Tsibouris & Associates Home | Practice Areas | Attorneys | Contact | Publications | Clients | Blog Home

Wednesday, June 06, 2007

Google's EU Data Protection Issues

On May 16, 2007, the Article 29 Data Protection Working Party sent Google a letter praising Google's efforts in improving its privacy practices. However, the Article 29 Working Party questioned Google's storage of server logs of 18-24 months.

Why should Google, a company based in the United States, care about what the EU says? Simply, the Article 29 Working Party states:

Although Google's headquarters are based in the United States, Google is under legal obligation to comply with European laws, in particular privacy laws, as Google's services are provided to European citizens and it maintains data processing activities in Europe, especially the processing of personal data that takes place at its European centre.

That said, why does the EU care about server logs being kept for 18-24 months. Well, first, server logs are information that can be linked to an identified or identifiable natural person. This fact falls within the definition of "personal data" of Data Protection Directive 95/46/EC. The processing of server logs is tantamount to the processing of personal data and thus subject to the Data Protection Directive.

Article 6(e) requires that the personal data be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed."

The Article 29 Working Party is concerned that Google has not sufficiently specified the purposes for which the server logs are to be kept. So the WP specifically asked Google to clarify why this long storage period was chosen and to specify Google's legal justification for the storage of server logs in general.

The Article 29 Working Party also questioned Google's use of cookies that last approximately 30 years. The WP stated that the lifetime of the google cookie is disproportionate with respect to the purpose of the data processing which is performed and goes beyond what seems to be strictly necessary for the provision of the service, within the meaning of Article 5(3) of the ePrivacy Directive 2002/58/EC.

The Article 29 Working Party will deal with the above issues at its June 2007 meeting and requested Google to respond to their concerns.

While I've not seen a formal response from Google, its global privacy counsel, Peter Fleischer, stated to Reuters that "I will tell the working party that Google needs to hold on to its log database to protect itself and the system from attacks and refine and improve the effectiveness of our search results." (eWeek)

Further, Mr. Fleischer posed the post Why does Google remember information about searches on the Official Google Blog on May 11, 2007. Mr. Fleischer outlined three critical factors in deciding upon the 18-24 month period: (1) to improve Google's services, (2) to maintain security and prevent fraud and abuse, and (3) to comply with legal obligations to retain data.

In its explanation to the third factor, in light of the Article 29 Working Party letter, it's interesting that Mr. Fleischer stated that "Google may be subject to the EU Data Retention Directive, which was passed last year, in the wake of the Madrid and London terrorist bombings, to help law enforcement in the investigation and prosecution of "serious crime."

Labels: ,