Should the European Commission address the privacy implications of the Google Doubleclick merger review and impose conditions? What does the Data Protection Directive mean for the logging and profiling of users by Web search providers? These were the central questions discussed at the public seminar, of the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament, on Monday 21 January 2008. Invited speakers included, Peter Hustinx (EDPS), Pamela Jones Harbour (FTC), Mark Rotenberg (EPIC) , Peter Fleischer (Google), Thomas Myrup Kristensen (Microsoft), Cornelia Kutterer (BEUC) and Sjoera Nas (Dutch DPA).
Although the afternoon started promising, with opening remarks by chair Cavada on the long history of the need for scrutinizing concentration in the information and communication industry, referring to the fundamental issues at stake for individuals and society as a whole, the debate did not bring many perspectives that had not been offered previously.
The discussion about IP addresses, processed by Web search providers in their logfiles, made the news. More specifically, the statements by Hustinx, and Peter Schaar, chair of the Article 29 Working Party that search engines should treat them as personal data, as defined in the European Data Protection Directive. This is just a reiteration of earlier conclusions, most notably the opinion of the Article 29 Working Party on the concept of personal data. The Dutch DPA recently published guidelines on privacy and publications of personal data on the Web, that included the same conclusion. I never heard any sensible legal argument why ip-addresses would not (in general, there are a few specific exceptions) fall under the definition of personal data in EU law. Surely there are many practical reasons, including the lack of will to deal with the provisions on fair and accountable procession of personal data of the Directive, but that’s a different question. In the U.S. there is a similar debate, which is more open due to the lack of any definition or norm of what constitutes personal data under U.S law.
The remarks about the relevance of the possible privacy implications of the merger were not of the same quality and level as the discussion in the United States. FTC Commissioner Harbour restated her opinion that the economic relevance of the personal data and the effects on privacy of the merger should be part of a merger review. There seems reason to believe that the Commission will approve the merger, without privacy conditions. However, merged or unmerged, data protection laws will apply. As Sjoera Nas of the Dutch Data Protection Authority stated:
“In her opinion, the privacy directive was adequate, in that it provided a clear, useable framework. For her, it was not
for the data protection authorities to consider the consequences of a merger, but for the companies themselves to continue to comply with data protection rules. She also called for adequate enforcement powers of all data protection authorities.”
An official summary of the seminar is available through Statewatch.