Feeds

Google's IP 'anonymization' inadequate, says EU watchdog

Hearings with Mountain View imminent

  • alert
  • submit to reddit

The essential guide to IT transformation

An influential group of European privacy experts said this week that it will lead hearings with Google over the search giant's claim that EU data protection laws do not apply to it.

The Article 29 Working Party, an independent EU advisory body on data protection and privacy, said that Google is refusing to submit to Europe's data protection regime and that "strong disagreements" remain.

It said in a statement that Google "considers that the European law on data protection is not applicable to itself, even though Google has servers and establishments in Europe." It also said that Google "wishes to retain personal data of users beyond the six months period requested by the Article 29 Working Party, without any justification."

The dispute is over the records, or logs, of users' search queries. Google keeps those and uses them, it says, to improve the quality of search results, to fight fraud and to improve data security.

The Working Party has called for such data to be deleted after just six months. In a report published in April of this year it said that companies keeping data for longer risked breaching data protection laws. "If personal data are stored, the retention period should be no longer than necessary for the specific purposes of the processing," said the Working Party's April report. "In view of the initial explanations given by search engine providers on the possible purposes for collecting personal data, the Working Party does not see a basis for a retention period beyond six months."

It also recommended that that web users must be able to provide consent to the exploitation of their data – in particular for profiling purposes. Google responded on 8th September and reaffirmed its wish to collaborate with European data protection authorities, stating that it would reduce its retention period from 18 to nine months.

But the Article 29 Working Party has responded by saying that, in substance, "Google refuses for the moment to submit to the European data protection law."

Alex Türk, chairman of the Working Party, also criticised Google for failing to improve its anonymisation mechanisms, which he called "insufficient". He said that Google considers that IP addresses are confidential data but not personal data, "which prevents granting certain rights to its users".

Türk also accused Google of failing to "express the willingness to improve and clarify the methods that are used to gather the consent of its users."

In Google’s response to the Working Party earlier this month, Peter Fleischer, the company’s global privacy counsel, said that Google was committed to engaging in a constructive dialogue with the Article 29 Working Party and other leading privacy stakeholders around the world.

Google also renounced one if its key arguments in favour of keeping the logs. Fleischer had previously claimed that the EU's Data Retention Directive forced it to keep details for between six and 24 months. The Working Party said that this was not the case because data retention laws only applied to telecoms firms.

"We agree with the Working Party that search logs are outside of the scope of the Data Retention Directive," said Fleischer in Google’s response document.

In July Google made another concession to privacy activists when it agreed to publish a link to its privacy policy on its front page after calls from regulators to do so.

These concessions were welcomed by the Working Party this week. "In conclusion, despite some progress, significant work must still be carried out to guarantee the rights of internet users and to ensure the respect of their privacy," wrote the Working Party. "In this perspective, the Article 29 Working Party will lead hearings with Google to discuss the points of dissension."

Copyright © 2008, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Secure remote control for conventional and virtual desktops

More from The Register

next story
'Stop dissing Google or quit': OK, I quit, says Code Club co-founder
And now a message from our sponsors: 'STFU or else'
Ex US cybersecurity czar guilty in child sex abuse website case
Health and Human Services IT security chief headed online to share vile images
Don't even THINK about copyright violation, says Indian state
Pre-emptive arrest for pirates in Karnataka
The police are WRONG: Watching YouTube videos is NOT illegal
And our man Corfield is pretty bloody cross about it
Felony charges? Harsh! Alleged Anon hackers plead guilty to misdemeanours
US judge questions harsh sentence sought by prosecutors
Oz biz regulator discovers shared servers in EPIC FACEPALM
'Not aware' that one IP can hold more than one Website
Apple tried to get a ban on Galaxy, judge said: NO, NO, NO
Judge Koh refuses Samsung ban for the third time
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.