European Data Protection Officials Warn Google
Data protection officials from 27 European countries have warned Google it is storing data on people's searches for too long -- but Europe's top privacy guardian, the European Data Protection Supervisor Peter Hustinx, believes Google's efforts to respect the privacy of European citizens in its Internet search software "is not just window dressing."
His comments at a conference in Amsterdam on Thursday come a week after the data protection officials wrote to the company, expressing concerns that the company could be breaching European laws by holding on to details about people's Internet searches for too long.
The officials from each of the 27 member states of the European Union sit on a Europe-wide data protection committee called the Article 29 Working Group, which is chaired by Hustinx.
The group has asked Google to justify why it needs to retain the data for up to two years, and whether the company has "fulfilled all the necessary requirements" on data protection.
European Justice and Home Affairs Commissioner Franco Frattini said Friday that the questions posed in that letter are "legitimate."
But speaking on the sidelines of a data protection conference in Amsterdam, which Google's global privacy chief Peter Fleischer was also attending, Hustinx played down the inquiry.
"I see a company which has very powerful tools, thinking about integrating privacy solutions -- that's the big picture," he said.
Google's efforts to respect people's privacy "isn't just window dressing, but we will hold them to what they are saying," he added.
His comments came directly after Fleischer made a presentation explaining how Google's personal search function works. Users can opt in to this more refined search tool, using a log-in identity and password. Once they have done so, the search engine takes their Internet searching history into consideration when picking results for new searches.
For example, if you have been searching for cars recently and you tap in the search term "golf", the results will focus on cars of that model rather than on the sport, Fleischer explained.
Users of the personalized search function can delete searches they made in the past, in order to prevent them influencing the search results they get in future, Fleischer added.
By allowing people to opt in to the personalized search function and by giving them the ability to customize their search history, Google was respecting people's privacy, Fleischer said.
Google stores information about all searches, both personalized and normal, he said, but details of normal searches can't be linked to an individual.
"Google does have the information but it can't link it to you," he said.
In the past, Fleischer has said that the company needs to keep details of people's searches for security reasons, to help guard against hacking.
Information about people's searches can also help track criminal activity such as child porn rings, but security agencies are mainly interested in the information Google stores on the users of its e-mail service, Gmail, he said.
The police aren't interested in the information about people's general searches, he said. He declined to comment on whether details about subscribers to the personalized search function had been accessed by the authorities.
European data protection law limits the amount of time companies can hold on to personal data gleaned from electronic networks to the amount of time the information is required for billing purposes. The law was written mainly with fixed and mobile phone technology in mind, but it also applies to data gathered from Internet searches.
Fleischer said the law, passed in 1995 when Google hadn't been born, is totally out of date and he urged European lawmakers to update it to take account of new technologies.
"The technical architecture has changed a lot since 1995, even though the basic principles of privacy still apply. The time has come to re-think some of this process," he said.
In particular, the way the law deals with international transfers of data has to be reviewed, he said. Europe has one of the toughest data protection regimes in the world. The law forbids the passing of personal information about European citizens to other parts of the world with more lax data protection regimes.
The U.S. is considered to offer inferior data protection, so companies operating on both sides of the Atlantic have to sign complicated get-out clauses in order to pass information about their staff or customers to offices in the U.S.
"The Internet is all about international transfers," Fleischer said. He wants the different parts of the world to cooperate in order to create a single approach to data protection "We as a company have a single approach to privacy right across the world. We can't run a system that has different privacy levels for, say Google.com and the Dutch site Google.nl -- that would be crazy.
"So if we can do it why can't policymakers?" he asked.
He called for a global privacy treaty. "It will be complicated and will probably take a decade, but the technology of the internet has been a wake-up call for policymakers that this is needed. We need to start talking now. We in the industry have to start the debate," he said.