cearta.ie

the Irish for rights

Google and Privacy redux

Following on from my posts Who will google Google?, That was the week that was, and Watching your every move, come two articles from John Collins in today’s Irish Times (sub req’d), as well as some important developments by Google.

In Google classed as ‘hostile to privacy’, John writes:

How much information Google collects on its users and what it does with that information has once again become a burning topic for internet users.

(Disclosure: he quotes me at the end of the article. Don’t read that far). And in Blogspot, he writes:

Since Privacy International singled out Google for being involved in “comprehensive consumer surveillance and entrenched hostility to privacy”, Matt Cutts’s blog has been receiving lots of traffic. … Cutts posted “Why I disagree with Privacy International” and promptly became the top story on popular news aggregator Techmeme, as well as racking up more than 100 comments.

Since the publication of its report, Privacy International has made various claims, and has called on the major Internet companies to meet with the organization in July in San Francisco to achieve an Accord “that will provide customers with consistent and strengthened privacy protections, and to give companies a greater understanding of the key challenges”. In the meantime, Google has responded to the Article 29 Working Party’s letter (discussed and linked here):

After considering the Working Party’s concerns, we are announcing a new policy: to anonymize our search server logs after 18 months, rather than the previously-established period of 18 to 24 months. We believe that we can still address our legitimate interests in security, innovation and anti-fraud efforts with this shorter period. However, we must point out that future data retention laws may obligate us to raise the retention period to 24 months. We also firmly reject any suggestions that we could meet our legitimate interests in security, innovation and anti-fraud efforts with any retention period shorter than 18 months. … As we build new products and services, we look forward to continuing our discussion with the Article 29 Working Party and with privacy stakeholders around the world. Our common goal is to improve privacy protections for our users.

The full text of Google’s letter is here (pdf), and it is plainly a step in the right direction. However, OUT-LAW (republished in the Register) has questioned whether Google can rely on the data retention justification:

However, a senior European data protection official told OUT-LAW today that Google cannot rely on that law as justification for its retention.

“The Data Retention Directive applies only to providers of publicly available electronic communications services or of public communication networks and not to search engine systems,” said Philippos Mitletton. Mitletton works for the European Commission’s Data Protection Unit, which itself is represented on the Article 29 Working Party, the committee of Europe’s data protection authorities.

“Accordingly, Google is not subject to this Directive as far as it concerns the search engine part of its applications and has no obligations thereof,” he said.

Oh dear. Admittedly, Google can still rely on security concerns (as explained by their Global Privacy Counsel Peter Fleischer on his own blog). But that can bring them only so far in retaining personal data. Moreover, limiting the amount of time online companies hold data about us is only one element of the necessary response. We (those who generate or are the subjects of the data being stored) should be able to have greater control over what the online companies hold. Moreover, if these companies do not themselves move towards establishing an ombudsman (see suggestions to this effect here and here) or other equivalent office, then thought will have to be given to developing a strong independent privacy czar who can oversee such companies and assert and protect the privacy of those who generated or are the subject of the data those companies are storing. Finally, there should in principle be a relatively simple mechanism by which we can opt out of any such storage, and an ombudsman or independent czar will be necessary to ensure that such opt outs are respected.

11 Responses to “Google and Privacy redux”

  1. liam says:

    Great post Eoin. Much better than mine. But now my head is beginning to hurt. The article 29 working party said in their letter of the 16th May to Google that..”server logs…can..be considered personal data in the meaning of Data Protection Directive 95/46/EC. For that reason their collection and storage must respect data protection rules.”

    So who is right?

    Is there a difference between Data Protection and Data Retention and if so what? Also it seems strange that the working party focused only on server logs and not the user database which can have even more personal information.

    I would imagine that my ISP holds more information about my online activities than Google does. Can the Irish authorities say get access to my ISP logs which hold both my web traffic and search history under the 2005 Act? Or does it just cover email and phone communications?

    As I said in my post, I would like companies like search engines and ISPs who have access to people’s traffic data to report on the number of requests that they receive, from whom they receive them and the number that they comply with.

  2. Eoin says:

    Modestly, Liam didn’t link to his post: Google’s response on Privacy to EU Data Protection Working Party, in which he makes a number of perceptive comments about Google’s letter to the Article 29 Working Party, some of which are echoed in his message above.

    Liam: thanks for the excellent response. Lots to chew on there, but I’ll take one point now if you don’t mind. There is a difference between data protection and data retention. Data protection law is all about the rights of data subjects (you, me and everybody) to have access to and to correct data stored about us by other people (have a look at the Data Protection Commissioner’s website about this). This is a Good Thing, and we need more of it. In fact, because Google have lots of personal data, they are subject to data protection obligations, to allow us access to the data, and to correct it; that’s the effect of the quote in your first paragraph. That is a Good Thing, though of course it doesn’t go far enough.

    Data retention, on the other hand, is all about imposing on data ISPs etc an obligation to retain data about us, and allow law enforcement access to it, for a very long time (have a look at EPIC’s page about this). This is Not a Good Thing, and we need less of it, or none at all. Google’s claim is that their data retention obligations require them to keep the data. OUT-LAW’s analysis is that this is not necessarily correct.

    Does this help?

  3. liam says:

    Thanks Eoin. I suspect we’ll have more conversations around this particular issue.

  4. Eoin says:

    Hi frooby,

    Thanks for the link. That comment, the post to which that is a comment, and other posts on the site, are all very helpful indeed.

    Eoin.

  5. […] I appreciated the attention paid to the role of search engines, data controllers and others; Google comes in for predictable criticism (and remember that the book was written before the current upping of the ante. […]

  6. Ronan says:

    There is a vast difference between DR and DP Liam. The fundamental difference is the shield given under the Data Retention Enforcement Directive (DRED) gives safe-harbour from normal Data Protection rules.

    There are vast differences in the timescales that EU Member states require telcos to store data. Many member states have Retention regimes and Legal Interception (LI) regimes built into Law since the inception of incumbent telcos or at beginning of market liberalisation in the EU 13/25/27 states from about 1997.

    Ireland P&T Act 1983 mandated 6 years retention of traffic data, which changed in 1993 to 3 years under the P&T amendment Act. (P&T being Posts and Telegraphs), relevant sections are Ss. 98 and 13 of ’93 [from memory].

    There was a basic problem with this, in that the acts only applied to An Bord Telecom Eireann (BTE) or the Limited Company we know today as eircom. As new entrants arrived in Ireland the minister disproportionately directed Statutory Instruments making certain (but not all) new entrant telcos also retain data for the same duration.

    In 2003 during the Swedish and Irish presidencies of the EU, France, Sweden, UK and Ireland sponsored a Council Decision to bring forward a Data Retention Enforcement Directive (DRED). The Irish motivation being the tragedy that was Omagh and with Madrid and London soon following on the DRED grew legs. In early 2006 the Directive was voted upon and Ireland and Slovenia rejected [voted against] the EU Pillar placement of the Directive in Pillar 1 (EC) rather than Pillar 3 (PJCC), this matter is being litigated by the Irish Govt under the Dept of Justice, Equality and Law Reform.

    DRED goes much further than the requirements to retain telco ‘traffic data’ including [with member state scope] such items as SMS data, dynamic record retention, server logs and dial-up ISP data.

    To exemplify the problems of DR. Ireland’s Counter Terrorism Act 2005 (S.63 & 64) mandates DR for 3 years etc. Italy is a period of 2 which can be extended by a judge to 4 years in duration depending on the issue.

    So taking the Omagh bomb that was detonated with a prepaid GSM telephone so I am not that sure that the DRED or a flavour thereof is a bad thing once the rules/law by which retained data is recovered are strict.

    Interference with Privacy Rights might be justified where required on the grounds of the protection of the constitutional rights of others, the common good and public order and morality.

    I attended a conference in Brussels with DG Information Society and Justice on this and the participants displayed in mathematical terms the amount of tape and storage devices required to maintain such data [at worst] and it was quite funny to see the figures. One might have asked whether one should buy shares in EDS or another data storage company.

    Sorry for hogging your comments section Eoin.

    PS: There is also a criminal sanction section in the DRED which will require special treatment I assume given our constitutional shield to EU criminal sanctions etc.

    R.

  7. Eoin says:

    Frank Pasquale has an excellent post on this on Concurring Opinions: Google Street View: All the World’s a Stage

  8. Eoin says:

    More on the security justification for Google’s retention of data: Peter Fleischer told OUT-LAW Radio that the retention of search engine query data is a security matter and not one for Europe’s data protection officials.

  9. […] Working Party released an opinion (Opinion 1/2008, WP 148: pdf; background on this blog here and here) concerning the applicability of the Data Protection Directive (95/46/EC) and the Data Retention […]

Welcome

Hi there! Thanks for dropping by. I'm Eoin O'Dell, and this is my blog: Cearta.ie - the Irish for rights.

"Cearta" really is the Irish word for rights, so the title provides a good sense of the scope of this blog.

In general, I write here about private law, free speech, and cyber law; and, in particular, I write about Irish law and education policy.

Licence

This blog is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License. I am happy for you to reuse and adapt my content, provided that you attribute it to me, and do not use it commercially. Thanks. Eoin