EU privacy watchdogs say any processor must obey EU rules

Europe's data protection watchdogs have said that internet companies that do any personal data processing in Europe must comply with its privacy laws even if they are based outside of Europe.

26 Feb 2008

The Article 29 Working Party, a committee of all of the EU countries' privacy or data protection commissioners, said that its data protection rules must apply to personal data processed by companies that do not even have offices in the EU.

"[The EU's] provisions also apply to such controllers who have their headquarters outside the EU, but only an establishment in one of the EU Member States, or who use automated equipment based in one of the Member States for the purposes of processing personal data," said a Working Party statement.

The EU's privacy watchdogs are locked in a battle with search engine companies such as Google over the processing of personal data. There are debates about whether companies are subject to the EU's rules as well as what those rules mean.

The Working Party met late last week to appoint a new chairman and discuss its progress in trying to force internet content providers to comply with its rules. It claims that companies' practice of keeping a record of what internet (IP) addresses gave rise to what searches is in breach of the Data Protection Directive, which imposes obligations on firms processing personal data.

Companies such as Google have argued that they are forced to keep the information by the Data Retention Directive, which demands that communications data be retained for up to two years to help law enforcement agencies. The Working Party believes that the Data Retention Directive only applies to telecoms firms, not content companies.

"As the use of search engines becomes a daily routine for an ever growing number of citizens, the protection of the users’ privacy and the guaranteeing of their rights, such as the right to access to their data and the right to information as provided for by the applicable data protection regulations, remain the core issues of the ongoing debate," said the Working Party, which is shortly expected to publish the results of an investigation into search engine company practices.

"Search engines fall under the EU Data Protection Directive 95/46/EC if there are controllers collecting users’ IP addresses or search history information, and therefore have to comply with relevant provisions," it said.

These provisions would mean that the way that companies use personal information would be more tightly controlled than if they did not apply. Under the rules, users must agree to the collection of their data and have the right to verify information collected or object to its storage, the Working Party said.

There is an ongoing debate about whether or not IP addresses count as personal data and are therefore covered by the Data Protection Directive. Peter Schaar, outgoing chair of the Working Party and German Federal Data Protection Commissioner, recently told OUT-LAW Radio that the addresses must mostly be taken to be personal data.

"In most cases IP addresses have to be seen as personal related and therefore the European Directive on Data Protection covers also the use of IP addresses," he said. "I understand that under specific circumstances IP addresses are not personal related, but in general we would say as data protection authorities IP addresses are personal data because they identify indirectly the user of computer systems connected to the internet."

Schaar also said that the Data Retention Directive does not apply to such information, and that companies are not obliged to store IP logs.

"A service like Google search and other search engines are not covered by the Retention Directive," said Schaar. "This only covers internet access services and telecommunications services like email providers. The general obligation from the European Data Protection law is that the data must be deleted as soon as possible."