EU mulls new measures to protect privacy on the Web


European institutions have a range of initiatives in store which could lead to the imposition of clearer limits for the conservation of personal information by useful but occasionally privacy-breaching Internet technologies such as search engines.

A range of privacy issues related to web usage are currently being investigated by data protection agencies across Europe (see our Links Dossier on internet security).

In December last year, the Spanish Data Protection Agency demanded a tougher stance against potential abuses in private data management. “It is necessary to limit the use and conservation of personal data,” reads a statement issued by the agency, which also defines the filtering of information for purposes other than virus and spam protection as “not in conformity with Spanish law”.

Google, the biggest worldwide search engine, filters its users’ emails to provide them with targeted ads. To show restraint, the IT giant recently announced plans to partially delete IP addresses from its database after 18 months and create automatically expiring cookies with a duration of just two years, instead of the current 30 years.

Search engines in the spotlight

At its next meeting on 18 February, the EU body which brings together the 27 national data protection agencies, the Article 29 Working Party, will examine the issue and possibly approve an opinion on privacy and search engines.

The debate raised by the proposed merger between two of the biggest Internet data controllers, Google and DoubleClick, and the recent tougher positions of some national authorities, particularly in Spain, may lead to a proposal for new restrictive measures.

Low awareness among citizens

In the coming weeks, the Commission will publish the results of a new EU-wide survey to monitor citizens’ attitudes toward privacy and data management. According to preliminary findings, an overwhelming majority consider public awareness about the issues to be low, but at the same time almost 75% of respondents say they are worried about leaving personal information on the Internet.

The Commission is well aware of the problems posed by citizens’ scanty knowledge of data protection laws and personal rights. Indeed, Brussels is aiming to increase funding for awareness-raising campaigns and technologies which improve privacy protection (see EURACTIV 5/12/2007).

Moreover, the traditional Internet is not the only sphere in which data protection issues are emerging. The so-called ‘Internet of things’ created by Radio Frequency Identification technologies (RFID) also raises privacy-related concerns (see EURACTIV 11/10/2006, and our Links Dossier on RFID). 

By March, the Commission will issue a document on the specific implications of RFID development. At the moment, discussions are underway as to whether it will be a binding regulation or a recommendation. In addition, the European institutions will this year discuss the proposal issued by the Commission in November 2007 to review the e-Privacy Directive. The European Data Protection Supervisor, an EU advisory body, issued a position on RFID in December.

The issue of low public awareness of the risks and the rights of personal data management is acknowledged by Commission Vice President and Justice and Home Affairs Commissioner Franco Frattini: "Data protection laws are designed to ensure that personal data is treated with the respect and care it deserves. But legal rights and protections are only useful if people know that they exist, and [know] how they can invoke their rights," he said in a recent speech.

"We are determined to make sure that the existing legal framework is properly applied, and that everyone, and in particular those that are handling data, is aware of their rights and obligations," Frattini added.

"The majority of people think that what is done on the Internet is much more private than it actually is," according to the representatives of BEUC, the European consumer organisation.

"The requirements on transparency on the collection/processing of personal data exist. There is no new territory here, only faster technology," reads a position paper issued by FEDMA, the Federation of European Direct & Interactive Marketing. At the same time, the paper acknowledges that "there is always more that can be done to ensure that consumers know where to find information about their rights and how their data may be used".

However, the concept of private data itself remains under scrutiny. "There is no black or white answer: sometimes an IP address can be considered as personal data and sometimes not, it depends on the context, and which personal information it reveals," said Google Global Privacy Counsel Peter Fleischer at a hearing organised by the European Parliament in January.

Existing EU legislation foresees that "data that identifies individuals must not be kept longer than necessary". This vague provision allows data controllers to store personal information for long periods, and often for purposes not fully in line with European rules.

Search engines may store personal data such as queries posed by users, IP addresses or cookies, sometimes for months or even years. In some cases, this information is also used to provide targeted advertising.

In exchange, internet users receive free and useful services, but are often unaware that their personal data is being used and stored. A Eurobarometer poll, to be published in the coming weeks, reveals that 82% of European citizens consider the level of public awareness about personal data protection in their country to be low.

  • 18 March 2008: Meeting of the Article 29 Working Party. An opinion on privacy and search engines is on the table.
  • In the coming weeks, the Commission will publish the complete figures of a recent Eurobarometer poll on citizens and data protection.
  • By March 2008, the Commission will issue a document on privacy and RFID.
  • In 2008, legislative procedures will continue regarding a Commission proposal to review the e-Privacy Directive. 
