Google's IP 'anonymization' inadequate, says EU watchdog
Hearings with Mountain View imminent
An influential group of European privacy experts said this week that it will lead hearings with Google over the search giant's claim that EU data protection laws do not apply to it.
The Article 29 Working Party, an independent EU advisory body on data protection and privacy, said that Google is refusing to submit to Europe's data protection regime and that "strong disagreements" remain.
It said in a statement that Google "considers that the European law on data protection is not applicable to itself, even though Google has servers and establishments in Europe." It also said that Google "wishes to retain personal data of users beyond the six months period requested by the Article 29 Working Party, without any justification."
The dispute is over the records, or logs, of users' search queries. Google keeps those and uses them, it says, to improve the quality of search results, to fight fraud and to improve data security.
The Working Party has called for such data to be deleted after just six months. In a report published in April of this year it said that companies keeping data for longer risked breaching data protection laws. "If personal data are stored, the retention period should be no longer than necessary for the specific purposes of the processing," said the Working Party's April report. "In view of the initial explanations given by search engine providers on the possible purposes for collecting personal data, the Working Party does not see a basis for a retention period beyond six months."
It also recommended that web users must be able to provide consent to the exploitation of their data – in particular for profiling purposes. Google responded on 8th September and reaffirmed its wish to collaborate with European data protection authorities, stating that it would reduce its retention period from 18 to nine months.
But the Article 29 Working Party has responded by saying that, in substance, "Google refuses for the moment to submit to the European data protection law."
Alex Türk, chairman of the Working Party, also criticised Google for failing to improve its anonymisation mechanisms, which he called "insufficient". He said that Google considers that IP addresses are confidential data but not personal data, "which prevents granting certain rights to its users".
Türk also accused Google of failing to "express the willingness to improve and clarify the methods that are used to gather the consent of its users."
In Google’s response to the Working Party earlier this month, Peter Fleischer, the company’s global privacy counsel, said that Google was committed to engaging in a constructive dialogue with the Article 29 Working Party and other leading privacy stakeholders around the world.
Google also renounced one of its key arguments in favour of keeping the logs. Fleischer had previously claimed that the EU's Data Retention Directive forced it to keep details for between six and 24 months. The Working Party said that this was not the case because data retention laws only applied to telecoms firms.
"We agree with the Working Party that search logs are outside of the scope of the Data Retention Directive," said Fleischer in Google’s response document.
These concessions were welcomed by the Working Party this week. "In conclusion, despite some progress, significant work must still be carried out to guarantee the rights of internet users and to ensure the respect of their privacy," wrote the Working Party. "In this perspective, the Article 29 Working Party will lead hearings with Google to discuss the points of dissension."
Copyright © 2008, OUT-LAW.com
OUT-LAW.COM is part of international law firm Pinsent Masons.
That isn't fraud, that's Google's selfish profit making pickle
So, what exactly does my searching for Hemorrhoids at 7.15pm on Wednesday the 14th of March 2007 and then clicking on the Wikipedia link have to do with fraud.. in ANY way? They don't need to profile people as much. I understand a certain amount, but not keeping every single letter everyone's ever entered, how long they were on the page, where they clicked next etc, FOREVER.
" IP addresses are not personal data "
Yes they are.
It is not public information therefore it is obviously personal data. It is only available to whoever we give it out to. (Or whoever goes out of their way to trace it, and even then, it is hard to do unless you have direct contact with them through emails, IM etc and are basically trusted enough to be in the position where you have potential access to it.) If you meet someone in a pub and give them your full name they can look up your address and your phone number but not your IP address.
If your phone number or address was attached to pieces of paper lying around the streets, which had things written on it like your medical problems, who you fancy, what your sexual orientation is, what your political views are, that you're cheating on your partner...Well, it's pretty obvious that this situation where it could be linked so easily to you would NOT HAPPEN. Your phone number would be something private you would not give out, since one day someone can easily find a piece of paper in the street and match it up.
If it's not personal information and can't identify a person then why do you need to involve law enforcement just to request the IP address of someone who hacked your Myspace account (for example)? TheRegister logs our IP addresses but is not allowed to give them out unless it involves court.
" Google does hold e-mail, passwords, billing information and other things for a great many people. "
It holds those for very clear reasons. People are asking Google to hold emails so they can read them anytime they have internet access. THEY ASKED THEM TO HOLD THEIR EMAILS. People choose to store their card details on Paypal so they can log in when they want and pay for things quickly and easily. The whole point of signing up is to get your details held by the company so you can pay stuff through them. Passwords need to be stored in order for an ACCOUNT TO FUNCTION, otherwise the 'doors' would all be open and it'd be a free for all.
YOU MAKE NO SENSE.
There is absolutely NO reason for search terms to be forever linked to the individual who did it. Please tell me why some of you are so hell bent on the information being kept? If it doesn't matter that much to you, then why don't you just stay out of it, since it's not affecting you in any way (yet..).
Needing IP addresses
Once the information has been checked (for click fraud etc) it can be deleted. There's no need to segment responses. If 18% of people search for "boobies" on google, then they don't care if it's more US IP addresses than Asian ones.
I wasn't aware that you could pick and choose which laws you 'submitted to', there's a few that I think I'll ignore because I don't fancy them...