Google's IP 'anonymization' inadequate, says EU watchdog
Hearings with Mountain View imminent
An influential group of European privacy experts said this week that it will lead hearings with Google over the search giant's claim that EU data protection laws do not apply to it.
The Article 29 Working Party, an independent EU advisory body on data protection and privacy, said that Google is refusing to submit to Europe's data protection regime and that "strong disagreements" remain.
It said in a statement that Google "considers that the European law on data protection is not applicable to itself, even though Google has servers and establishments in Europe." It also said that Google "wishes to retain personal data of users beyond the six months period requested by the Article 29 Working Party, without any justification."
The dispute is over the records, or logs, of users' search queries. Google keeps those and uses them, it says, to improve the quality of search results, to fight fraud and to improve data security.
The Working Party has called for such data to be deleted after just six months. In a report published in April of this year it said that companies keeping data for longer risked breaching data protection laws. "If personal data are stored, the retention period should be no longer than necessary for the specific purposes of the processing," said the Working Party's April report. "In view of the initial explanations given by search engine providers on the possible purposes for collecting personal data, the Working Party does not see a basis for a retention period beyond six months."
It also recommended that that web users must be able to provide consent to the exploitation of their data – in particular for profiling purposes. Google responded on 8th September and reaffirmed its wish to collaborate with European data protection authorities, stating that it would reduce its retention period from 18 to nine months.
But the Article 29 Working Party has responded by saying that, in substance, "Google refuses for the moment to submit to the European data protection law."
Alex Türk, chairman of the Working Party, also criticised Google for failing to improve its anonymisation mechanisms, which he called "insufficient". He said that Google considers that IP addresses are confidential data but not personal data, "which prevents granting certain rights to its users".
Türk also accused Google of failing to "express the willingness to improve and clarify the methods that are used to gather the consent of its users."
In Google’s response to the Working Party earlier this month, Peter Fleischer, the company’s global privacy counsel, said that Google was committed to engaging in a constructive dialogue with the Article 29 Working Party and other leading privacy stakeholders around the world.
Google also renounced one if its key arguments in favour of keeping the logs. Fleischer had previously claimed that the EU's Data Retention Directive forced it to keep details for between six and 24 months. The Working Party said that this was not the case because data retention laws only applied to telecoms firms.
"We agree with the Working Party that search logs are outside of the scope of the Data Retention Directive," said Fleischer in Google’s response document.
These concessions were welcomed by the Working Party this week. "In conclusion, despite some progress, significant work must still be carried out to guarantee the rights of internet users and to ensure the respect of their privacy," wrote the Working Party. "In this perspective, the Article 29 Working Party will lead hearings with Google to discuss the points of dissension."
Copyright © 2008, OUT-LAW.com
OUT-LAW.COM is part of international law firm Pinsent Masons.
Sponsored: Protecting mobile certificates