The Article 29 Working Party involves the data protection
officials of all the EU's member states and monitors compliance
with Europe's Data Protection Directive. It has published a
long-awaited report into search engines and privacy which is the
result of months of consideration.
That report says that search engine companies must delete
personal data as soon as they have used it for the purpose for
which it was gathered, and that it should not be routinely kept for
longer than six months.
"If personal data are stored, the retention period should be no
longer than necessary for the specific purposes of the processing,"
said the report. "In view of the initial explanations given by
search engine providers on the possible purposes for collecting
personal data, the Working Party does not see a basis for a
retention period beyond 6 months."
Even that retention, though, needs explanation and
justification, said the Working Party. "After the end of a search
session, personal data could be deleted, and continued storage
therefore needs an adequate justification… the retention of
personal data and the corresponding retention period must always be
justified (with concrete and relevant arguments) and reduced to a
minimum, to improve transparency to ensure fair processing, and to
guarantee proportionality with the purpose that justifies such
retention."
Until last year search engine companies generally kept search
engine logs indefinitely. But the issue of retention became
prominent when Google announced that it would reduce the period for
which it keeps records to 24 and then 18 months.
That announcement triggered investigations by the Working Party
into the retention. "Some search engine companies seem to retain
data indefinitely, which is prohibited," it said in its report.
"The Working Party welcomes the recent reductions in retention
periods of personal data by major search engine providers. However,
the fact that leading companies in the field have been able to
reduce their retention periods suggests that the previous terms
were longer than necessary."
Google has opposed the restrictions, claiming that it is
required to keep search logs by the Data Retention Directive, a law
which orders telecoms companies to keep records of communications
for six to 24 months in case law enforcement agencies need them in
crime fighting.
Google's global privacy counsel Peter Fleischer said in a
statement that the Working Party's requirements do not take into
account commercial, as well as regulatory, concerns.
"We believe that data retention requirements have to take into
account the need to provide quality products and services for
users, like accurate search results, as well as system security and
integrity concerns," said Fleischer. "This perspective – the ways
in which data is used to improve consumers' experience on the web –
is unfortunately sometimes lacking in discussions about online
privacy."
The report emphasised that EU law applies to companies from
outside Europe. The Data Protection Directive applies to all
processors of personal data with offices or even just equipment in
the EU, even if a company headquarters is outside Europe, it
said.
Search engine companies have argued that they must keep search
engine logs because the Data Retention Directive demands that they
do. The Working Party says that the Retention Directive only
applies to telecoms firms, not to online content providers.
The Working Party's report, though, took further issue with
companies' use of law enforcement obligations as justification for
keeping information.
"Law enforcement authorities may sometimes request user data
from search engines in order to detect or prevent crime," it said.
"When such requests follow valid legal procedures and result in
valid legal orders, of course search engine providers will need to
comply with them and supply the information that is necessary.
However, this compliance should not be mistaken for a legal
obligation or justification for storing such data solely for these
purposes."
The report also dealt with the controversial issue of whether or
not internet protocol (IP) addresses count as personal data, and
therefore are controlled by the Data Protection Directive.
The report reiterated the Working Party's previously expressed
view that "unless the Internet Service Provider is in a position to
distinguish with absolute certainty that the data correspond to
users that cannot be identified, it will have to treat all IP
information as personal data, to be on the safe side. These
considerations will apply equally to search engine operators".
Google disputes the Working Party's interpretation. "The Working
Party's findings stated that IP addresses should be treated as
personal information, with the full weight of data protection
laws," said Fleischer. "Based on our own analysis, we believe that
whether or not an IP address is personal data depends on how the
data is being used."
