Article 29 WP asks for more data protection from search engine operators
In a letter addressed to the three big IT companies Google, Yahoo and Microsoft on 26 May 2010, the Article 29 Working Party (WP29), the EU's independent group of privacy regulators, expressed concerns about data protection issues and urged the companies to improve online privacy.
The group's letter explains that a person's search history contains a footprint of that person's interests, relations, and intentions "and should rightly be treated as highly confidential personal data". It calls for a limit on the retention period for personal data, a reduced ability to identify users in the search logs, and the creation of an audit process involving an independent, external auditing entity.
WP29's action follows its analysis of the answers received from the search engine operators after WP29 issued an opinion in March 2008 explaining the specific obligations of search engine providers under the EU data protection directive.
The WP29 opinion addressed the risks of incomplete anonymisation of users: "Even where an IP address and cookie are replaced by a unique identifier, the correlation of stored search queries may allow individuals to be identified."
Google committed to anonymising IP addresses in its server logs after nine months by deleting the last octet of the IP address, but WP29 believes that this measure "does not prevent identifiability of data subjects". After analysing Google's answer, WP29 welcomed the company's commitment to a reduced retention period but strongly suggested that it should review its policy in order to "bring it into line with the recommended period of a maximum of 6 months" of the European data retention law. "Pursuant to the data protection directive the retention period should be no longer than necessary for the specific purposes of the processing, after which the data should be deleted," said the recent letter.
Another criticism of Google is that the company retains cookies for a period of 18 months. "This would allow for the correlation of individual search queries for a considerable length of time. It also appears to allow for easy retrieval of IP-addresses, every time a user makes a new query within those 18 months." WP29 concludes that the company does not comply with the European data protection directive.
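The following added example (not part of the original article, and not any search engine's actual code) illustrates the two criticisms above: when the last octet is deleted from old log entries but the cookie identifier is kept, old queries stay linked to each other and the full IP address can be read back from a newer entry with the same cookie. The log layout, cookie IDs, queries and the 270-day approximation of "nine months" are assumptions; the addresses come from documentation ranges.

```python
from datetime import date, timedelta
import ipaddress

# Assumption: "after nine months" approximated as 270 days.
IP_TRUNCATE_AFTER = timedelta(days=270)
TODAY = date(2010, 5, 26)

# Constructed sample log: (day, client IP, cookie ID, query)
LOG = [
    (date(2009, 6, 1),  "192.0.2.57",   "c-1001", "clinic opening hours"),
    (date(2009, 7, 15), "192.0.2.57",   "c-1001", "family law advice"),
    (date(2010, 5, 1),  "192.0.2.57",   "c-1001", "train times"),
    (date(2009, 6, 10), "198.51.100.9", "c-2002", "job listings"),
]

def truncate_last_octet(ip):
    """Zero the last octet of an IPv4 address (keep the /24 prefix)."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False).network_address)

def apply_policy(log, today):
    """Truncate IPs of entries older than the cut-off; cookies are retained."""
    stored = []
    for day, ip, cookie, query in log:
        if today - day > IP_TRUNCATE_AFTER:
            ip = truncate_last_octet(ip)
        stored.append((day, ip, cookie, query))
    return stored

def relink(stored, today):
    """Recover full IPs for truncated entries via newer entries with the same cookie."""
    recent = {}  # cookie -> full IPs seen inside the cut-off window
    for day, ip, cookie, _ in stored:
        if today - day <= IP_TRUNCATE_AFTER:
            recent.setdefault(cookie, set()).add(ip)
    recovered = []
    for day, ip, cookie, query in stored:
        if today - day > IP_TRUNCATE_AFTER:
            # A newer full IP is a candidate if it falls in the retained /24.
            matches = sorted(c for c in recent.get(cookie, ())
                             if truncate_last_octet(c) == ip)
            if matches:
                recovered.append((query, cookie, matches))
    return recovered

if __name__ == "__main__":
    for hit in relink(apply_policy(LOG, TODAY), TODAY):
        print(hit)
```

The entry for cookie `c-2002` is not re-linked only because no newer query carries that cookie; a single later query within the cookie lifetime would link it as well.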
Yahoo! had committed to anonymising its search logs after 90 days "with limited exceptions for fraud, security and legal obligations" and to deleting full IP addresses, not just the last octet, but WP29 reached the conclusion that "a partial deletion of the personal data contained in search logs does not constitute true anonymisation." The letter also expressed concern that the company had not provided enough information about its techniques for anonymising users' identifiers and cookies, and concluded that Yahoo! did not comply with the European data protection directive either.
Microsoft's commitment was to de-identify cookies immediately after a search query, to delete the IP address associated with the search query after six months and to remove the de-identified cookie ID and any other remaining cross-session identifiers after 18 months. WP29, however, believes that all cookies should be deleted after six months. "According to a technical paper describing the process of de-identification, you apply a de-identification procedure and hash to the cookies from registered users after 6 months, but you apparently retain the cookies of unregistered users for a period of 18 months," says the letter, adding that the term "anonymous ID" is not quite appropriate as it seems to allow for the cross-matching of search queries for a rather long time. "Secondly, you have not provided enough information about the techniques of hashing to technically assess the quality of your anonymisation policy," says WP29, concluding that Microsoft does not comply with the European data protection directive either.
The group sent a copy of the letter to the US Federal Trade Commission and asked the US body to verify the behaviour of the three companies under the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices in the marketplace.
A copy of the letter was also sent to Viviane Reding, vice-president of the European Commission responsible for justice, fundamental rights and citizenship.