Google's IP 'anonymization' inadequate, says EU watchdog

Hearings with Mountain View imminent

An influential group of European privacy experts said this week that it will lead hearings with Google over the search giant's claim that EU data protection laws do not apply to it.

The Article 29 Working Party, an independent EU advisory body on data protection and privacy, said that Google is refusing to submit to Europe's data protection regime and that "strong disagreements" remain.

It said in a statement that Google "considers that the European law on data protection is not applicable to itself, even though Google has servers and establishments in Europe." It also said that Google "wishes to retain personal data of users beyond the six months period requested by the Article 29 Working Party, without any justification."

The dispute is over the records, or logs, of users' search queries. Google keeps those and uses them, it says, to improve the quality of search results, to fight fraud and to improve data security.

The Working Party has called for such data to be deleted after just six months. In a report published in April of this year it said that companies keeping data for longer risked breaching data protection laws. "If personal data are stored, the retention period should be no longer than necessary for the specific purposes of the processing," said the Working Party's April report. "In view of the initial explanations given by search engine providers on the possible purposes for collecting personal data, the Working Party does not see a basis for a retention period beyond six months."

It also recommended that web users must be able to provide consent to the exploitation of their data – in particular for profiling purposes. Google responded on 8th September and reaffirmed its wish to collaborate with European data protection authorities, stating that it would reduce its retention period from 18 to nine months.

But the Article 29 Working Party has responded by saying that, in substance, "Google refuses for the moment to submit to the European data protection law."

Alex Türk, chairman of the Working Party, also criticised Google for failing to improve its anonymisation mechanisms, which he called "insufficient". He said that Google considers that IP addresses are confidential data but not personal data, "which prevents granting certain rights to its users".

Türk also accused Google of failing to "express the willingness to improve and clarify the methods that are used to gather the consent of its users."

In Google’s response to the Working Party earlier this month, Peter Fleischer, the company’s global privacy counsel, said that Google was committed to engaging in a constructive dialogue with the Article 29 Working Party and other leading privacy stakeholders around the world.

Google also renounced one of its key arguments in favour of keeping the logs. Fleischer had previously claimed that the EU's Data Retention Directive forced it to keep details for between six and 24 months. The Working Party said that this was not the case because data retention laws only applied to telecoms firms.

"We agree with the Working Party that search logs are outside of the scope of the Data Retention Directive," said Fleischer in Google’s response document.

In July Google made another concession to privacy activists when it agreed to publish a link to its privacy policy on its front page after calls from regulators to do so.

These concessions were welcomed by the Working Party this week. "In conclusion, despite some progress, significant work must still be carried out to guarantee the rights of internet users and to ensure the respect of their privacy," wrote the Working Party. "In this perspective, the Article 29 Working Party will lead hearings with Google to discuss the points of dissension."

Copyright © 2008, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.
