Following on from my posts Who will google Google?, That was the week that was, and Watching your every move, come two articles from John Collins in today’s Irish Times (sub req’d), as well as some important developments by Google.
In Google classed as ‘hostile to privacy’, John writes:
How much information Google collects on its users and what it does with that information has once again become a burning topic for internet users.
(Disclosure: he quotes me at the end of the article. Don’t read that far). And in Blogspot, he writes:
Since Privacy International singled out Google for being involved in “comprehensive consumer surveillance and entrenched hostility to privacy”, Matt Cutts’s blog has been receiving lots of traffic. … Cutts posted “Why I disagree with Privacy International” and promptly became the top story on popular news aggregator Techmeme, as well as racking up more than 100 comments.
Since the publication of its report, Privacy International has made various claims, and has called on the major Internet companies to meet with the organization in July in San Francisco to achieve an Accord “that will provide customers with consistent and strengthened privacy protections, and to give companies a greater understanding of the key challenges”. In the meantime, Google has responded to the Article 29 Working Party‘s letter (discussed and linked here):
After considering the Working Party’s concerns, we are announcing a new policy: to anonymize our search server logs after 18 months, rather than the previously-established period of 18 to 24 months. We believe that we can still address our legitimate interests in security, innovation and anti-fraud efforts with this shorter period. However, we must point out that future data retention laws may obligate us to raise the retention period to 24 months. We also firmly reject any suggestions that we could meet our legitimate interests in security, innovation and anti-fraud efforts with any retention period shorter than 18 months. … As we build new products and services, we look forward to continuing our discussion with the Article 29 Working Party and with privacy stakeholders around the world. Our common goal is to improve privacy protections for our users.
The full text of Google’s letter is here (pdf), and it is plainly a step in the right direction. However, OUT-LAW (republished in the Register) has questioned whether Google can rely on the data retention justification:
However, a senior European data protection official told OUT-LAW today that Google cannot rely on that law as justification for its retention.
“The Data Retention Directive applies only to providers of publicly available electronic communications services or of public communication networks and not to search engine systems,” said Philippos Mitletton. Mitletton works for the European Commission’s Data Protection Unit, which itself is represented on the Article 29 Working Party, the committee of Europe’s data protection authorities.
“Accordingly, Google is not subject to this Directive as far as it concerns the search engine part of its applications and has no obligations thereof,” he said.
Oh dear. Admittedly, Google can still rely on security concerns (as explained by their Global Privacy Counsel Peter Fleischer on his own blog). But that can bring them only so far in retaining personal data. Moreover, limiting the amount of time online companies hold data about us is only one element of the necessary response. We (those who generate or are the subjects of the data being storted) should be able to have greater control over what the online companies hold. Moreover, if these companies do not themselves move towards establishing an ombudsman (see suggestions to this effect here and here) or other equivalent office, then thought will have to be given to developing a strong independent privacy czar who can oversee such companies and assert and protect the privacy of those who generated or are the subject of the data those companies are storing. Finally, there should in principle be a relatively simple meachanism by which we can opt out of any such storage, and an ombudsman or indepdent czar will be necessary to ensure that such opt outs are respected.
Great post Eoin. Much better than mine. But now my head is beginning to hurt. The article 29 working party said in their letter of the 16th May to Google that..”server logs…can..be considered personal data in the meaning of Data Protection Directive 95/46/EC. For that reason their collection and storage must respect data protection rules.”
So who is right?
Is there a difference between Data Protection and Data Retention and if so what? Also it seem strange that the working party focused only on server logs and not the user database which can have even more personal information.
I would imagine that my ISP holds more information about my online activities that Google does. Can the Irish authorities say get access to my ISP logs which hold both my web traffic and search history under the 2005 Act.? Or does it just cover email and phone communications?
As i said in my post, I would like companies like search engines and ISP’s who have access to people’s traffic data to report on the number of requests that they receive, from whom they receive them and the number that they comply with.
Modestly, Liam didn’t link to his post: Google’s response on Privacy to EU Data Protection Working Party, in which he makes a number of perceptive comments about Google’s letter to the Article 29 Working Party, some of which are echoed in his message above.
Liam: thanks for the excellent response. Lots to chew on there, but I’ll take one point now if you don’t mind. There is a difference between data protection and data retention. Data protection law is all about the rights of data subjects (you, me and everybody) to have acccess to and to correct data stored about us by other people (have a look at the Data Protection Commissioner’s website about this). This is a Good Thing, and we need more of it. In fact, because Google have lots of personal data, they are subject to data protection obligations, to allow us access to the data, and to correct it; that’s the effect of the quote in your first paragraph. That is a Good Thing, though of course it doesn’t go far enough.
Data retention, on the other hand, is all about imposing on data ISPs etc an obligation to retain data about us, and allow law enforcement access to it, for a very long time (have a look at EPIC’s page about this). This is Not a Good Thing, and we need less of it, or none at all. Google’s claim is that their data retention obligations require them to keep the data. OUT-LAW’s analysis is that this is not necessarily correct.
Does this help?
Thanks Eoin. I suspect we’ll have more conversations around this particular issue.
This explains all
http://searchengineland.com/070612-041042.php#comment-2852
HI frooby,
Thanks for the link. That comment, the post to which that is a comment, and other posts on the site, are all very helpful indeed.
Eoin.
There is a vast difference between DR and DP Liam. The fundamental difference is the shield given under the Data Retention Enforcement Directive (DRED) gives safe-harbour from normal Data Protection rules.
There are vast differences in the timescales that EU Member states require telco’s to store data. Many member states have Retention regimes and Legal Interception (LI) regimes built into Law since the inception of incumbent telco’s or at beginning of market liberalisation in the EU 13/25/27 states from about 1997.
Ireland P&T Act 1983 mandated 6 years retention of traffic data, which changed in 1993 to 3 years under the P&T amendment Act. (P&T being Posts and Telegraphs), relevant section are Ss. 98 and 13 of ’93 [from memory].
There was a basic problem with this, in that the acts only applied to An Bord Telecom Eireann (BTE) or the Limited Company we know today as eircom. As new entrants arrived in Ireland the minister disproportionately directed Statutory Instruments making certain (but not all) new entrant telco’s also retain data for the same duration.
In 2003 during the Swedish and Irish presidencies of the EU, France, Sweden, UK and Ireland sponsored a Council Decision to bring forward a Data Retention Enforcement Directive (DRED). The Irish motivation being the tragedy that was Omagh and with Madrid and London soon following on the DRED grew legs. In early 2006 the Directive was voted upon and Ireland and Slovenia rejected [voted against] the EU Pillar placement of the Directive in Pillar 1 (EC) rather Pillar 3 (PJCC), this matter is being litigated by the Irish Govt under the Dept of Justice, Equality and Law Reform.
DRED goes much further that the requirements to retain telco ‘traffic data’ including [with member state scope] such items as SMS data, dynamic record retention, server logs and dial-up ISP data.
To exemplify the problems of DR. Ireland’s Counter Terrorism Act 2005 (S.63 & 64) mandates DR for 3 years etc. Italy is a period of 2 which can be extended by a judge to 4 years in duration depending on the issue.
So taking the Omagh bomb that was detonated with a prepaid GSM telephone so I am not that sure that the DRED or a flavour thereof is a bad thing once the rules/law by which retained data is recovered are strict.
Interference with Privacy Rights might be justified where required on the grounds of the protection of the constitutional rights of others, the common good and public order and morality.
I attended a conference in Brussels with DG Information Society and Justice on this and the participants displayed in mathematical terms the amound of tape and storage devices required to maintain such data [at worst] and it was quiet funny to see the figures. One might have asked whether one should buy shares in EDS or another data storage company.
Sorry for hogging your comments section Eoin.
PS: There is also a criminal sanction section in the DRED which will require special treatment I assume given our constitutional shield to EU criminal sanctions etc.
R.
Frank Pasquale has an excellent post on this on Concurring Opinions: Google Street View: All the World’s a Stage
More on the security justification for Google’s retention of data: Peter Fleischer told OUT-LAW Radio that the retention of search engine query data is a security matter and not one for Europe’s data protection officials.