Monday, April 07, 2008

Data Protection and Search Engines - The Article 29 Working Party Weighs In

The Article 29 Working Party has issued its long-awaited Opinion on Data Protection Issues Related to Search Engines. This is a substantial document and will need close consideration, but some highlights spring out and are worth excerpting.

The WP confirms that the Data Retention Directive (contrary to what has been claimed by some) does not apply to search engines:
Search engine services in the strict sense do not in general fall under the scope of the new regulatory framework for electronic communications of which the ePrivacy Directive is part. Article 2 sub c of the Framework Directive (2002/21/EC), which contains some of the general definitions for the regulatory framework, explicitly excludes services providing or exercising editorial control over content:
"Electronic communications service" means a service normally provided for remuneration which consists wholly or mainly in the conveyance of signals on electronic communications networks, including telecommunications services and transmission services in networks used for broadcasting, but exclude services providing, or exercising editorial control over, content transmitted using electronic communications networks and services; it does not include information society services, as defined in Article 1 of Directive 98/34/EC, which do not consist wholly or mainly in the conveyance of signals on electronic communications networks;
Search engines therefore fall outside of the scope of the definition of electronic communication services.

A search engine provider can however offer an additional service that falls under the scope of an electronic communications service such as a publicly accessible email service which would be subject to ePrivacy Directive 2002/58/EC and Data Retention Directive 2006/24/EC.

Article 5(2) of the Data Retention Directive specifically states that “No data revealing the content of the communication may be retained pursuant to this Directive”. Search queries themselves would be considered content rather than traffic data and the Directive would therefore not justify their retention. Consequently, any reference to the Data Retention Directive in connection with the storage of server logs generated through the offering of a search engine service is not justified.

Consent cannot be implied in the case of anonymous users:
Consent cannot be construed for anonymous users of the service and the personal data collected from users who have not chosen to authenticate themselves voluntarily. These data may not be processed or stored for any other purpose than acting upon a specific request with a list of search results.

The "necessary for the performance of a contract" exception will seldom be available:
Processing may also be necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. This legal basis may be used by search engines to collect personal data that a user voluntarily provides in order to sign-up for a certain service, such as a user account. This basis may also be used, similar to consent, to process certain well-specified categories of personal data for well-specified legitimate purposes from authenticated users. Many internet companies also argue that a user enters into a de facto contractual relationship when using services offered on their website, such as a search form. However, such a general assumption does not meet the strict limitation of necessity as required in the Directive.

Personalised advertising raises particular problems:
Search engine providers that wish to provide personalised advertising in order to increase their revenues, may find a ground for the legitimate processing of some personal data in Article 7 (a) of the Directive (consent) or Article 7 (b) of the Directive (performance of a contract) but it is difficult to find a legitimate ground for this practice for users who have not specifically signed in based on specific information about the purpose of the processing. The Working Party has a clear preference for anonymised data.

Search engines may not store information purely on the basis that it may be useful in later criminal proceedings:
Law enforcement authorities may sometimes request user data from search engines in order to detect or prevent crime. Private parties may also try to obtain a court order addressing a search engine provider to hand over user data. When such requests follow valid legal procedures and result in valid legal orders, of course search engine providers will need to comply with them and supply the information that is necessary. However, this compliance should not be mistaken for a legal obligation or justification for storing such data solely for these purposes. Moreover, large amounts of personal data in the hands of search engine providers may encourage law enforcement authorities and others to exercise their rights more often and more intensely which in turn might lead to loss of consumer confidence.

A maximum retention period of six months is permissible, and users must be informed in advance:
In practice, the major search engines retain data about their users in personally identifiable form for over a year (precise terms vary). The Working Party welcomes the recent reductions in retention periods of personal data by major search engine providers. However, the fact that leading companies in the field have been able to reduce their retention periods suggests that the previous terms were longer than necessary. In view of the initial explanations given by search engine providers on the possible purposes for collecting personal data, the Working Party does not see a basis for a retention period beyond 6 months...

In case search engine providers retain personal data longer than 6 months, they will have to demonstrate comprehensively that it is strictly necessary for the service. In all cases search engine providers must inform users about the applicable retention policies for all kinds of user data they process.

Update: Lilian Edwards has more on the Opinion, including the problems it poses for people search services.

Thursday, April 03, 2008

Filter or Else! Music Industry Sues Irish ISP

I've written a short update for the Society for Computers and Law on the music industry litigation against Eircom. Excerpt:
The music industry in Ireland started its campaign against peer-to-peer downloading and uploading in 2003/2004 when it started an education and awareness campaign. That campaign included national advertising aimed at end-users and specific warnings addressed to intermediaries such as companies and universities, as well as instant messages sent to users who were uploading particular songs.

In 2005 the music industry changed tack and brought the first action before the Irish courts (EMI and ors. v Eircom and ors. [2005] 4 IR 148) seeking to identify 17 individuals alleged to be illegally file-sharing. In that case the High Court granted disclosure of these identities under the Norwich Pharmacal [1974] AC 133 jurisdiction. Two further applications were made to the High Court in 2006 and 2007, identifying some 99 users in all. However, despite the significant publicity which these actions received, they do not appear to have any more than a short-term effect in deterring Irish users from sharing music.

At this point, and in line with the strategies pursued by the industry body IFPI elsewhere, the music industry in Ireland appears to have decided to shift the focus of its attention from the end-user towards the intermediary, and in particular towards seeking to compel ISPs to police the behaviour of their users.

The full text is available on the SCL site (no subscription required).