Search engines and data protection
On 4.4.2008, the Article 29 Committee of Directive 95/46 issued an opinion on privacy issues on Internet search engines.
The latter have become an indispensable aid to Internet users as they provide guidance to the multitude of Internet information. Their functionality is thus very important when browsing the Internet, especially as they are incorporated as a toolbox in browsers, while the Google Chrome browser integrates their functions into the address bar.
But it is a fact that search engines can also act as a "backdoor" for violating personal data. That is why they are at the heart of her researchArticle 29 of Directive 95/46 / EC.
The Committee notes that Directive 95/46 on the protection of personal data also applies to the processing of data by search engine providers when they collect search data or, in particular, when providing caching or Internet user profiles .
However, Directive 2006/24 on data retention in search engines does not apply.
The relevant document analyzes extensively search engine services and the legal framework of data protection, and draws a number of conclusions. First of all, personal data must be collected and processed for legitimate reasons and, when it is no longer necessary, must be deleted or anonymized.
Data retention periods should be short and proportionate to the intended purpose. This also applies to cookies and flash cookies, for which users need to be updated. Attention is particularly drawn to the collection of additional data for users in order to create a profile. Users should be consulted for data processing.
Lastly, it should be noted that users should be given rights under the Directive (information, access, correction, etc.).
In particular, the conclusions of the opinion are as follows:
Applicability of EC Directives
1. The Data Protection Directive (95/46 / EC) generally applies to the processing of personal data by search engines even when their headquarters are outside the EEA.
2. Non-EEA based search engine providers should inform their users about the conditions under which they must comply with the Data Protection Directive, whether by establishment or by the use of equipment.
3. The Data Retention Directive (2006/24 / EC) does not apply to internet search engines.
Obligations on search engine providers
4. Search engines may only process personal data for legitimate purposes and the amount of data has to be relevant and not excessive in respect of the various purposes to be achieved.
5. Search engine providers must delete or anonymise (in an irreversible and efficient way) personal data once they are no longer necessary for the purpose for which they were collected. The Working Party calls for the development of appropriate anonymisation schemes by search engine providers.
6. Retention periods should be minimised and be proportionate to each purpose put forward by search engine providers. In view of the initial explanations given by search engine providers on the possible purposes for collecting personal data, the Working Party does not see a basis for a retention period beyond 6 months. However, national legislation may require earlier deletion of personal data. In case search engine providers retain personal data longer than 6 months, they must demonstrate comprehensively that it is strictly necessary for the service. In any case, the information about the data retention period chosen by search engine providers should be easily accessible from their homepage.
7. While search engine providers inevitably collect some personal data about the users of their services, such as their IP address, resulting from standard HTTP traffic, it is not necessary to collect additional personal data from individual users in order to be able to perform the service of delivering search results and advertisements.
8. If search engine providers use cookies, their lifetime should be no longer than demonstrably necessary. Similarly to web cookies, flash cookies should only be installed if transparent information is provided about the purpose for which they are installed and how to access, edit and delete this information.
9. Search engine providers must give users clear and intelligible information about their identity and location and about the data they intend to collect, store or transmit, as well as the purpose for which they are collected.
10. Enrichment of user profiles with data not provided by the users themselves is to be based on the consent of the users.
11. If search engine providers provide means to retain the individual search history, they should make sure they have the consent of the user.
12. Search engines should respect website editor opt-outs indicating that the website should not be crawled and indexed or included in the search engines’ caches.
13. When search engine providers provide a cache, in which personal data are being made available for longer than the original publication, they must respect the right of data subjects to have excessive and inaccurate data removed from their cache.
27 The Working Party recommends a layered model for privacy policy as described in the WP Opinion on More Harmonised Information Provisions
14. Search engine providers that specialise in the creation of value added operations, such as profiles of natural persons (so called ‘people search engines’) and facial recognition software on images must have a legitimate ground for processing, such as consent, and meet all other requirements of the Data Protection Directive, such as the obligation to guarantee the quality of data and fairness of processing.
Rights of users
15. Users of search engine services have the right to access, inspect and correct if necessary, according to Article 12 of the Data Protection Directive (95/46/EC), all their personal data, including their profiles and search history.
16. Cross-correlation of data originating from different services belonging to the search engine provider may only be performed if consent has been granted by the user for that specific service.
The latter have become an indispensable aid to Internet users as they provide guidance to the multitude of Internet information. Their functionality is thus very important when browsing the Internet, especially as they are incorporated as a toolbox in browsers, while the Google Chrome browser integrates their functions into the address bar.
But it is a fact that search engines can also act as a "backdoor" for violating personal data. That is why they are at the heart of her researchArticle 29 of Directive 95/46 / EC.
The Committee notes that Directive 95/46 on the protection of personal data also applies to the processing of data by search engine providers when they collect search data or, in particular, when providing caching or Internet user profiles .
However, Directive 2006/24 on data retention in search engines does not apply.
The relevant document analyzes extensively search engine services and the legal framework of data protection, and draws a number of conclusions. First of all, personal data must be collected and processed for legitimate reasons and, when it is no longer necessary, must be deleted or anonymized.
Data retention periods should be short and proportionate to the intended purpose. This also applies to cookies and flash cookies, for which users need to be updated. Attention is particularly drawn to the collection of additional data for users in order to create a profile. Users should be consulted for data processing.
Lastly, it should be noted that users should be given rights under the Directive (information, access, correction, etc.).
In particular, the conclusions of the opinion are as follows:
Applicability of EC Directives
1. The Data Protection Directive (95/46 / EC) generally applies to the processing of personal data by search engines even when their headquarters are outside the EEA.
2. Non-EEA based search engine providers should inform their users about the conditions under which they must comply with the Data Protection Directive, whether by establishment or by the use of equipment.
3. The Data Retention Directive (2006/24 / EC) does not apply to internet search engines.
Obligations on search engine providers
4. Search engines may only process personal data for legitimate purposes and the amount of data has to be relevant and not excessive in respect of the various purposes to be achieved.
5. Search engine providers must delete or anonymise (in an irreversible and efficient way) personal data once they are no longer necessary for the purpose for which they were collected. The Working Party calls for the development of appropriate anonymisation schemes by search engine providers.
6. Retention periods should be minimised and be proportionate to each purpose put forward by search engine providers. In view of the initial explanations given by search engine providers on the possible purposes for collecting personal data, the Working Party does not see a basis for a retention period beyond 6 months. However, national legislation may require earlier deletion of personal data. In case search engine providers retain personal data longer than 6 months, they must demonstrate comprehensively that it is strictly necessary for the service. In any case, the information about the data retention period chosen by search engine providers should be easily accessible from their homepage.
7. While search engine providers inevitably collect some personal data about the users of their services, such as their IP address, resulting from standard HTTP traffic, it is not necessary to collect additional personal data from individual users in order to be able to perform the service of delivering search results and advertisements.
8. If search engine providers use cookies, their lifetime should be no longer than demonstrably necessary. Similarly to web cookies, flash cookies should only be installed if transparent information is provided about the purpose for which they are installed and how to access, edit and delete this information.
9. Search engine providers must give users clear and intelligible information about their identity and location and about the data they intend to collect, store or transmit, as well as the purpose for which they are collected.
10. Enrichment of user profiles with data not provided by the users themselves is to be based on the consent of the users.
11. If search engine providers provide means to retain the individual search history, they should make sure they have the consent of the user.
12. Search engines should respect website editor opt-outs indicating that the website should not be crawled and indexed or included in the search engines’ caches.
13. When search engine providers provide a cache, in which personal data are being made available for longer than the original publication, they must respect the right of data subjects to have excessive and inaccurate data removed from their cache.
27 The Working Party recommends a layered model for privacy policy as described in the WP Opinion on More Harmonised Information Provisions
14. Search engine providers that specialise in the creation of value added operations, such as profiles of natural persons (so called ‘people search engines’) and facial recognition software on images must have a legitimate ground for processing, such as consent, and meet all other requirements of the Data Protection Directive, such as the obligation to guarantee the quality of data and fairness of processing.
Rights of users
15. Users of search engine services have the right to access, inspect and correct if necessary, according to Article 12 of the Data Protection Directive (95/46/EC), all their personal data, including their profiles and search history.
16. Cross-correlation of data originating from different services belonging to the search engine provider may only be performed if consent has been granted by the user for that specific service.
About Jhon Petter
No comments