Article 29 Working Party in February into search engines and their compliance with privacy laws. He said that he could not reveal its contents, but that he hoped to get Working Party approval for it at its next meeting in February.
A Working Party spokesman had previously outlined the scope of the report. "We want to adopt a comprehensive opinion, saying how long they can keep data, and which ones," he said last year.
Monday was Data Protection Day. Find out how you can win the textbook on data protection.
Copyright © 2008, OUT-LAW.com
OUT-LAW.COM is part of international law firm Pinsent Masons.
But Google *is* an email provider
So on the one hand the regulator is saying that the rule applies only to telecoms providers, ISPs and email providers and so not to not Google, while on the other hand, Google is an email provider.
Regulation is a tricky thing. We hope it stops companies from doing Bad Things, but the regulators themselves seem to live in a narrow vertical world and it looks like there is a lack of thought about how, all told, companies can be in compliance with all applicable rules (at least in this case).
Still, Google is large enough to have the staff to figure it all out I suppose.
If the NSA gets its way
Then they will get free access to every Google record, which will kill their business because nobody will let the NSA look over their shoulder and it will make Google illegal in the EU.
So they'll have to go back and think carefully how they can anonymize that data from day 1 and how much data they really need to collect in the first place.
Privacy is a good selling point.