Out-Law News 3 min. read
28 May 2010, 11:47 am
The Article 29 Data Protection Working Party has also written to the chief executive of each company, calling on them to improve the protection of the online privacy of their users.
The Working Party is an independent advisory body without any direct powers of enforcement, but its members are the data protection authorities across the EU that do have enforcement powers.
"Besides limiting the retention period of personal data, measures [that the Working Party recommends] include a reduction of the possibility to identify users in the search logs and the creation of an external audit process to reassure users that you are delivering on your privacy promises, i.e. by involving an independent and external auditing entity," says the letter to each company.
The letters explain that a person's search history contains a footprint of that person's interests, relations, and intentions "and should rightly be treated as highly confidential personal data."
"Pursuant to the data protection directive the retention period should be no longer than necessary for the specific purposes of the processing, after which the data should be deleted," they say.
Each search engine operator previously undertook to anonymise the data they collect about searches but on different terms. In a formal opinion about search engines, published in 2008, the Working Party warned that such anonymisation must be complete. "Even where an IP [internet protocol] address and cookie are replaced by a unique identifier, the correlation of stored search queries may allow individuals to be identified," said that Opinion.
In response to that Opinion, Google vowed to anonymise IP addresses in its server logs after nine months by deleting the last octet of the IP address. The Working Party says that deleting the last octet "does not prevent identifiability of data subjects".
It also criticized Google for only anonymising cookies in its search engine logs after 18 months. "This would allow for the correlation of individual search queries for a considerable length of time," says the letter to CEO Eric Schmidt, dated 26th May. "It also appears to allow for easy retrieval of IP-addresses, every time a user makes a new query within those 18 months."
"Therefore WP29 cannot conclude your company complies with the European data protection directive," it said, adding that its "apparent lack of focus on privacy in this area is concerning."
Yahoo! had previously committed to anonymising its search logs after 90 days "with limited exceptions for fraud, security and legal obligations." That commitment included deleting full IP addresses, not just the last octet.
However, the Working Party's letter to Yahoo! says that "a partial deletion of the personal data contained in search logs does not constitute true anonymisation."
It also said that Yahoo! has not provided enough information about its techniques for anonymising user identifiers and cookies. "Therefore, WP29 cannot conclude your company complies with the European data protection directive," it told Yahoo! CEO Carol Bartz.
Microsoft had previously said that immediately after a search query it de-identifies cookies, that after six months it will delete the IP address associated with the search query and that after 18 months it will remove the de-identified cookie ID and any other remaining cross session-identifiers.
The letter to CEO Steve Balmer welcomes Microsoft's policy of deleting IP addresses completely after six months. "However, in order to be able to point to true privacy protection in this area, you should apply the same procedure to all cookies," it says.
"According to a technical paper describing the process of de-identification, you apply a de-identification procedure and hash to the cookies from registered users after 6 months, but you apparently retain the cookies of unregistered users for a period of 18 months," says the Working Party. "The word ‘anonymous ID’ does not seem to be adequate, since it still appears to allow for the cross-matching of search queries for a considerable length of time."
"Secondly, you have not provided enough information about the techniques of hashing to technically assess the quality of your anonymisation policy," says the Working Party. "Therefore, WP29 cannot conclude your company complies with the European data protection directive."
The Working Party has also written to the Federal Trade Commission, asking it to examine the compatibility of the search companies' behaviour with Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive acts of practices in the marketplace.
"We respectfully offer our assistance in any possible steps you might want to take in finding a constructive solution to protect the private life of everybody that conducts searches on the Internet," it says.
