Wednesday, June 13, 2007

Google not covered by the Data Retention Directive

In the next stage of Google's saga, the Data Retention Directive 2006/24/EC does not cover search engine logs. According to Out-Law news:

Google is not bound by the Data Retention Directive when it comes to search engine logs, Europe's data protection committee has said. Google has used the Directive to justify keeping data, but OUT-LAW has learned that the law does not apply. Google has come under increasing pressure in Europe to anonymise its server data, but the company says that it will wait until 18–24 months have passed before anonymising. Among its reasons for this was the Data Retention Directive. However, a senior European data protection official told OUT-LAW today that Google cannot rely on that law as justification for its retention. "The Data Retention Directive applies only to providers of publicly available electronic communications services or of public communication networks and not to search engine systems," said Philippos Mitletton. Mitletton works for the European Commission's Data Protection Unit, which itself is represented on the Article 29 Working Party, the committee of Europe's data protection authorities." Accordingly, Google is not subject to this Directive as far as it concerns the search engine part of its applications and has no obligations thereof," he said. Google offers other services that will be caught by the Directive – notably its email service, Gmail, and its internet telephony
service, Google Talk. If Google's search function were caught by the Directive, it could alarm operators of any site with a search function – i.e. most large websites – because potentially they would be similarly caught and therefore need to store details of every search conducted and the addresses of the computers that instruct each search.

Whilst this provides clarity over the scope of the Data Retentions Directive, one should not forget that we have the Data Protection Directive 95/46/EC (DPD) that applies to the automated processing of personal information and to a lesser extent manual files (if it can be shown that it formed part of a filing system such as card indexes) and the Directive on Privacy and Electronic Communications 2002/58/EC (complementing the DPD). For more on this, visit the European Commission, FSJ website at

See also:

No comments: