The company, which has come under fire for the volume of
information it gathers and keeps on users, has published a detailed
response to criticisms of its policies by the Article 29 Working
Party, the group of EU privacy regulators.
The company argues that EU law does not apply to its processing
of data because that processing is controlled by its US parent. One
data protection expert has called the argument "optimistic".
The dispute is over the records, or logs, of users' search
queries. Google keeps them and uses them, it says, to improve the
quality of search results, to fight fraud and to improve data
security.
The Working Party, though, has called for data to be deleted
after just six months. In a report published in April of this year
it said that companies keeping data for longer risked breaching
data protection laws based on the EU's Data Protection
Directive.
"If personal data are stored, the retention period should be no
longer than necessary for the specific purposes of the processing,"
said the Working Party's April report. "In view of the initial
explanations given by search engine providers on the possible
purposes for collecting personal data, the Working Party does not
see a basis for a retention period beyond 6 months."
Google has now said that EU laws do not apply to its retention
of search data, though. It has published a response to the Working
Party written by Peter Fleischer, the company's global privacy
counsel, in which he argues that EU data protection law is focused
on the 'controller' of the data, and that the controller in
Google's case is its US parent company, Google Inc.
"Google Inc must be regarded as the controller in connection
with the processing of users’ data irrespective of where the data
is collected or stored," said its response. "Accordingly, Google
Inc – as the parent company of all Google entities – has made a
commitment to ensuring that the privacy practices of Google are
globally consistent whilst locally compliant."
"If the collection, storage or analysis of search logs or any
other associated activity involving the processing of personal data
were carried out by one of the Google entities established in the
EEA [European Economic Area] in their capacity as controllers of
the information, that entity would be subject to EU data protection
law (i.e. the national data protection law of the territory where
it is based) in respect of that processing," said Google's
response.
"However, as evidenced above, the fact that a global search
engine provider, like Google, has legal entities formed under the
law of an EEA member state or branches located within the EEA does
not necessarily bring all data processing operations of that search
engine provider within the scope of application of EU law. For that
to happen, the EEA-based entity or branch of the search engine
provider must (a) be involved in the actual processing of personal
data, and (b) do so as a controller," it said.
Google said that local EU-based entities are likely to carry out
limited functions, and that those will be as a processor of data on
behalf of the US controller.
"Despite the fact that Google may have establishments within the
EEA, given the nature of the commercial activities being undertaken
in those establishments, they will not fall within the jurisdiction
of EU data protection law as far as the processing of Google users’
data is concerned," the company's response said.
William Malcolm, a data protection specialist at Pinsent Masons,
the law firm behind OUT-LAW.COM, said he doubted that these
arguments would find favour in court.
"It's an interesting legal argument although a little optimistic
from Google's perspective," he said. "The Article 29 Working Party,
national regulators and the courts are likely to interpret both the
Directive and local implementing legislation in such a way as to
ensure that they have jurisdiction over these issues in the
interests of protecting the citizens of EU countries."
"Google has substantial business operations across Europe and is
clearly established in many countries. This may well be enough for
the processing to fall subject to the Directive and local laws," he
said.
Google has also renounced one of its key arguments in favour of
keeping the logs. Fleischer had previously claimed that the EU's
Data Retention Directive forced it to keep details for between six
and 24 months. The Working Party said that this was not the case
because data retention laws only applied to telecoms firms.
"We agree with the Working Party that search logs are outside of
the scope of the Data Retention Directive," said Fleischer in
Google's just-published response document.
In July Google made another concession to privacy activists. It
agreed to publish a link to its privacy policy on its front page
after calls from regulators to do so.
As part of this week's announcement it also agreed to reduce the
length of time for which it retains a record of who used its search
engine for what purposes.
"Today, we're announcing a new logs retention policy: we'll
anonymize IP addresses on our server logs after 9 months," said the
company announcement by Fleischer, senior privacy counsel Jane
Horvath and software engineer Alma Whitten.
"We're significantly shortening our previous 18-month retention
policy to address regulatory concerns and to take another step to
improve privacy for our users," they said.
Though Google's response document claimed that EU law often did
not apply to it, it said that it wanted to meet EU data protection
requirements.
"Google Inc. may be subject to the national data protection laws
of the EU countries where its data centres are based due to its use
of equipment in those countries to store and process user data via
local data centres," it said. "Notwithstanding these legal, or
indeed legalistic, observations, Google is committed to complying
with EU data protection principles for the benefit of our users in
Europe."