EU wants search engines to delete data
BRUSSELS, Belgium (AP) - Aoril 9, 2008 The new report from the EU-funded privacy watchdog recommended
that search engines follow European data protection rules
regardless of their headquarters' location.
Although the watchdog has no policy powers, its report could
lead to stricter privacy rules. The EU's executive, the European
Commission, is currently redrafting data-protection rules for the
27-nation bloc.
The panel's report said search engines fall under EU laws if
they collect users' numeric Internet Protocol, or IP, addresses or
track search history using a unique ID on small data files called
cookies installed on users' computers.
Most search engines, including Google Inc., Yahoo Inc.,
Microsoft Corp.'s MSN and Time Warner Inc.'s AOL, do so to gather
insights on usage.
Germany's data protection commissioner Peter Scharr said in
January that IP addresses should generally be regarded as personal
information.
IP addresses consist of a string of numbers that identifies
individual computers on the Internet so that a search engine would
know where to return results.
Search engines have generally regarded IP addresses as anonymous
information because they aren't necessarily linked to personal data
about individuals. However, they can reveal the individual's
location or service provider, from which a company or government
agency armed with a subpoena can track down the individual.
Treating IP addresses as personal information would have
implications for how search engines record the data they need to
understand search patterns and correctly bill online advertisers
for the number of times their ad is viewed.
The data can be a boon to advertisers for targeting pitches
based on a user's taste for particular clothing, music or cars, but
search companies also say the data help them make products better
and safer.
"This perspective - the ways in which data is used to improve
consumers' experience on the Web - is unfortunately sometimes
lacking in discussions about online privacy," Peter Fleischer,
Google's global privacy counsel, wrote on a company blog this week.
Whether or not an IP address is personal information, he added,
should depend on how the data are being used.
Search engines have already gone some way to responding to
privacy concerns. Google was the first to cut the time it stored
search information to 18 months. Microsoft now has an 18-month
policy, while Yahoo and AOL retain search requests for 13 months.
But EU watchdog said it "does not see a basis for a retention
period beyond six months."
The group of privacy officers said information recorded on
users, such as what search terms were used and whether users
clicked on any of the results, should be erased after that time to
better protect the privacy of users and to avoid any possible
misuse of the data.
"If personal data are stored, the retention period should be no
longer than necessary for the specific purposes of the
processing," the report said. "Therefore, after the end of a
search session, personal data could be deleted and continued
storage ... needs an adequate justification."
The panel also slammed the search companies for failing to
properly inform users on why some data are needed to perform
searches on their sites. It said the search engines have
"insufficiently explained" to customers what they are retaining
the data for.
Google's Fleischer told EU lawmakers in January that Google
collects IP addresses to give customers a more accurate service
because it knows what part of the world a search result comes from
and what language they use - and that was not enough to identify an
individual user.
He said the way Google stores IP addresses meant one of them
forms part of a crowd, giving valuable information on general
trends without infringing on an individual's privacy.