
Privacy battle rages

The privacy chiefs of Europe and Google battle over privacy rights and whether technology or the law should protect us.

09 Nov 2007

For a transcript, email

A text transcription follows.

This transcript is for anyone with a hearing impairment or who for any other reason cannot listen to the MP3 audio file.

The following is the text spoken by OUT-LAW journalist Matthew Magee.

Hello and welcome to OUT-LAW radio, the weekly podcast that keeps you up to date on all the twists and turns in the world of technology law.

Every week we bring you the latest news and in depth features that help you to make sense of the ever-changing laws that govern technology today.

My name is Matthew Magee, and this week we hear from the two men who are battling over the future of our privacy: Google's global Privacy Chief and Europe's Privacy Watchdog.

But first, the news:

  • Wikipedia not liable for libel; and
  • German online gambling ban impossible, says court.

The Wikimedia Foundation is not responsible for defamatory comments published in its user generated encyclopaedia Wikipedia, a French court has ruled. The comments had been removed quickly after being notified to the site operators.

Three men sought €69,000 in damages when a Wikipedia entry identified them as gay activists. A French court ruled, though, that the company that publishes the encyclopaedia cannot be held liable for user contribution. The ruling afforded Wikimedia similar protection to that enjoyed by ISPs.

The judge said that a 2004 French law exonerated the company. He said that he had taken into account the fact that the articles in question had been censored quickly after Wikimedia was informed of it.

He also said that the website hosts were not under any legal obligation to investigate or monitor the information which is published through them.

It is impossible to enforce a ban on internet gambling and so such a ban is 'null and void', according to a German court. The Court of Appeal in the state of Hessen reversed a ruling from a lower court banning an Austrian firm from operating.

The ruling comes just weeks before German states are expected to ban internet sports betting across the country. It forms one episode in a long struggle between some European countries who want to control online gambling and the EU institutions that want to promote free cross border trade.

BWIN Interactive, a major Austrian gambling company with plans for Europe-wide expansion, had been banned by a lower court in Hessen from operating there until the overturning of the ruling.

Germany and France are trying to keep state monopolies on gambling intact but have fallen foul of European legislation mandating free trade of goods and services within the EU.

The French Government lost a case earlier this year when the country's highest court, the Cour de Cassation, ruled that Zeturf, a Maltese company, could operate in France. That undermined the French state monopoly.

That court had said that the monopoly was inconsistent with EU competition law.

That was this week's OUT-LAW news.

The world of European privacy policy is dominated by two Peters: Uber-regulator Peter Hustinx, who is the European data protection supervisor, and Google's global privacy counsel Peter Fleischer.

The two have been at loggerheads for some time over how our private details should be treated in an age when a company as ubiquitous as Google can know more about a person than their granny from the enormous amounts of data stored on their servers.

The two men took each other on at an online privacy debate run recently by think tank the Centre for European Policy Studies.

Google has been attacked by privacy advocates recently for adopting lax policies. One solution, they say, is for Google to simply adopt the strictest policy around to make sure that it complies with all of them.

Fleischer says it just isn't that easy.

Fleischer: People sometimes say, "oh well that’s easy, just do it to the highest common denominator," and while that is a nice slogan in practice it is not always so easy to know what that is. So it is one of the things that we need to focus on.

Privacy activists and Google have been fighting this year over the retention of Google's search and usage records. It reduced its retention of identifying information from an indefinite period to 18 months. This move was criticised by activists who believed it did not go far enough.

Google though has argued that the Data Retention Directive forces it to keep records for up to 24 months, but privacy regulators including Hustinx say it does not apply to search data.

Fleischer: Ours is a balance, I think we struck the right balance but I have no time for the extremist community that says that logs should not be retained for one second after someone conducts a search. That is not an analysis, that is ideology because what it says is, I care about privacy but I disregard all other factors. Going forward data retention, who knows? Who knows how that is all supposed to work and I do not mean to be flip I am actually trying to figure it out being one of the people it is directed at. So what exactly does it apply to in jurisdictional terms, which services of Google would it apply to and does it apply to a service provider or in what way is it established outside of the EU? What happens when every country in the EU picks a different time period, what time period do you retain things for if you can only have one time period? The longest, the shortest, an average? Or do you just pick whichever one you think is best, whatever that means? Those are really very basic questions and I am not being political, I am talking about it from a very practical point of view.

While Fleischer expressed exasperated confusion at what the Data Retention Directive might or might not mean, Hustinx was keen to remind him that he feels he knows exactly what it means.

Hustinx: That Data Retention Directive does not apply to content like searching behaviour on the net. So it may apply, yes it does apply, to some traffic data in e-mail but in terms of internet browsing behaviour it is minimal indeed, so let us not be confused about this. If Google are thinking about a search engine kind of retention that has nothing to do with a Data Retention Directive.

Fleischer responded.

Fleischer: Data retention obligations for companies are not just about the directives that we call data retention and I know that sometimes in policy circles we use that as shorthand, we always mean the data retention directive. Companies have to keep things for all kinds of other reasons, tax reasons, accounting reasons, because your customers like your advertisers might come back to you and say, "Gee you just charged me €10,000 show me why". You have to have records.

The two men also clashed on whether Google can operate more than one simple global policy, whether it can accommodate differing national laws which is something it is not keen to do. In discussing the controversial Street View application, which shows photos of US streets, pedestrians and all, Fleischer said that the service would differ once it was offered in more privacy-protective Canada. Hustinx pounced on the revelation.

Hustinx: You made an interesting point again Peter when you discussed the possibility that Street View in Canada could be different from the US - that is interesting. That is an example of ICT architecture on the net which would distinguish on jurisdiction. You would not make that point in the discussion of retention, but I think we should want to see more of that differentiation and different functionalities which is responsive to culture and legal environment.

Hustinx and Fleischer have a basic philosophical difference in how they think of solutions to privacy problems. Hustinx looks to laws and regulations, while Fleischer and Google say that they believe that technology can find the answer to the question on how to protect our privacy. He previewed an upcoming Google feature that he says will let you manage your own privacy.

Fleischer: I think we believe strongly in a technology solution rather than a very expensive cadre of lawyers or accountants to look into this and we are well under way to thinking about a digital dashboard. Picture this: it is a world where on your computer you can see every single thing that Google knows about you and control it. You can say, yes keep this and use it for this purpose; no do not keep it; yes keep it use it for this purpose but not that purpose.

Fleischer has been in the news recently calling for a global privacy standard for the 75% of the world's countries that he says have no privacy laws. He proposed adopting the policy hammered out by the Asia-Pacific Economic Community. Though privacy activists have derided this as too weak, Hustinx surprisingly offered support for one element of the proposal.

Hustinx: If we look at the APEC framework it is also interesting that at a very pragmatic approach to allow some late starters to step in. There is maybe, needless administration around it, it could be simplified. Not to free space but to make protection more effective. So I am thinking of developing, that is an interesting idea from the APEC Framework, I am quoting it all the time, that is the accountability principle, so if we can make important players accountable wherever they act, that is very much in line with what we already have and I think we could enhance that.

Hustinx and Fleischer agreed that the laws and regulations needed to change, with Hustinx admitting that major changes would be needed in around five years' time. Fleischer said that the world of regulation simply had to keep up with what amounts to an internet revolution.

Hustinx: I would expect that some five years down the road, we need to see some changes in the existing framework. Not in the principles, although some parts perhaps need to be revisited, my emphasis would be we need more flexible arrangements to make it work better, to make it more effective.

Fleischer: The architecture of the internet is such that data is flowing around the world all the time in ways that were simply unimaginable back in let's just take 1980 as an example, when the OECD principles were first being promulgated, and if you think about it the amount of data that is flowing across borders today, a quarter century later, is millions, millions of times greater than it was then. The internet, I think, is the most fundamental revolution in data collection and data transfer since the development of the printing press and that if the most fundamental revolution in the last 500 years is not going to present some challenges to traditional notices of data protection I do not think we are challenging ourselves to think things through again.

Magee: That's all we have time for this week, thanks for listening.

Why not get in touch with OUT-LAW radio? Do you know of a technology law story? We'd love to hear from you on

Make sure you tune in next week; for now, goodbye.