EU leaders clash with Google over the meaning of 'personal data'

With the EU crafting new laws governing how data collectors such as Google protect users' personal data, lawmakers there are clashing with US business leaders over how far that protection can and should extend.

A document currently being drafted by a group called the Article 29 Working Party (Art. 29) may extend the formal definition of "personal data" with regard to legal protections granted by the European Union government to its member states' citizens. Specifically, despite arguments by its own authors to the contrary, the document would extend the definition to include any kind of data that can be traced back to an individual.

The draft definition was the principal topic of a meeting yesterday of the Civil Liberties Committee of the European Parliament in Brussels, Belgium, made up of lawmakers from the states' respective governments. In attendance yesterday was Google's chief global privacy counsel, Peter Fleischer. Last May, Fleischer received a letter from Art. 29 Chairman and Germany's Federal Data Protection Commissioner Peter Schaar, suggesting that Google should amend its data retention policies not only to destroy the data it collects from Google users after 18 to 24 months, but its server logs as well, and perhaps even sooner.

"As you are aware, server logs are information that can be linked to an identified or identifiable person," Schaar wrote Fleischer last May (PDF available here), "and can therefore be considered personal data in the meaning of Data Protection Directive 95/46/EC. For that reason their collection and storage must respect data protection rules.

"The Article 29 Working Party is concerned that Google has so far not sufficiently specified the purposes for which server logs need to be kept," Schaar continued. "Taking account of Google's market position and ever-growing importance, [Art. 29] would like further clarification as to why this long storage period was chosen. [Art. 29] would also be keen to hear Google's legal justification for the storage of server logs in general."

While Fleischer and Google may have had an explanation in mind to present yesterday morning, as the company apparently found itself faced with a head-on assault featuring submissions from the American Antitrust Institute regarding Google's planned merger with display ad services provider DoubleClick, as well as Art. 29's argument for expanding the draft to "any information related to an identified or identifiable natural person."

Art. 29 submitted several examples of data categories that would fall under this broader scope, including drug prescription data, video surveillance data, real estate evaluations, automobile warranty coverage data, employee telephone call logs, routing information for taxi cabs in which individuals may have ridden, minutes of public meetings, and references to individuals in online news stories. Next to last on Art. 29's list of examples of personal data that may deserve some type of legal protection is the IP address of computers an individual may have used.

American press sources seized upon the news this morning as though the meeting focused exclusively on the subject of IP addresses.

However, according to an EU government account of the meeting, a US Federal Trade Commission representative traveled all the way to Brussels to say the US doesn't really have a position on the matter one way or the other. And Google's Fleischer, according to the account, stated the ability of an IP address to reflect personal information "depended on the context and which personal information it reveals." His comments go to the heart of the original matter of whether Google, on account of its "market position and ever-growing importance," should be required by law to destroy its server logs after a year.

While there has been considerable disagreement with the notion that an IP address can be "pinned" to a person, especially since Internet users roam and addresses are still often assigned dynamically to short-term "lease" holders, Art. 29 cites evidence showing that individuals have been indicted for copyright violation and piracy, with IP addresses supplied by their ISPs as critical evidence pointing to their complicity.

"Especially in those cases where the processing of IP addresses is carried out with the purpose of identifying the users of the computer (for instance, by Copyright holders in order to prosecute computer users for violation of intellectual property rights)," reads a June 2007 Art. 29 opinion circulated yesterday (PDF available here), "the controller [the collector of the data] anticipates that the 'means likely reasonably to be used' [citing a 2000 opinion from a different working group] to identify the persons will be available e.g. through the courts appealed to (otherwise the collection of the information makes no sense), and therefore the information should be considered as personal data."

Next: Those pesky dynamic IP addresses get in the way of the law