Cookies on Pinsent Masons website

This website uses cookies to allow us to see how the site is used. The cookies cannot identify you. If you continue to use this site we will assume that you are happy with this

If you want to use the sites without cookies or would like to know more, you can do that here.

Google privacy chief talks

We hear why Google privacy chief Peter Fleischer thinks European data protection officials should stop meddling with its search log retention policies.13 Jul 2007

A text transcription follows.

This transcript is for anyone with a hearing impairment or who for any other reason cannot listen to the MP3 audio file.

The following is the text spoken by OUT-LAW journalist Matthew Magee.

Hello and welcome to OUT-LAW Radio, the weekly podcast that keeps you up-to-date on all the twists and turns in the world of technology law. Every week we bring you the latest news and in-depth features that help you to make sense of the ever-changing laws that govern technology today.

My name is Matthew Magee, and this week we have an exclusive interview with a man at the centre of some of the most critical privacy debates in the world. Google’s global privacy Counsel Peter Fleisher.

But first, the news.

  • Police search engineering firm for music piracy; and
  • computer waste law comes into force.

Police and UK music industry body the BPI executed a search warrant at engineering firm Honeywell this week amid allegations that thousands of music files are being shared illegally on the company’s computer system.

According to a BPI statement, an employee of the company’s premises in Motherwell, Scotland reported illegal file sharing to the trade body. A two month investigation followed and a number of employees are reported to be assisting the police with their enquiries. A report will be issued to the Procurator Fiscal according to the BPI.

This is the first time that the BPI has investigated a company on suspicion of digital music piracy in the workplace.

A spokeswoman for Honeywell told OUT-LAW:  “Honeywell considers copyright infringement a very serious matter and has rigorous policies intended to prevent such activity taking place on its premises. We will continue to fully cooperate with investigators and with the BPI.”

Manufacturers, importers and retailers of domestic appliances, IT equipment and gadgets face new legal duties to ensure the proper disposal of old products. Key parts of the Waste Electrical and Electronic Equipment Regulations came into force this week.

The legislation, derived from a European Directive was intended to boost recycling instead of adding to landfill. Last year two million tons of electrical waste was generated in the UK alone, enough to fill the new Wembley Stadium six times over, according to the new Department for Business Enterprise and Regulatory Reform, which has taken over the responsibilities for the former Department for Trade and Industry (DTI).

The Regulations came into effect in January and their provisions have been phased in. As of this week, producers have to finance the costs associated with the treatment, recovery and disposal of WEEE. Take back duties also came into force on Sunday 1st July. Business and household consumers buying electrical and electronic products should be offered free take back of old products.

That was this week's OUT-LAW news.

Google’s influence on our online lives has become so pervasive that the sprawling titan beings to make Microsoft look like your local corner shop. It’s not just our search anymore but our e mail, our chat software, our purchasing, our word processing and even how we get from A to B: Google controls it all.

Google is the big guy now, and with this comes set of serious responsibilities that the company must come to terms with. For regulators and lawmakers Google and its policies are now target number one, as the still young company is just finding out.

The latest spat centres on Google’s retention of the queries we put into its search engine. The company, like all search companies keeps that information plus data that could be used to identify you, notably the internet protocol address from which the query was made. It announced earlier this year that it would anonymise this information after between 18 and 24 months, later reducing that to 18 months.

Despite the fact that the firm was voluntarily cutting down on the retention time, the decision sparked an outcry amongst privacy activists and data protection officials. The Article 29 working party, a committee of Europe’s privacy watchdogs, wrote to the company asking that it not keep logs for that long, and a very public argument began. Google says that it has taken a balanced approach, and that the data retention directive mandates keeping data for up to two years. The working party disagrees: It says that the directive only applies to communications data and not to search terms at all.

The man at the centre of the controversy is Peter Fleischer, Google’s global privacy Counsel.  He told OUT-LAW Radio that it is not yet clear whether or not the directive will apply.

Magee: The working party told us that in their view the data retention directive doesn’t apply at all to search queries, logs. What’s your view of that? Do you think it applies?

Fleischer: You know, my view is that we don’t know the answer to that question yet and I’ve asked numerous outside counsel across Europe and here’s what they’re telling me. Well, the first is that you have to wait to have this implemented in legislation in every single member state because one of the things that we know is that the member states will implement the directive differently. Each country has to decide what is an electronic communication service provider and that will be decided differently from country to country. And so we won’t know for sure until this process is over.

The working party insists that the directive definitely does not apply and has asked Google to anonymise data far earlier, but Fleischer says that the issue is not even really any of the working party’s business.

Fleischer: Remember the data retention directive comes out of the security side of government, not out of the data protection side. So, it’s interesting for me to hear what an official from the data protection world thinks about data retention. But it’s like asking somebody who works for the railway what they think of airline regulation, it just not their field.

Strong words, well we asked the European Commissioner for Justice, Freedom and Security, whether he intends that the directive cover search queries. His office agreed with the data protection officials that queries are not covered by the directive. It also said that there are no plans to modify it so that it does cover such material.

In the end the directive may not even be relevant, since Fleischer said his company will pursue its own plans regardless.

Fleischer: But I would point out that even if the data retention directive were repealed tomorrow, our decision of the factors that went in to the right period to retain server logs, the decision to keep them for 18 months and then to anonymise them. It will be the same decision even if data retention were repealed tomorrow.

There is another potential privacy problem with Google’s search query storage. If it keeps all this information and links it to an IP address that could identify you, does it inform you clearly enough that it’s doing this?

The data protection directive insists that data gathered about a person is subject to what it calls ‘fair use’. A basic principle of this is that a company tell you when it’s gathering data and what it will use it for, usually in a privacy policy.

Google gathers certain data about you on its search front page, yet there is no privacy policy linked to from there. What’s more, when you do find a privacy policy, it does not list all the uses to which Google will put the data.

Magee: Why is there not a link on the front page of Google? So from the place where you put in your search query to the privacy policy outlining all of these uses that the information is put to?

Fleischer: Well, we have a very clear and transparent privacy policy. I spent a lot of time focussing on it and how to make it as clear and easy to understand as possible for our users. Google has a very sparse homepage. It’s one of the things that we’re very proud about. It’s kind of clean and zen-like. Last I counted I think we had something like 35 words on our homepage. On ours with only 35 words, we had to keep it very sparse. Now of course we’re a search engine, so anybody who wants to see our privacy policy can type Google privacy policy and, trust me, it will come up as result number one. It’s not hard to find. We’re a search company. We don’t believe in pushing things into people’s face. We keep it easy and simple to find.

The search for it yourself argument is unlikely to cut a lot of mustard with privacy experts, who will also point out that even if you do find it, the privacy does not detail all the many uses for your data that Fleischer listed in his letters to the Article 29 working party. He says he believes it does give enough information.

Fleischer: We do, of course, say in our privacy policy that we use these things to improve our service and that we use these things to protect our service. So it’s all there. Now if your question is: could we improve the language in certain ways? We’re always trying to think about ways to improve the language. We’re always trying to find ways to provide information in a clear and comprehensible way for users. That’s an ongoing process and I think every company should be focussing on that.

Struan Robertson is a technology lawyer with Pinsent Masons, the law firm behind OUT-LAW. He says that the circumstances in which Google will break data protection laws by having no front page link are actually quite limited.

Robertson: If Google matches search queries to IP address or to cookies, in order to identify individuals with particular preferences, even if they are only doing that by using their search habits and without knowing the person’s name, they need to display a link to the privacy policy on their homepage as an absolute minimum. Now I don’t know if Google is doing that when you don’t have any account with Google. I know that when you do get an account with Google, you are directed to a privacy policy. The issue is whether what they’re doing when you don’t have an account brings in this data protection issue. But if they’re just displaying an ad, chosen solely according to single search query, there is no privacy issue, there is no profile but if they’re tailoring ads according to that person’s history of searches and they create a profile about each searcher from that then the data protection rules come into play. Commercially, I think, there’s strong arguments why they should stick in a link to the privacy policy on the homepage anyway. I think it gives users more confidence and it would also help them to silence some of their critics.

There is a major challenge here, and that is that Google wants its search engine and indeed all of its services to be the same all over the world. But every country has its own laws and demands. How does it square that circle? Fleisher says it’s fairly difficult.

Fleischer: As I talk to policymakers and regulators and others, one of the things that I really stress is that the internet is a global medium and the policies that companies implement and the regulations that companies have to respect need to be thought about in a global context. What we can’t do is implement completely different policies in Belgium and Norway and Greece and so on. And I think people understand that. That’s just the nature of the internet.

Privacy, data retention and the anonymising of search logs are just some of the issues which Google and the world’s lawmakers will have will have to negotiate over in the coming years. On data retention laws and whether they will apply to Google’s controversial search logs, Fleischer says the picture is still not clear, but that he is glad he raised the issue.

Fleischer: What I’m trying to do, is highlight for broader discussion what exactly what will be the scope of our culpability of the data retention to a company like Google and other companies because I think its really unclear. I think there’s just a lot of ambiguous things around that particular directive and more clarity is needed.

That's all we have time for this week, thanks for listening.

Why not get in touch with OUT-LAW Radio? Do you know of a technology law story? We'd love to hear from you on

Make sure you tune in next week; for now, goodbye