As EU privacy regulators maintain their focus on search engines, Internet giant Google pushed for harmonisation of EU and global rules on data protection during the first meeting of a new European Commission expert group designed to review current legislation.
The main piece of EU legislation governing data protection at present is a directive adopted in 1995, when the Internet was in its infancy and many of today’s new technologies did not exist.
Despite the adoption of a new directive in 2002, aimed exclusively at controlling privacy in electronic media, the EU data protection regulatory landscape looks outdated and requires renewed examination.
However, views differ widely as to the precise orientation that the proposed review should take. National privacy regulators want to extend the concept of personal data to user information collected online. In particular, they insist that IP addresses should be considered private data because they allow profiles of Internet users to be drawn up by putting together their location and queries on search engines. Regulators will discuss the issue again on 10 December during the meeting of the Article 29 Working Party, which brings together all 27 privacy authorities.
Google, by far the world’s primary search engine and the one which relies on user data the most, argues that the information it gathers cannot be used to identify a person.
Indeed, personal data of Web users (their name linked to the IP address) is only held by Internet service providers, such as Tiscali or Belgacom. The problem is that public authorities can always request the disclosure of such information by issuing legal orders, as happened in the United States after 9/11, for example.
When state departments get their hands on such aggregated data, they access a mine of personal information and are able not only to identify a person, but also to find out about their interests and daily movements.
It is thus possible to consider IP addresses as personal data, however dormant such data may be. Google refuses to accept that there is a problem and argues that legal orders to hand over information can be rejected.
Morevorer, the American giant is arguing that the way forward must be harmonisation of EU and international rules, establishing a clearly defined framework under which legal orders can be issued and data can be disclosed.
Google will fight for EU rules to be modernised along these principles within the new Commission expert group, of which Google is one of five members together with chipmaker Intel, two lawyers and a representative of privacy authorities. “A European regulator for data protection would be the way forward,” said Google’s Peter Fleischer.
An intermediate solution might be to “improve the methods used to gather the consent of users” to collect their data, as requested by the group of EU privacy regulators. But Google opposes the idea of allowing users to give their explicit prior consent to use data which it does not recognise as personal.