EU Recommends Slashing Search Data Retention
Wayland writes "The European Union's Article 29 Working Group has completed its PDF report on data protection and search engines. The group recommends that search engines only be allowed to hold onto search data for six months. 'To hang onto data for longer, search engine operators will need to show that such data is "strictly necessary" to offer the service. Google and others have long said that they need to retain data in order to refine search results, prevent click fraud, and launch new services like spell check (which, in Google's case, was built from user search data). In addition, the data that is kept will need to be guarded more closely. The working group concluded that IP addresses could be used to identify individuals; if not by the search engine itself, then by law enforcement or after a subpoena.'"
Briefly, so long as data is personally identifiable you must show that you are not retaining it longer than necessary. If I summarise or analyse data and remove information which makes it personally identifiable - names, addresses, telephone numbers, email accounts - then it is not covered.
IMHO the US stands in need of a Data Protection Act, as an amendment to the Constitution. The present Administration seems to be looking for ways of keeping track of its citizens which avoid the Constitution. Technically in Europe it is probably illegal to send personal data via GMail - because it is exporting it to a country that does not meet European standards for personal data protection.
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
'Personal' information is any information that can be linked to a person. This can be an (IP-)address, phone number, birth date and other data that is generally seen as being personal, but also information like the URLs visited by a person, or the e-mails sent to a person. The 6 months start counting as soon as a system no longer absolutely needs the data for its day-to-day operation.
As an example, HTTP logs showing which IP address visited what URL can be retained for a maximum of 6 months. If you send out snail-mails to a bunch of subscribers, then you are obligated to delete the address of your subscriber at most 6 months after he unsubscribes (or after he dies). If you still need the personal data (e.g. you need people's addresses to be able to send them invoices as long as they still have a contract with your company) then you are of course allowed to store that data. It also means that any statistics that you need to make on customer-related data will have to be made before that data is deleted, and the statistics cannot contain any information which would allow them to be tied to a person.
Another part of the data protection law mandates that a person has to be informed of every storage of his personal data, and has the right to look into that data and update it if there are errors in it.
All in all, the law ensures that Europeans can be pretty certain that their (online) privacy isn't invaded (as long as they surf only European websites).
I have a photographic memory for numbers. I know almost a hundred of them.
Non-EU companies that trade in the EU are subject to the EU's laws.
For example, Facebook was immune from investigation into what they were doing with personal data. They established a London office (to sell adverts to EU people) and then they were investigated.
(Of course, Google could still keep the data of everyone else. It depends if it's easy for them to do this -- it probably is.)