The Article 29 Working Party, a committee of all of the EU
country's privacy or data protection commissioners, said that its
data protection rules must apply to personal data processed by
companies that do not even have offices in the EU.
"[The EU's] provisions also apply to such controllers who have
their headquarters outside the EU, but only an establishment in one
of the EU Member States, or who use automated equipment based in
one of the Member States for the purposes of processing personal
data," said a Working Party statement.
The EU's privacy watchdogs are locked in a battle with search
engine companies such as Google over the processing of personal
data. There are debates about whether companies are subject to the
EU's rules as well as what those rules mean.
The Working Party met late last week to appoint a new chairman
and discuss its progress in trying to force internet content
providers to comply with its rules. It claims that companies'
practice of keeping a record of what internet (IP) addresses gave
rise to what searches is in breach of the Data Protection
Directive, which imposes obligations on firms processing personal
data.
Companies such as Google have argued that they are forced to
keep the information by the Data Retention Directive, which demands
that communications data be retained for up to two years to help
law enforcement agencies. The Working Party believes that the Data
Retention Directive only applies to telecoms firms, not content
companies.
"As the use of search engines becomes a daily routine for an
ever growing number of citizens, the protection of the users’
privacy and the guaranteeing of their rights, such as the right to
access to their data and the right to information as provided for
by the applicable data protection regulations, remain the core
issues of the ongoing debate," said the Working Party, which is
shortly expected to publish the results of an investigation into
search engine company practices.
"Search engines fall under the EU Data Protection Directive
95/46/EC if there are controllers collecting users’ IP addresses or
search history information, and therefore have to comply with
relevant provisions," it said.
These provisions would mean that the way that companies use
personal information would be more tightly controlled than if they
did not apply. Under the rules, users must agree to the collection
of their data and have the right to verify information collected or
object to its storage, the Working Party said.
There is an ongoing debate about whether or not IP addresses
count as personal data and are therefore covered by the Data
Protection Directive. Peter Schaar, outgoing chair of the Working
Party and German Federal Data Protection Commissioner, recently
told OUT-LAW Radio that the addresses must mostly be taken to be
personal data.
"In most cases IP addresses have to be seen as personal related
and therefore the European Directive on Data Protection covers also
the use of IP addresses," he said. "I understand that under
specific circumstances IP addresses are not personal related, but
in general we would say as data protection authorities IP addresses
are personal data because they identify indirectly the user of
computer systems connected to the internet."
Schaar also said that the Data Retention Directive does not
apply to such information, and that companies are not obliged to
store IP logs.
"A service like Google search and other search engines are not
covered by the Retention Directive," said Schaar. "This only covers
internet access services and telecommunications services like email
providers. The general obligation from the European Data Protection
law is that the data must be deleted as soon as possible."
