16May
It's a surprise to find G****e resorting to the anti-EU rhetoric that's been the calling card of the British tabloid press for the past twenty years. Yet that is the advertising agency's ludicrous explanation for retaining user searches for two years. The behemoth grumbles,
G****e may be subject to the EU Data Retention Directive, which was passed last year [1], in the wake of the Madrid and London terrorist bombings [2], to help law enforcement in the investigation and prosecution of "serious crime". The Directive requires all EU Member States to pass data retention laws by 2009 with retention for periods between 6 and 24 months. Since these laws do not yet exist, and are only now being proposed and debated, it is too early to know the final retention time periods, the jurisdictional impact, and the scope of applicability.
[1] December 2005. Not 2006.
[2] The proposal was first mooted in early 2001, some months before the plane crashes in New Amsterdam, and years before the explosions in Madrid and London.
Here's the rub, and we'll put it in nice, friendly, large letters:
The Data Retention Directive does not apply to search engine queries
Article 5.13 makes it as clear as can be:
This Directive relates only to data generated or processed as a consequence of a communication or a communication service and does not relate to data that are the content of the information communicated.
(Emphasis ours.) The company may have to retain the fact that it was contacted at such-and-such a time, by such-and-such an IP address, for whatever service (web, email, FTP....). But it won't have to retain or reconstruct the page it was asked for, or anything like that. The DRD explicitly excludes search engine queries, the content of emails, the content of files uploaded and downloaded.
That's not to say that authoritarian governments such as those in France or the UK might attempt to use the DRD as cover for their data fishing exploits - indeed, the UK government has already assumed powers far in excess of those in the Directive (but that is another argument). In the absence of actual legislation to the contrary, it is most prudent to assume that the status quo will remain.
It is, of course, cheering to hear that G****e is prepared to respect this piece of European legislation. Will they, we innocently wonder, also be respecting the Data Protection Directive, which insists that data may be kept for no longer than is necessary for the purposes for which the data were collected and that personal data shall be processed in accordance with the rights of data subjects? Because if they do, then we might be able to send something to G****e's email provision and not have it interrogated in order to display commercials. We know of no-one else who does not have a G****e email address, never mind who takes a principled stand and refuses to send to them.
Previously: we compared G****e's privacy policy against the Data Protection Directive, and pointed out the areas where it came up short.
