News : EU leaders clash with Google over the meaning of 'personal data'
With the EU crafting new laws governing how data collectors such as Google protect users' personal data, lawmakers there are clashing with US business leaders over how far that protection can and should extend.
A document currently being drafted by a group called the Article 29 Working Party (Art. 29) may extend the formal definition of "personal data" with regard to legal protections granted by the European Union government to its member states' citizens. Specifically, despite arguments by its own authors to the contrary, the document would extend the definition to include any kind of data that can be traced back to an individual.
The draft definition was the principal topic of a meeting yesterday of the Civil Liberties Committee of the European Parliament in Brussels, Belgium, made up of lawmakers from the states' respective governments. In attendance yesterday was Google's chief global privacy counsel, Peter Fleischer. Last May, Fleischer received a letter from Art. 29 Chairman and Germany's Federal Data Protection Commissioner Peter Schaar, suggesting that Google should amend its data retention policies not only to destroy the data it collects from Google users after 18 to 24 months, but its server logs as well, and perhaps even sooner.
"As you are aware, server logs are information that can be linked to an identified or identifiable person," Schaar wrote Fleischer last May (PDF available here), "and can therefore be considered personal data in the meaning of Data Protection Directive 95/46/EC. For that reason their collection and storage must respect data protection rules.
"The Article 29 Working Party is concerned that Google has so far not sufficiently specified the purposes for which server logs need to be kept," Schaar continued. "Taking account of Google's market position and ever-growing importance, [Art. 29] would like further clarification as to why this long storage period was chosen. [Art. 29] would also be keen to hear Google's legal justification for the storage of server logs in general."
While Fleischer and Google may have had an explanation in mind to present yesterday morning, the company apparently found itself faced with a head-on assault featuring submissions from the American Antitrust Institute regarding Google's planned merger with display ad services provider DoubleClick, as well as Art. 29's argument for expanding the draft to "any information related to an identified or identifiable natural person."
Art. 29 submitted several examples of data categories that would fall under this broader scope, including drug prescription data, video surveillance data, real estate evaluations, automobile warranty coverage data, employee telephone call logs, routing information for taxi cabs in which individuals may have ridden, minutes of public meetings, and references to individuals in online news stories. Next to last on Art. 29's list of examples of personal data that may deserve some type of legal protection is the IP address of computers an individual may have used.
American press sources seized upon the news this morning as though the meeting focused exclusively on the subject of IP addresses.
However, according to an EU government account of the meeting, a US Federal Trade Commission representative traveled all the way to Brussels to say the US doesn't really have a position on the matter one way or the other. And Google's Fleischer, according to the account, stated the ability of an IP address to reflect personal information "depended on the context and which personal information it reveals." His comments go to the heart of the original matter of whether Google, on account of its "market position and ever-growing importance," should be required by law to destroy its server logs after a year.
While there has been considerable disagreement with the notion that an IP address can be "pinned" to a person, especially since Internet users roam and addresses are still often assigned dynamically to short-term "lease" holders, Art. 29 cites evidence showing that individuals have been indicted for copyright violation and piracy, with IP addresses supplied by their ISPs as critical evidence pointing to their complicity.
"Especially in those cases where the processing of IP addresses is carried out with the purpose of identifying the users of the computer (for instance, by Copyright holders in order to prosecute computer users for violation of intellectual property rights)," reads a June 2007 Art. 29 opinion circulated yesterday (PDF available here), "the controller [the collector of the data] anticipates that the 'means likely reasonably to be used' [citing a 2000 opinion from a different working group] to identify the persons will be available e.g. through the courts appealed to (otherwise the collection of the information makes no sense), and therefore the information should be considered as personal data."
As the June 2007 opinion from the Article 29 Working Group goes on to say, there are many technical reasons why an IP address can't identify its user; it cites a borrowed computer in an Internet café as an example. But since the ISP for that computer probably doesn't know right offhand that it's in an Internet café, if a court requisitioned the data for the personal user of that computer, it would do so anyway. Therefore, the group concluded, "unless the Internet Service Provider is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side."
In other words, since an IP address doesn't provide enough information about itself to state whether it can or cannot be used to identify a user, and since courts will likely treat IP addresses as though they could do so, they should be treated as though they could.
It's worth noting here that the EU's official account of the meeting mis-defined the concept of the IP address, calling it "a 32-bit numeric address that serves as an identifier for each computer," perhaps confusing it with a MAC address but also neglecting to acknowledge the existence of IPv6.
According to the AP's account of yesterday's meeting, Google's Fleischer responded to these arguments by stating that Google uses IP addresses to discern what country a user is operating in, and to tailor its search results to that country of origin. "If someone taps in 'football' you get different results in London than in New York," Fleischer said.
But he also added that Google uses those addresses later in conducting traffic pattern research, in such a way, he argued, that individuals' privacy is not infringed.
"Non-aggregated data" is the final category on the Art. 29 list, and questions could arise as to whether Google's research qualifies as requiring legal protection, should the group's recommendations be adopted. The problem, Art. 29 wrote, is whether each datum used in the research sampling can somehow -- never mind how difficult it might be to do so -- be traced back to an individual source. "If the codes used are unique for each specific person," Art. 29 wrote, "the risk of identification occurs whenever it is possible to get access to the key used for the encryption. Therefore the risks of an external hack, the likelihood that someone within the sender's organization -- despite his professional secrecy -- would provide the key and the feasibility of indirect identification are factors to be taken into account to determine whether the persons can be identified taking into account all the means likely reasonably to be used by the controller or any other person, and therefore whether information should be considered as 'personal data.' If they are, the data protection rules will apply."
So with the broadening of the EU's data protection rules becoming a genuine possibility, and with opposition to the matter appearing to be limited to American corporations and almost indifferent US trade representatives, the question for Google and others becomes even murkier: Will it become illegal for any company that happens to be successful at its business to keep personally identifiable data in an online accessible location for longer than a year?