The EC Strikes Back
It goes by the rather bureaucratic name of “Working Party set up under Article 29 of Directive 95/46/EC.” Its suggestions don’t have the force of law. But anyone ignoring its Opinion does so at their own peril.
“A key conclusion of this Opinion is that the Data Protection Directive generally applies to the processing of personal data by search engines, even when their headquarters are outside the EEA…” means that the EC is likely to impose the provisions of the Data Protection Directive on even the US-based search engines such as Google and Yahoo and hold them to the responsibilities of data controllers.
The Working Party refers to its earlier Opinion of June 2007 to re-affirm that “unless the Internet Service Provider is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side.” In other words, IP addresses are personal information and therefore the full weight of data protection laws applies. Google was, as one would expect, quick to defend its practices.
The Working Party covered a broad swath of issues, saying it expects search engines, among other things, to:
- Use personal data- ranging from search query histories to IP addresses and unique cookie identifiers- only for “legitimate purposes”
- Destroy and anonymise that data when it’s no longer legitimately useful
- Inform users about data collection and storage practices
- Set cookies to have a lifetime “no longer than demonstrably necessary”
- Dissociate a user’s IP address or other identifier from his or her stored search queries
- Allow users to see whatever “personal data” is being stored about them, whether it be their past search queries or other data “revealing their behaviour or origin”
- Respect Web site operators’ desires to opt out of having their properties crawled, indexed, and cached through use of mechanisms like the robots.txt file or the Noindex/NoArchive tags
- Do more to prevent personally identifiable information- such as Social Security numbers, credit card numbers, telephone numbers, and e-mail addresses- from creeping into search results
This could become a big deal…with huge implications for both search engines and people.