You may not have heard of the Article 29 Data Protection Working Group,
a collaboration between all the
information and data protection watchdogs within the European Union. But you
will have heard of the internet company with which it has been doing battle for
the past few months: Google.
The world’s largest search engine kick-started a debate about internet
privacy back in May, when it announced what it described as “improvements” to
its policies on holding personal information about its customers. The
announcement related to Google’s server logs, the information a browser
sends back to Google when somebody visits a site.
The company said its new policy, to be implemented within the next year,
would be to make its records about users’ searches anonymous after 18 to 24
months. At present, the search engine retains a log of every search
indefinitely, including information such as the unique computer address,
browser type and language which could be traced back to a particular computer.
It may also include the specific search request and its time and date.
Maintaining anonymity
Under the new policy, server logs would still be retained, but would be
“anonymised” so that they could not be matched with individual users. Although
the move towards anonymisation could be seen as a step in the right direction,
many privacy campaigners felt it did not go far enough. And their hackles were
raised further when Eric Schmidt, Google’s chief executive, told delegates at a conference
the same month: “The goal is to enable Google users to be able to ask the
question, such as, ‘What shall I do tomorrow?’ and ‘What job shall I take?’
“We are very early in the total information we have within Google. The
algorithms [software] will get better, and we will get better at
personalisation.”
Peter Schaar, chair of Article 29, says Google’s approach raises a number of concerns.
“One of the main principles of international data protection is that data should
not be stored for a longer period than necessary,” he says. “So the question is,
why does a company need this data for a service that is free? What is the
purpose of the storage?”
Schaar, who is also Germany’s federal commissioner for freedom of
information, put these concerns in a letter to Peter Fleischer of Google’s
global privacy law team back in May. “Taking account of Google’s market position
and ever-growing importance, the Article 29 Working Party would like
further clarification as to why this
long storage period was chosen,” he wrote. “The Working Party would also be keen
to hear Google’s legal justification for the storage of server logs in general.”
In his response, Fleischer argued that retaining server logs for up to two
years was both “proportionate” and “necessary” to improve the quality of its
services for customers, protect both the company’s systems and customers from
fraud and abuse, and, ironically, comply with possible data-retention
requirements. He wrote: “Clearly, some period of retention is necessary. A
policy of immediate deletion would not serve the interests of our users and
would breach many of our legal and ethical obligations to protect our users and
their data, and our company records and our systems.” He added that a period of
18 to 24 months “has a sound legal and practical basis, and strikes the right
balance”.
However, Fleischer appears to have taken on board at least some of
Article 29’s concerns and announced Google’s intention to drop
the period after which users’ details are made anonymous to 18 months, rather
than between 18 and 24 months.
Schaar told IWR that while the move was a step in the right direction, it did
not go far enough. “I welcome this,” says Schaar. “It is an improvement, but
this is not the end. Why does a search engine need the data after it has
answered the search request? There is no need to trace the request. We would
prefer the data to be deleted or anonymised after the first use by default.”
The Article 29 chair acknowledges there are obligations for internet access
providers to store the data of internet users, mainly so that law enforcement
agencies and those working on behalf of the music industry can trace any illegal
activity back to an individual user. But he argues that search engines such as
Google are not obliged to store such information, and that there are very real
dangers if they continue to do so.
“The purpose of data protection law is that every individual has a right of
self determination, so he or she can decide how much third parties know about
their interests and personal information,” Schaar explains. “Every internet
search is very sensitive, and the more they record, the more sensitive it
becomes. You have a profile of when [a person] works, from which network or
private access provider.
You know about his interests, health problems and searches. If you put this
together with an individual’s other data, perhaps collected for the provision of
different services, you could combine this and build quite a detailed profile.”
The Article 29 Working Group is the EU’s independent advisory body on data
protection and privacy. It was set up in October 1995 under Article 29 of
Directive 95/46/EC, which seeks to harmonise rules within the EU on “the
protection of individuals with regard to the processing of personal data and the
free movement of such data”. The group is tasked with the balancing act of
removing potential obstacles to the flow of information between member states on
one hand, while also protecting individuals’ personal data on the other.
Article 29 meets five times a year, once every two months, with a break
during the summer. It also works with non-EU countries and produces regular
reports on international data protection issues. All 27 nations within the EU
have a legal obligation to send representatives to the working group, in most
cases their information or data protection commissioner, or a representative
from that department.
Because of the long gaps between meetings, much of the group’s work takes
place in subgroups on a range of topics, which meet more frequently, conduct the
necessary research and draft guidance, or an “opinion”, which is then circulated
among members for comment. More formal discussion takes place at the plenary
meetings, where agreement is sought from all 27 commissioners before an opinion
can be adopted. “By then it’s usually a yes because we are working on a topic
that’s in our interests,” says Emma Butler, manager of the UK Information
Commissioner’s international team, who frequently attends the group’s meetings
alongside the information commissioner, Richard Thomas, or his deputy, David
Smith.
“It’s such a collaborative process that by the time an opinion reaches the
meeting it has taken into account everybody’s view so that it won’t cause
problems for any one country. The aim is to get to a general opinion that
represents the view of the data protection commissioners of Europe,” Butler
says.
Recent opinions include guidelines on the agreement by the EU to pass on
information about air passengers to the US Department of Homeland
Security; the use of biometric data; the
processing of health records; and the use of personal data by multinational
companies. Although Article 29 does not have the legal powers to enforce its
guidance, it does appear to be taken seriously. One information expert, who does
not want to be named, says: “Its opinions are treated seriously by EU
institutions, but perhaps less seriously by national governments when it comes
to vital interests such as security. But practitioners in the field of data
protection, and the lawyers who advise them, do listen.”
Butler agrees. “The opinions aren’t legally binding, but they are the opinion
of a group of experts, so it’s going to be a pretty solid opinion,” she says.
“It’s going to be good practice and good business sense to look at it and make
sure [you are working] along the right lines. While all the laws on data
protection within Europe come from the European directive, there are differences
in terms of implementation because of the differences in national laws. People
need to be able to do business across borders, which is why we are working
towards harmonisation. We don’t want to make life any more complicated by having
27 different approaches.”
The fact that the members of Article 29 are commissioners with legislative
powers in their home countries, and enjoy the co-operation of their various
data-protection authorities, is a major reason for their ability to get things
done.
But dealing with multinationals such as the £77bn Google may be more of a
challenge. Even after its concession to Article 29’s concerns, Google still
retains identifiable information about its customers for up to a year and a
half. While Google has pledged to limit its use of sensitive information (a
commitment that may be stretched by its purchase of advertising targeting
company DoubleClick), privacy campaigners fear that the retention of such
information leaves the way open for law enforcement agencies and other bodies to
demand information that could identify users.
According to the World Privacy Forum, in 2005 the US Department of Justice subpoenaed, or
tried to compel, search engine companies Google, Yahoo, MSN and AOL to hand over
tens of millions of users’ search queries. While Google successfully fought the
request, and was able to limit the information it supplied, it is not known how
much data the other companies supplied.
The following year, AOL published about 20 million search queries from more than half a
million of its users on the internet. Reporters from a US newspaper were able to
identify a user from the search queries, and other experts have identified
others.
The cookie crumbles
As well as retaining server logs, Google also collects a range of other
information about the people that
use its services, from the details customers provide when they sign up for a
Google account to the “cookies” (small files) sent to their computers to
identify an individual browser, a situation that has led the London-based
campaigning group Privacy International to label it “an endemic threat to
privacy”.
Equally worrying, internet experts have pointed out that the anonymisation
that Google has committed to is only partial, and that a determined
technician could still re-identify data at a later date.
Other search engines also store personal data, albeit for different periods
of time and under different conditions. An investigation of the five leading
search engines by CNET News.com in August found a varied picture. As the only search
engine that said it did not record what users type into its search engine,
Ask.com was the most protective of privacy. It also said it did not engage in
behavioural targeting, the practice of offering advertisements based on
previous searches. Microsoft said it “permanently and irreversibly” splits
users’ internet addresses and cookies from the search terms after 18 months, but
Microsoft does engage in behavioural targeting, while Google does not. Yahoo and
AOL were similarly mixed.
A standard approach
Article 29 is determined to address such divergent approaches. One of its
subgroups, the internet taskforce, is compiling a questionnaire for all the
major search engines. Schaar is clear that whether they are based in Europe or
not, search engine companies must comply with EU data protection standards. In
the case of Google, which has data processing centres in Ireland and the Netherlands,
this is particularly pertinent. “This is not just a Google question,” says
Schaar. “It’s a general question about data privacy on the internet. Our general
principle is to minimise the amount of personal data stored by internet
companies. We are not against improving services by collecting data, but the
question is how far it can be identifiable. We don’t want to get into a
situation where data could be sold on, or used to profile individuals.”