As I wrote yesterday, the Article 29 Working Party has adopted an opinion on privacy, data protection and search engines. The opinion deals with a lot of issues, many of which have been publicly discussed in the last year. The first conclusion of the Working Party is that: “The Data Protection Directive (95/46/EC) generally applies to the processing of personal data by search engines, even when their headquarters are outside of the EEA.” The Working Party dismisses the claim that the Data Retention Directive could be an excuse for retaining search logs. This directive does not apply to providers of search services.
The opinion calls upon search engines to clarify the activities of their establishments in EU Member States in light of provisions with regard to jurisdiction of Member States over personal data processing (Article 4 of the Directive). Search engines have been particularly hesitant to admit such jurisdiction of European States. Instead, market leader Google has called for the development of global privacy standards and favours self-regulation, such as proposed by the FTC in December 2007.
Another conclusion relates to the retention periods of search engine logs. The Working Party concludes that they should be minimized to 6 months, which would amount to a significant reduction: â€œRetention periods should be minimised and be proportionate to each purpose put forward by search engine providers. In view of the initial explanations given by search engine providers on the possible purposes for collecting personal data, the Working Party does not see a basis for a retention period beyond 6 months.â€ The opinion also contains an extensive list of data typically processed by search engines in Annex I.
The above mostly relates to data protection and search logs, which the opinion refers to as â€˜user privacyâ€™. With regard to the privacy of the possible targets of a search and the issue of personal data in search results and a search engineâ€™s cache the opinion comes to the following conclusion: â€œIn their second role, as providers of content data (such as the data in the index), generally they are not to be held as primarily responsible under European data protection law for the personal data they process. Exceptions are the availability of a long-term â€˜cacheâ€™ and value added operations on personal data (such as search engines aimed at building profiles of natural persons). When providing such services, search engines are to be held fully responsible under the Data Protection Directive and must comply with all relevant provisions.â€
An issue which has been debated extensively already is whether or not ip-addresses should be considered personal data. Most of the confusion in the discussion seems to be a result of the transatlantic differences in what is personal data (for a short overview see here). In the United States there is a U.S. debate about what is personally identifiable information. In the EU, the question from a legal point of view is mainly whether a piece of information falls within the broad definition of personal data in the Data Protection Directive. The Article 29 Working Party issued an extensive opinion on the concept of personal data. Most of the discussion about whether or not ip addresses are personal data in the sense of the Data Protection Directive is a repetition on earlier discussions of the concept of personal data, such as the discussions about number plates and telephone numbers. Regardless of the merits of some of the arguments in this debate, the discussion on ip addresses will probably continue for a while. Googleâ€™s Peter Fleischer is correct in pointing out that there are a few important recent rulings in France on this issue, that at least do not follow the line of the French Data Protection Authority CNIL. One of the problems of these rulings is that they make the question about certain information being personal data depend on the holder of such data, the result of which seems predictable for data protection compliance and problematic from the point of view of access to personal data for law enforcement and national security purposes (the invisible handshake).
In the debate about ip addresses and personal data in the context of search logs, there is one element which deserves more attention. That is the fact that search engines usually log (much) more then ip addresses, for instance unique cookie data and date and time as well. The fact that they place a unique cookie on the computer of a user, and store search sessions over long periods of time are contextual elements that deserve to be taken into account.
(Disclaimer: I should note that I have advised the Dutch Data Protection Authority on its input for the Article 29 Working Party (a past commitment, which ended months ago). My writings on this blog are my personal contribution to the debate on search engine privacy and do not reflect in any way the points of view of the Dutch Data Protection Authority, or the Institute for Information Law, where I conduct my PhD research on Search engine regulation.)