Privacy & Information Security Law Blog

In a letter to the U.S. Federal Trade Commission dated May 26, 2010, the Article 29 Working Party expressed concerns regarding the retention and anonymization policies of Google, Yahoo! and Microsoft.  Specifically, the Working Party requested that the FTC examine the compatibility of the three search engine providers’ actions with provisions of Section 5 of the FTC Act which prohibits unfair or deceptive trade practices.

The Working Party’s request references individual letters sent to Google, Yahoo! and Microsoft, also dated May 26, 2010, in which the Working Party stated that Yahoo! and Microsoft had not provided sufficient information about their anonymization practices to allow the Working Party to assess the quality of their policies, and Google’s existing policies were insufficient to guarantee adequate anonymization.  As a result, the Working Party could not conclude that the three companies’ retention and anonymization policies complied with the EU Data Protection Directive.

These concerns were first raised in March 2008, when the Working Party issued a detailed Opinion about search engines (Opinion 1/2008 - WP 148), which attempted to clarify and harmonize specific obligations for search engine providers with respect to the EU Data Protection Directive.  The Opinion also highlighted the Working Party’s concerns over the sensitivity of personal data related to search queries and the treatment of such personal data by search engine operators.  It urged companies to review their retention policies and bring them in line with the recommended maximum period of six months.  Following various consultations with the service providers in February 2009, the companies pledged their commitment to reduce retention periods (with limited exceptions) and announced steps to improve their anonymization procedures.

The Working Party urged all three service providers to review their anonymization claims and make the process verifiable.  To this end, the Working Party strongly suggested the use of audit procedures involving external and independent auditors.

In addition to the letter to the FTC, the Working Party also sent a copy of the service providers’ letters to Commissioner Viviane Reding in an effort to contribute in a meaningful way to the development and better enforcement of adequate, transatlantic data protection principles.