Google privacy chief talks
OUT-LAW Radio, 05/07/2007
We hear why Google privacy chief Peter Fleischer thinks European
data protection officials should stop meddling with its search log
retention policies.
A text transcription follows.
This transcript is for anyone with a hearing impairment or who
for any other reason cannot listen to the MP3 audio file.
The following is the text spoken by OUT-LAW journalist Matthew
Magee.
Hello and welcome to OUT-LAW Radio, the weekly podcast that
keeps you up-to-date on all the twists and turns in the world of
technology law. Every week we bring you the latest news and
in-depth features that help you to make sense of the ever-changing
laws that govern technology today.
My name is Matthew Magee, and this week we have an exclusive
interview with a man at the centre of some of the most critical
privacy debates in the world. Google’s global privacy Counsel Peter
Fleisher.
But first, the news.
- Police search engineering firm for music piracy; and
- computer waste law comes into force.
Police and UK music industry body the BPI executed a search
warrant at engineering firm Honeywell this week amid allegations
that thousands of music files are being shared illegally on the
company’s computer system.
According to a BPI statement, an employee of the company’s
premises in Motherwell, Scotland reported illegal file sharing to
the trade body. A two month investigation followed and a number of
employees are reported to be assisting the police with their
enquiries. A report will be issued to the Procurator Fiscal
according to the BPI.
This is the first time that the BPI has investigated a company
on suspicion of digital music piracy in the workplace.
A spokeswoman for Honeywell told OUT-LAW: “Honeywell
considers copyright infringement a very serious matter and has
rigorous policies intended to prevent such activity taking place on
its premises. We will continue to fully cooperate with
investigators and with the BPI.”
Manufacturers, importers and retailers of domestic appliances,
IT equipment and gadgets face new legal duties to ensure the proper
disposal of old products. Key parts of the Waste Electrical and
Electronic Equipment Regulations came into force this week.
The legislation, derived from a European Directive was intended
to boost recycling instead of adding to landfill. Last year two
million tons of electrical waste was generated in the UK alone,
enough to fill the new Wembley Stadium six times over, according to
the new Department for Business Enterprise and Regulatory Reform,
which has taken over the responsibilities for the former Department
for Trade and Industry (DTI).
The Regulations came into effect in January and their provisions
have been phased in. As of this week, producers have to finance the
costs associated with the treatment, recovery and disposal of WEEE.
Take back duties also came into force on Sunday 1st July. Business
and household consumers buying electrical and electronic products
should be offered free take back of old products.
That was this week's OUT-LAW news.
Google’s influence on our online lives has become so pervasive
that the sprawling titan beings to make Microsoft look like your
local corner shop. It’s not just our search anymore but our e mail,
our chat software, our purchasing, our word processing and even how
we get from A to B: Google controls it all.
Google is the big guy now, and with this comes set of serious
responsibilities that the company must come to terms with. For
regulators and lawmakers Google and its policies are now target
number one, as the still young company is just finding out.
The latest spat centres on Google’s retention of the queries we
put into its search engine. The company, like all search companies
keeps that information plus data that could be used to identify
you, notably the internet protocol address from which the query was
made. It announced earlier this year that it would anonymise this
information after between 18 and 24 months, later reducing that to
18 months.
Despite the fact that the firm was voluntarily cutting down on
the retention time, the decision sparked an outcry amongst privacy
activists and data protection officials. The Article 29 working
party, a committee of Europe’s privacy watchdogs, wrote to the
company asking that it not keep logs for that long, and a very
public argument began. Google says that it has taken a balanced
approach, and that the data retention directive mandates keeping
data for up to two years. The working party disagrees: It says
that the directive only applies to communications data and not to
search terms at all.
The man at the centre of the controversy is Peter Fleischer,
Google’s global privacy Counsel. He told OUT-LAW Radio that
it is not yet clear whether or not the directive will apply.
Magee: The working party told us that in their view the
data retention directive doesn’t apply at all to search queries,
logs. What’s your view of that? Do you think it applies?
Fleischer: You know, my view is that we don’t know the
answer to that question yet and I’ve asked numerous outside counsel
across Europe and here’s what they’re telling me. Well, the first
is that you have to wait to have this implemented in legislation in
every single member state because one of the things that we know is
that the member states will implement the directive differently.
Each country has to decide what is an electronic communication
service provider and that will be decided differently from country
to country. And so we won’t know for sure until this process is
over.
The working party insists that the directive definitely does not
apply and has asked Google to anonymise data far earlier, but
Fleischer says that the issue is not even really any of the working
party’s business.
Fleischer: Remember the data retention directive comes out
of the security side of government, not out of the data protection
side. So, it’s interesting for me to hear what an official from the
data protection world thinks about data retention. But it’s like
asking somebody who works for the railway what they think of
airline regulation, it just not their field.
Strong words, well we asked the European Commissioner for
Justice, Freedom and Security, whether he intends that the
directive cover search queries. His office agreed with the data
protection officials that queries are not covered by the directive.
It also said that there are no plans to modify it so that it does
cover such material.
In the end the directive may not even be relevant, since
Fleischer said his company will pursue its own plans
regardless.
Fleischer: But I would point out that even if the data
retention directive were repealed tomorrow, our decision of the
factors that went in to the right period to retain server logs, the
decision to keep them for 18 months and then to anonymise them. It
will be the same decision even if data retention were repealed
tomorrow.
There is another potential privacy problem with Google’s search
query storage. If it keeps all this information and links it to an
IP address that could identify you, does it inform you clearly
enough that it’s doing this?
The data protection directive insists that data gathered about a
person is subject to what it calls ‘fair use’. A basic principle of
this is that a company tell you when it’s gathering data and what
it will use it for, usually in a privacy policy.
Google gathers certain data about you on its search front page,
yet there is no privacy policy linked to from there. What’s more,
when you do find a privacy policy, it does not list all the uses to
which Google will put the data.
Magee: Why is there not a link on the front page of Google?
So from the place where you put in your search query to the privacy
policy outlining all of these uses that the information is put
to?
Fleischer: Well, we have a very clear and transparent
privacy policy. I spent a lot of time focussing on it and how to
make it as clear and easy to understand as possible for our users.
Google has a very sparse homepage. It’s one of the things that
we’re very proud about. It’s kind of clean and zen-like. Last I
counted I think we had something like 35 words on our homepage. On
ours with only 35 words, we had to keep it very sparse. Now of
course we’re a search engine, so anybody who wants to see our
privacy policy can type Google privacy policy and, trust me, it
will come up as result number one. It’s not hard to find. We’re a
search company. We don’t believe in pushing things into people’s
face. We keep it easy and simple to find.
The search for it yourself argument is unlikely to cut a lot of
mustard with privacy experts, who will also point out that even if
you do find it, the privacy does not detail all the many uses for
your data that Fleischer listed in his letters to the Article 29
working party. He says he believes it does give enough
information.
Fleischer: We do, of course, say in our privacy policy that
we use these things to improve our service and that we use these
things to protect our service. So it’s all there. Now if your
question is: could we improve the language in certain ways? We’re
always trying to think about ways to improve the language. We’re
always trying to find ways to provide information in a clear and
comprehensible way for users. That’s an ongoing process and I think
every company should be focussing on that.
Struan Robertson is a technology lawyer with Pinsent Masons, the
law firm behind OUT-LAW. He says that the circumstances in which
Google will break data protection laws by having no front page link
are actually quite limited.
Robertson: If Google matches search queries to IP address
or to cookies, in order to identify individuals with particular
preferences, even if they are only doing that by using their search
habits and without knowing the person’s name, they need to display
a link to the privacy policy on their homepage as an absolute
minimum. Now I don’t know if Google is doing that when you don’t
have any account with Google. I know that when you do get an
account with Google, you are directed to a privacy policy. The
issue is whether what they’re doing when you don’t have an account
brings in this data protection issue. But if they’re just
displaying an ad, chosen solely according to single search query,
there is no privacy issue, there is no profile but if they’re
tailoring ads according to that person’s history of searches and
they create a profile about each searcher from that then the data
protection rules come into play. Commercially, I think, there’s
strong arguments why they should stick in a link to the privacy
policy on the homepage anyway. I think it gives users more
confidence and it would also help them to silence some of their
critics.
There is a major challenge here, and that is that Google wants
its search engine and indeed all of its services to be the same all
over the world. But every country has its own laws and demands. How
does it square that circle? Fleisher says it’s fairly
difficult.
Fleischer: As I talk to policymakers and regulators and
others, one of the things that I really stress is that the internet
is a global medium and the policies that companies implement and
the regulations that companies have to respect need to be thought
about in a global context. What we can’t do is implement completely
different policies in Belgium and Norway and Greece and so on. And
I think people understand that. That’s just the nature of the
internet.
Privacy, data retention and the anonymising of search logs are
just some of the issues which Google and the world’s lawmakers will
have will have to negotiate over in the coming years. On data
retention laws and whether they will apply to Google’s
controversial search logs, Fleischer says the picture is still not
clear, but that he is glad he raised the issue.
Fleischer: What I’m trying to do, is highlight for broader
discussion what exactly what will be the scope of our culpability
of the data retention to a company like Google and other companies
because I think its really unclear. I think there’s just a lot of
ambiguous things around that particular directive and more clarity
is needed.
That's all we have time for this week, thanks for listening.
Why not get in touch with OUT-LAW Radio? Do you know of a
technology law story? We'd love to hear from you on radio@out-law.com.
Make sure you tune in next week; for now, goodbye
OUT-LAW Radio was produced and presented by Matthew
Magee for international law firm Pinsent Masons
