Data protection and data retention two different things, claims search giant.
The retention of search engine query data is a security matter and not one for Europe’s data protection officials, according to Google’s global privacy chief.
Peter Fleischer, Google’s top global privacy counsel, said data retention issues are of no concern to a European privacy watchdog group.
Speaking to weekly technology law podcast OUT-LAW Radio, Fleischer said it is interesting to hear the views of the committee of Europe’s privacy watchdogs the Article 29 Working Party, but that the matter is not up to them.
Remember the Data Retention Directive comes out of the security side of government, not the data protection side, said Fleischer. “So it is interesting to me to hear what an official from the data protection world thinks about data retention, but it is like asking somebody who works for the railroad what they think of airline regulation. It is just not their field.”
Google has been embroiled in controversy over the fact that it stores records of what users have searched for along with internet protocol addresses that could be used to identify the searcher.
Data protection and data retention occupy different parts of the overall online security picture. When the Article 29 Working Party in Europe expressed its concerns about data retention, Google shifted its retention policy to an 18 month period, after which it would anonymize the data.
Google said it had to keep the records because the Data Retention Directive demanded it, but as OUT-LAW.com recently revealed, the Article 29 Working Party said the Directive does not apply.
“The Data Retention Directive applies only to providers of publicly available electronic communications services or of public communication networks and not to search engine systems,” Philippos Mitletton, who works for the European Commission’s Data Protection Unit, which itself is represented on the Article 29 Working Party, told OUT-LAW.COM.
“Accordingly, Google is not subject to this Directive as far as it concerns the search engine part of its applications and has no obligations thereof,” he said.
However, Jamie Cowper, European marketing director at encryption firm PGP Corporation, believes that data protection experts should have a voice in the data retention debate.
“If the information held by Google or other service providers and search engines can be used to identify an individual, and possibly abet a phishing scam or ID theft, it is important that the security and availability of the data is considered,” he said.
“The growing number of data breaches demonstrates the need for companies to properly protect customer-related data, whether they are covered by data retention legislation or not.”
Fleischer said he believed the security part of European government was the relevant department, but even the Office of the Commissioner for Justice, Freedom and Security has also weighed into the debate, insisting that the Data Retention Directive applies to public information, not search logs.
“The Data Retention Directive only covers providers of public electronic communications services or networks and it does not therefore cover providers of information society services.”
“Search engines are providers of information society services rather than public electronic communication services/networks and are therefore outside the scope of the Directive,” a spokeswoman for the Commissioner for Justice, Freedom and Security told OUT-LAW.com.
“Moreover search queries are content, and not traffic or location data, and the Data Retention Directive does not cover content. The Commission has no plans to make search engines retain search queries,” she said.
Google said originally that it would store user search records for between 18 and 24 months, reducing that to 18 months following concerns from the Article 29 Working Party. But, despite this climb down; Fleischer hinted that Google may pursue its own retention policy regardless of EU law.
“I would point out that our decision on the factors that went into the right period to retain server logs, the decision to keep them for 18 months and then to anonymise them, would be the same even if the Data Retention Directive were repealed tomorrow,” he told Out-Law.com.