• retent

    Regarding..

    “Google Keeps Data Up To 24 Months Because The EU Tells It To: Some EU members may require companies to retain data up to two years…All this seems pretty easily knowable by the Working Group, and asking about it feels like a bit of written theater.”

    Dude, if you want to understand the EU Data Retention saga, read this paper
    http://www.law.ed.ac.uk/ahrc/script-ed/vol3-4/rauhofer.asp

    The point is that EU Data Retention applies to ISPs and telcos, and there’s some argument about webmail. No way does it apply to search engines, and nobody ever suggested it did until Google started blowing this smoke. Contrary to the Google Art.29 reply, there is no ambiguity about whether a search engine is an “electronic communication service provider” – it ain’t, and that’s settled terminology across three other Directives.

    The Directive is here
    http://europa.eu.int/eur-lex/lex/LexUriServ/site/en/oj/2006/l_105/l_10520060413en00540063.pdf

    …and the retention obligations on ISPs and telcos are in Article 5 – it’s obvious they don’t apply to search engines (only references to “Internet access, Internet e-mail and Internet telephony”)

    Moreover

    “Recital 13: This Directive relates only to data generated or processed as a consequence of a communication or a communication service and does not relate to data that are the content of the information communicated…”

    “Recital 23: Given that the obligations on providers of electronic communications services should be proportionate, this Directive requires that they retain only such data as are generated or processed in the process of supplying their communications services. To the extent that such data are not generated or processed by those providers, there is no obligation to retain them…”

    The EU cannot prohibit individual EU countries imposing further (“national security”) requirements which *could* include search engine logs (or my pet tortoise’s iris scan), but no country has done so, and if they did they would have to explain to the European Court of Human Rights (nothing to do with EU BTW) why that was “necessary” in a democratic society.

  • http://searchengineland.com Danny Sullivan

    Thanks for the links. I gather Google will disagree on the blowing smoke part, but perhaps you’re right.

    Let’s assume so. Issue still doesn’t go away. Why restrict Google from keeping server logs that are relatively incomplete about particular people (they only see a limited amount of what you do) when ISPs are being told to keep more complete data longer. Making Google (or any site) destroy the data faster than ISPs doesn’t necessarily protect privacy, when that data is still accessible (and leakable) by ISPs.

    Moreover, it still doesn’t let the Working Group off the hook, sorry. If they know this isn’t applicable to search engines, then again, why not say that right up front in the letter (IE: Please don’t argue that point). And again, why not again go after other major search engines at the same time. It still smack of political theater.

  • retent

    “Why restrict Google from keeping server logs that are relatively incomplete about particular people (they only see a limited amount of what you do) when ISPs are being told to keep more complete data longer”

    - The Data Retention Directive means ISPs will have to retain logs of the changing dynamic IP addresses assigned to customers, BUT ISPs don’t have to retain web traffic passing through. In fact it would be illegal for them to do so under Data *Protection* Directive, and this is reinforced and made explicit by Recitals 12 and 23 above.

    “Making Google (or any site) destroy the data faster than ISPs doesn’t necessarily protect privacy, when that data is still accessible (and leakable) by ISPs.”

    - now you see from previous why that’s not true? The Retention Directive is a privacy monstrosity, but not anything like as monstrous as search retention

    “..doesn’t let the Working Group off the hook, sorry. If they know this isn’t applicable to search engines, then again, why not say that right up front in the letter”

    - the Art.29 letter to Google doesn’t mention the *Retention* Directive at all! Why should they tell Google pre-emptively not to cite some manifestly inapplicable law?

  • http://searchengineland.com Danny Sullivan

    Thanks again for the points. If the data retention law really doesn’t require ISP to maintain records of web traffic going through them, yep, less of an issue. It’s odd that press accounts report the opposite — and even odder, then, why the law was passed at all. ISPs would have relatively little info of use.

    Why mention the data retention act at all? Because the Working Group knows it would come up.

    That’s the main point I have in all this. I’m not — NOT — saying that Google has no privacy issues. But I am saying that this Working Group letter was stage theater. Everything they asked, they could get answers to directly from statements Google has already published, first-hand statements. So why ask what’s been answered? Answer, to look like you are doing something. And they did — they got Google to cut back to 18 months from 24.

    Big whoop. Microsoft and Yahoo still keep far longer than that, but the Working Group doesn’t seem to care, because neither was in the news recently. That’s how I interpret their letter. And that’s disappointing to me, because if there were real concerns they had about Google, they were applicable to others and similar letters should have gone out. That’s not an excuse for Google to say, “We’re just going what others do.” It’s a criticism for this group for not stepping up and doing what I presume its job actually is.

  • http://sethf.com/ Seth Finkelstein

    “It’s odd that press accounts report the opposite …”

    Danny, how often do *US* press account of a *European* law get it right? I’ve got an email tax for you.

    Google plays geeks like a fiddle. They’ve practically fabricated that EU retention directive reason, and no amount of experts pointing out that it is a fabricated reason makes a significant dent in the packaged-for-public-fear story.

  • retent

    Seth nailed it

    Google can’t say there weren’t warned – they were at the conference where this was decided in Nov 2006
    http://ec.europa.eu/justice_home/fsj/privacy/news/docs/pr_google_annex_16_05_07_en.pdf

    “Many IP-logs, especially when combined with respective data stored with access providers, allow for the identification of users…

    [search engines] …specifically, they shall not record any information about the search that ***can*** be linked to users or about the search engine users themselves. After the end of a search session, ***no*** data that can be linked to an individual user should be kept stored unless the user has given his
    explicit, informed consent to have data necessary to provide a service stored (e.g. for use in future searches)”

    There’s a pretty big gap between search queries with identifiable IP-addresses for 18 months, rather than NONE AT ALL (identifiable) without express consent. This has all been a big 6-month snow job by Google to make believe 18 months compulsory retention is other than insane. And PI whacked ‘em off course in mid-flack. Good on PI.

  • http://searchengineland.com Danny Sullivan

    Reality check. They didn’t do this because of PI. They did this because of the EU. If anything, PI is simply riding in on the EU’s coattails.

    Then it’s a snowjob by Google? Hey they have flacks, they do PR, sure. But then again, they are the only major search engine to first come out with a 2 year limit, which is now 18 month. Can’t say Microsoft and Yahoo weren’t warned, either.

    What you can say is that when Google actually did something to reduce data retention, it got a big PR brick in the eye from the EU.

    Microsoft and Yahoo got to keep doing whatever they want without any attention or public pressure, despite them being on par as privacy threats. Heck, both of them have user data going back years longer than Google, since they are older companies.

    I can’t keep repeating over and over that I agree Google has privacy issues. I’m not excusing them of that. But why cut slack on the EU privacy group that attacks the only company that actually did something, for reasons that frankly smack of publicity generating than actually trying to protect users? And how long does the EU keep server data again? Because when I looked, that wasn’t listed on their site.

  • retent

    http://europa.eu/geninfo/legal_notices_en.htm#personaldata

    That’s an excellent point – they don’t. Maybe it would be fun for your next blog on this stuff to complain to :

    http://www.edps.europa.eu/EDPSWEB/Jahia/lang/en/pid/32
    (it’s their job to regulate)

    Would make an interesting story for someone from US to argue a beef with European privacy

  • retent

    http://www.out-law.com/page-8147
    Data retention laws do not cover Google searches, says Europe”

    Google is not bound by the Data Retention Directive when it comes to search engine logs, Europe’s data protection committee has said. Google has used the Directive to justify keeping data, but OUT-LAW has learned that the law does not apply.

  • http://searchengineland.com Danny Sullivan

    I’m based out of the UK, so I might not be the best for that test case :)

    That’s a great article. I cut all but the opening paragraph since we can’t reprint without permission, but yep, that seems to settle Google’s questions about whether that particular law applies. But see — someone from the Data Retention group was also on the Data Protection group. So when sending that letter to Google, why not say something from the start like:

    “We don’t know why you are storing this data so long. We’ve seen you justify this in part by suggesting EU law might require it, but that’s not the case according to blah blah.”

    Anyway, apparently the Working Group is happy. From the AP:

    The EU justice and home affairs commissioner welcomed a letter sent by Google officials to an independent EU data protection panel earlier this week in which the company said it would raise its data privacy standards for all users.

    “It is indeed a good step, I have appreciated the commitment of Google not only to meet our expectations in terms of protection of privacy or better on cutting the time and reducing the time of retention of personal data,” Frattini said.