Google slams EU data protection bodies

By Matt Chapman on Jul 9, 2007 1:28 PM
Filed under Security

Data protection and data retention two different things, claims search giant.

Google's global privacy counsel has stated that Europe's data protection bodies have no business worrying about data retention.

Peter Fleischer said during an interview on Out-Law.com radio that data retention is "just not their field".

The views of the Article 29 Working Party, which comprises Europe's privacy watchdogs, are " interesting", according to Fleischer, but data retention is "not up to them".

"The Data Retention Directive comes out of the security side of government, not the data protection side," he said.

"So it is interesting to hear what an official from the data protection world thinks about data retention. It is like asking somebody who works for the railroad what they think of airline regulation."

However, Jamie Cowper, European marketing director at encryption firm PGP Corporation, believes that data protection experts should have a voice in the data retention debate.

"If the information held by Google or other service providers and search engines can be used to identify an individual, and possibly abet a phishing scam or ID theft, it is important that the security and availability of the data is considered," he said.

"The growing number of data breaches demonstrates the need for companies properly to protect customer-related data, whether they are covered by data retention legislation or not."

The Office of the Commissioner for Justice, Freedom and Security has also weighed into the debate, insisting that the Data Retention Directive applies to public information, not search logs.

"Search engines are providers of information society services rather than public electronic communication services or networks, and are therefore outside the scope of the Directive," a spokeswoman told Out-Law.com.

Google said originally that it would store user search records for between 18 and 24 months, reducing that to 18 months following concerns from the Article 29 Working Party.

But, despite this climb down, Fleischer hinted that Google may pursue its own retention policy regardless of EU law.

"I would point out that our decision on the factors that went into the right period to retain server logs, the decision to keep them for 18 months and then to anonymise them, would be the same even if the Data Retention Directive were repealed tomorrow," he told Out-Law.com.