The Roman poet Juvenal asked Quis custodiet ipsos custodes? (who will watch the watchers?). In a similar vein, one of Elvis Costello’s more acidic songs of loss is ‘Watching the Detectives’ (lyrics | lyrics with images | YouTube). If Google is the search engine which does (most of) our detecting for us, one of the animating questions of the moment is who is watching the Google detective on our behalf? One answer is provided by Article 29 of Directive 95/46/EC (also here) of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
This is the EU Data Protection Directive, and it is a major plank in the data protection strand of the EU’s information society policy. It has been implemented in Ireland by the Data Protection (Amendment) Act, 2003 (also here) amending the Data Protection Act, 1988 (also here). Article 29 of the Directive provides for the establishment of a Working Party on the Protection of Individuals with regard to the Processing of Personal Data. That’s a bit of a mouthful, so it’s usually simply called either the Article 29 Data Protection Working Party or even the Article 29 Working Party. It is composed of a representative from each of the EU member states’ data protection authorities (the Irish member is the Data Protection Commissioner), and of various EU representatives. It is one of many such official and quasi-official data privacy watchdogs; the International Conference of Data Protection and Privacy Commissioners (ICDPPC) had already founded the International Working Group on Data Protection in Telecommunications (IWGDPT) in 1983. This all might seem more than a bit arcane, except that the Article 29 Working Group is in the news this weekend, as the detective watching Google.
Google has been told that it may be breaking European privacy laws by keeping people’s search information on its servers for up to two years. … The Article 29 group … has asked Google to clarify its policy.
In particular, according to c|netNews.com:
The issue surrounds Google’s policy of anonymizing its server logs after 18 to 24 months. According to a Commission source, the advisory group is concerned with how the information is managed, rather than the length of time it is stored.
More to the point, SiliconValley.com are reporting that the Article 29 Working Group have the support of EU Justice Commissioner Franco Frattini:
EU spokesman Pietro Petrucci said Friday that … Commissioner … Frattini … “considers those questions raised by the letter to be appropriate and legitimate,” …
Google will tell European regulators that it needs to hold on to users’ search data for up to two years for security and commercial reasons … The world’s top Internet search engine said Friday it would respond by June 19 to a letter from a European Union data protection advisory group expressing concern it was keeping information on users’ searches for too long.
“The concern of EU law is that a company that collects data on its customers should keep it as long as it is necessary, but not longer,” Peter Fleischer, Google’s global privacy counsel, told Reuters in a telephone interview.
This is an important development in the protection of our online privacy. And, in principle – as the image (above left) from John Battelle’s blog conveys – it applies not just to Google but all the other search engines as well. Watch Google. Watch the search engines. As John Battelle says of this: watch this space.
(Disclosure: many of the links in this post were found using Google’s search engine!)
Update (5 June 2006): Data Protection Thinker has an informative post and some extremely well-chosen links for further reading on this issue, including the text (pdf) of the letter from the Article 29 Working Party to Google.