Article 29 WP asks more data protection from search engine operators

By EDRi · June 2, 2010

This article is also available in:
Deutsch: [Artikel 29-Gruppe fordert mehr Datenschutz von Suchmaschinenbetreibern |]

In a letter addressed to the three big IT companies Google, Yahoo and
Microsoft on 26 May 2010, the EU independent group of privacy regulators
Article 29 Working Party (WP29) shows concerns related to data protection
issues and urges the companies to improve online privacy.

The group’s letter explains that a person’s search history contains a
footprint of that person’s interests, relations, and intentions “and should
rightly be treated as highly confidential personal data” and calls for the
limitation of the retention period of personal data, a reduction of the
possibility to identify users in the search logs and the creation of an
audit process involving an independent, external auditing entity.

WP29’s action comes following the analysis of the answer received from the
search engine operators after WP29 issued an opinion in March 2008 in which
it was explaining the specific obligations for search engine providers in
terms of the EU data protection directive.

The opinion of WP29 was addressing the risks of incomplete anonymisation of
the users. “Even where an IP address and cookie are replaced by a unique
identifier, the correlation of stored search queries may allow individuals
to be identified.”

Google committed to anonymise IP addresses in its server logs after nine
months by deleting the last octet of the IP address but WP29 believes that
this measure “does not prevent identifiability of data subjects”. After
analysing Google’s answer, WP29 welcomed the company’s commitment to a
reduced retention period but strongly suggested that it should review its
policy in order to “bring it into line with the recommended period of a
maximum of 6 months” of the European data retention law. “Pursuant to the
data protection directive the retention period should be no longer than
necessary for the specific purposes of the processing, after which the data
should be deleted,” said the recent letter.

Another criticism to Google is that the company retains cookies for a period
of 18 months. “This would allow for the correlation of individual search
queries for a considerable length of time. It also appears to allow for easy
retrieval of IP-addresses, every time a user makes a new query within those
18 months.” WP29 concludes that the company does not comply with the
European data protection directive.

Yahoo! had committed to anonymising its search logs after 90 days “with
limited exceptions for fraud, security and legal obligations” and to
deleting full IP addresses, not just the last octet but WP29 reached the
conclusion that “a partial deletion of the personal data contained in search
logs does not constitute true anonymisation.” The letter also expressed the
concern that the company hadn’t provided enough information related to its
techniques of anonymising users’ identifiers and cookies. And concluded that
Yahoo! did not comply with the European data protection directive either.

Microsoft’s commitment was to de-identify cookies immediately after a search
query, to delete the IP address associated with the search query after six
months and to remove the de-identified cookie ID and any other remaining
cross session-identifiers after 18 months. WP29 however believes that all
cookies should be deleted after six months. “According to a technical paper
describing the process of de-identification, you apply a de-identification
procedure and hash to the cookies from registered users after 6 months, but
you apparently retain the cookies of unregistered users for a period of 18
months,” says the letter adding that the word “anonymous ID” is not quite
appropriate as it seems to allow for the cross-matching of search queries
for a rather long time. “Secondly, you have not provided enough information
about the techniques of hashing to technically assess the quality of your
anonymisation policy,” says WP29 concluding that Microsoft does not comply
with the European data protection directive either.

The group sent a copy of the letter to the US Federal Trade Commission and
asked the US body to verify the behaviour of the three companies in terms
of the Federal Trade Commission Act which prohibits unfair or deceptive
acts of practices in the marketplace.

A copy of the letter was also sent to Viviane Reding, vice-president of the
European Commission responsible for justice, fundamental rights and

Article 29 Working Party letters related to search engine operators

Data protection watchdogs escalate complaints against search engines

Internet search engines scolded by EU regulators (27.05.2010)