Google and Privacy redux

image via Battelle mediaFollowing on from my posts Who will google Google?, That was the week that was, and Watching your every move, come two articles from John Collins in today’s Irish Times (sub req’d), as well as some important developments by Google.

In Google classed as ‘hostile to privacy’, John writes:

How much information Google collects on its users and what it does with that information has once again become a burning topic for internet users.

(Disclosure: he quotes me at the end of the article. Don’t read that far). And in Blogspot, he writes:

Since Privacy International singled out Google for being involved in “comprehensive consumer surveillance and entrenched hostility to privacy”, Matt Cutts’s blog has been receiving lots of traffic. … Cutts posted “Why I disagree with Privacy International” and promptly became the top story on popular news aggregator Techmeme, as well as racking up more than 100 comments.

Since the publication of its report, Privacy International has made various claims, and has called on the major Internet companies to meet with the organization in July in San Francisco to achieve an Accord “that will provide customers with consistent and strengthened privacy protections, and to give companies a greater understanding of the key challenges”. In the meantime, Google has responded to the Article 29 Working Party‘s letter (discussed and linked here):

After considering the Working Party’s concerns, we are announcing a new policy: to anonymize our search server logs after 18 months, rather than the previously-established period of 18 to 24 months. We believe that we can still address our legitimate interests in security, innovation and anti-fraud efforts with this shorter period. However, we must point out that future data retention laws may obligate us to raise the retention period to 24 months. We also firmly reject any suggestions that we could meet our legitimate interests in security, innovation and anti-fraud efforts with any retention period shorter than 18 months. … As we build new products and services, we look forward to continuing our discussion with the Article 29 Working Party and with privacy stakeholders around the world. Our common goal is to improve privacy protections for our users.

The full text of Google’s letter is here (pdf), and it is plainly a step in the right direction. However, OUT-LAW (republished in the Register) has questioned whether Google can rely on the data retention justification:

However, a senior European data protection official told OUT-LAW today that Google cannot rely on that law as justification for its retention.

“The Data Retention Directive applies only to providers of publicly available electronic communications services or of public communication networks and not to search engine systems,” said Philippos Mitletton. Mitletton works for the European Commission’s Data Protection Unit, which itself is represented on the Article 29 Working Party, the committee of Europe’s data protection authorities.

“Accordingly, Google is not subject to this Directive as far as it concerns the search engine part of its applications and has no obligations thereof,” he said.

Oh dear. Admittedly, Google can still rely on security concerns (as explained by their Global Privacy Counsel Peter Fleischer on his own blog). But that can bring them only so far in retaining personal data. Moreover, limiting the amount of time online companies hold data about us is only one element of the necessary response. We (those who generate or are the subjects of the data being storted) should be able to have greater control over what the online companies hold. Moreover, if these companies do not themselves move towards establishing an ombudsman (see suggestions to this effect here and here) or other equivalent office, then thought will have to be given to developing a strong independent privacy czar who can oversee such companies and assert and protect the privacy of those who generated or are the subject of the data those companies are storing. Finally, there should in principle be a relatively simple meachanism by which we can opt out of any such storage, and an ombudsman or indepdent czar will be necessary to ensure that such opt outs are respected.