EU: Search Engines Under EU Rules from the Associated Press reports that European data privacy regulators said search engines outside the EU have to comply with the EU’s privacy regulations.
EU rules require that users give consent before personal information is collected and that they have the right to object to collection or can verify their information. The group of regulators, known as the Article 29 Working Party, said that collecting IP addresses or search history is gathering personal information.
How exactly search engines will be required to comply with getting consent remains to be seen, but a full report from the working group that should provide more specifics is due in April.
Google and Microsoft are waiting to see the report, but Google added that it “didn’t change its position and it is committed to working with privacy and consumer advocates as well as EU regulators to improve privacy online for all users,” according to the AP.
Postscript From Danny: Are IP addresses personal? from Google covers how the company says that in many cases, IP addresses are in no way personal information. I agree with this, as I did when the rumor that the EU might treat IP addresses as personal information first came out. My Google Anonymizing Search Records To Protect Privacy covers how IP logging works (and is fairly anonymous already) in more detail. I’d also recommend watching the Google Video on IP logging covered here, as, aside from some quibbles, it is a very clear explanation.
Here’s the key thing. The Article 29 Working Group seems to have been acting in a knee-jerk fashion since Google announced it was going to make IP data more anonymous last year. First, the group decided that Google dropping data retention from forever to two years might not be enough. Then, after criticism that it was being Google-centric, it decided to look at the other major search engines. Now it feels like the working group wants a “result” of all the effort it has put in. But there’s a problem. It’s not just search engines that log IP addresses. Virtually every web site does, and that almost certainly includes the working group’s own site. If IP addresses are personal in the EU, then ANY web site — not just search engines — is going to need consent to log them.