Google and European data protection authorities: time to collaborate

Google reaffirmed its wish to collaborate with European data protection authorities and announced that it will reduce its retention period to 9 months. But in substance, Google refuses for the moment to submit to the European data protection law.

Google reacts to the Article 29 Working Party oppinion published On April 4, 2008 about search engines, reaffirming the applicability of the European data protection law, recommending a maximum retention period of 6 months and indicating that web users must be able to provide consent to the exploitation of their data in particular for profiling purposes. The two announced changes are:

  1. From now on, IP addresses associated with the requests carried out on the search engine will be anonymized after 9 months (instead of 18 as it is now the case) .
  2. A link to Google’s privacy policy appears on its homepage.

Strong disagreements remain in some issues because Google:

  • Considers that the European law on data protection is not applicable to itself, even though Google has servers and establishments in Europe.
  • Wishes to retain personal data of users beyond the 6 months period requested by the Article 29 Working Party, without any justification.
  • Does not make any improvement to its anonymization mechanisms, which are still insufficient.
  • Considers that IP addresses are confidential data but not personal data, which prevents granting certain rights to its users.
  • Does not express the willingness to improve and clarify the methods that are used to gather the consent of its users.

What is the Article 29 Data Protection Working Party

The Working Party has been established by Article 29 of Directive 95/46/EC. It is the independent EU Advisory Body on Data Protection and Privacy. Its tasks are laid down in Article 30 of Directive 95/46/EC and in Article 14 of Directive 97/66/EC. It is composed by the Data Protection Authority of the 27 European Member States.

The Working Party was set up to achieve several primary objectives:

  • To provide expert opinion from member state level to the Commission on questions of data protection.
  • To promote the uniform application of the general principles of the Directives in all Member States through co-operation between data protection supervisory authorities.
  • To advise the Commission on any Community measures affecting the rights and freedoms of natural persons with regard to the processing of personal data and privacy.
  • To make recommendations to the public at large, and in particular to Community institutions on matters relating to the protection of persons with regard to the processing of personal data and privacy in the European Community.