Slashdot Mirror


EU Recommends Slashing Search Data Retention

Wayland writes "The European Union's Article 29 Working Group has completed its PDF report on data protection and search engines. The group recommends that search engines only be allowed to hold onto search data for six months. 'To hang onto data for longer, search engine operators will need to show that such data is "strictly necessary" to offer the service. Google and others have long said that they need to retain data in order to refine search results, prevent click fraud, and launch new services like spell check (which, in Google's case, was built from user search data). In addition, the data that is kept will need to be guarded more closely. The working group concluded that IP addresses could be used to identify individuals; if not by the search engine itself, then by law enforcement or after a subpoena.'"

6 of 93 comments

  1. DataProtection Act by Kupfernigk · · Score: 4, Informative
    In Europe we have Euronorms relating to data protection that must be embodied in the laws of every member state. The answer to your question is contained in those norms.

    Briefly, so long as data is personally identifiable you must show that you are not retaining it longer than necessary. If I summarise or analyse data and remove information which makes it personally identifiable - names, addresses, telephone numbers, email accounts - then it is not covered.

    IMHO the US stands in need of a Data Protection Act, as an amendment to the Constitution. The present Administration seems to be looking for ways of keeping track of its citizens which avoid the Constitution. Technically in Europe it is probably illegal to send personal data via GMail - because it is exporting it to a country that does not meet European standards for personal data protection.

    --
    From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
  2. Re:This isn't SE-exclusive by FornaxChemica · · Score: 2, Informative

    The referrer field also contains the line from the search engine by which the user came to your site. So if someone types "child porn" and for some reason ends up in your non-malevolent site, you can see his query and his IP.

  3. Re:Tracking and identifying a piece of data. by duvel · · Score: 3, Informative
    Actually, the goal of the data protection law is that IT systems are not allowed to keep any 'personal' information longer than 6 months.

    'Personal' information is any information that can be linked to a person. This can be an (IP-)address, phone number, birth date and other data that is generally seen as being personal, but also information like the URLs visited by a person, or the e-mails sent to a person. The 6 months start counting as soon as a system no longer absolutely needs the data for its day-to-day operation.

    As an example, http-logs showing which ip-address visited what URL can be retained for a maximum of 6 months. If you send out snail-mails to a bunch of subscribers, then you are obligated to delete the address of your subscriber at most 6 months after he unsubscribes (or after he dies). If you still need the personal data (e.g. you need people's addresses to be able to send them invoices as long as they still have a contract with your company) then you are of course allowed to store that data. It also means that any statistics that you need to make on customer-related data will have to be made before that data is deleted, and the statistics cannot contain any information which would allow them to be tied to a person.

    Another part of the data protection law mandates that a person has to be informed of every storage of his personal data, and has the right to look into that data and update it if there are errors in it.

    All in all, the law ensures that Europeans can be pretty certain that their (online) privacy isn't invaded (as long as they surf only European websites).

    --

    I have a photographic memory for numbers. I know almost a hundred of them.

  4. Re:Privacy-conscious search engines? by xaxa · · Score: 3, Informative

    Non-EU companies that trade in the EU are subject to the EU's laws.

    For example, Facebook was immune from investigation into what they were doing with personal data. They established a London office (to sell adverts to EU people) and then they were investigated.

    (Of course, Google could still keep the data of everyone else. It depends if it's easy for them to do this -- it probably is.)

  5. Re:Tracking and identifying a piece of data. by unlametheweak · · Score: 2, Informative

    How does this affect Google Groups, which archives the last ~20 years of Usenet messages? Doubtful it would have an effect, as:
    (1) It would be making a law retro-active (with respect to historical documents)
    (2) It is implicit in usenet that this information is being published and is made public (Ignorance is no excuse, one could say). Usenet is a public forum.

    IANAL of course, so who knows, but common sense and common knowledge of the way laws are enforced in the West leads me to believe that usenet should not be affected by data retention laws. I will emphasize: publishing to usenet means publishing your IP, email address, etc (however real they may be). The issues presented here are for people who do not intend (or even know) that their personal details will be kept. The significant difference being that in usenet you publish, but when doing a Web search there is no intent to publish.
  6. Re:Tracking and identifying a piece of data. by unlametheweak · · Score: 2, Informative

    I'll add one important factor that I missed. The laws in question are concerned with search data (and search engines), and not published data. In that respect, the WayBackEngine, or any Website could be affected; which seems quite ridiculous (and extremely over-reaching).

    I will be tactful in saying that there is some logic to your question (a bit naive from my perspective, I must admit), but I think such questions should be asked. Sometimes the best of us miss the obvious.

    Best regards,

    UTW