Monday, January 15, 2007

Privacy Laws & Business Q&A on Search Queries

I'm a fan of Privacy Laws & Business. They publish a terrific International Newsletter.
They gave me permission to re-print here their Q&A on the privacy aspects of search queries, from Issue 84, October 2006.

Google’s privacy policy relates to many of its services. Peter Fleischer, the company’s
Privacy Counsel Europe, gives PL&B an insight into its approach. By Asher Dresner.
Question: Do you interpret any country’s data protection laws as meaning that search terms constitute personal data?
Answer: This is not a simple yes/no question. To answer it, you need to analyse both the source of a query and its content. Regarding the source, a query can be made either by a human being, or by a machine. The latter are sometimes called “bot” queries. Regarding the content, a query can be made on almost any topic that can be entered into a computer, such as words, numbers, even code strings. Some search queries may relate to an identifiable human being, eg, a query for “Bill Clinton”, and in that sense may constitute “personal data” about the data subject, which may or may not be subject to data protection laws. Most queries do not relate to an identifiable human being, such as a query for “weather in London”. In short, this is context-specific.
Question: Do you consider search terms to be personal data a) internally and b) externally? If so, do you have a policy for what you can and can’t do with search terms?
Answer: Our privacy policy governs how we handle “server logs”, which include the query text. Our FAQ explain the contents of those server logs:
Moreover, we have a policy never to share search queries with anyone outside of Google if they contain personally-identifiable information. For example, we post anonymous and statistical information about our searches on our site Zeitgeist:
Question: Under what circumstances would you authorise the release of search terms?
Answer: This would be governed by our Privacy Policy on “information sharing”:
Information sharing
Google only shares personal information with other companies or individuals outside of Google in the following limited circumstances: We have your consent. We require opt-in consent for the sharing of any sensitive personal information. We provide such information to our subsidiaries, affiliated companies or other trusted businesses or persons for the purpose of processing personal information on our behalf. We require that these parties agree to process such information based on our instructions and in compliance with this Policy and any other appropriate confidentiality and security measures. We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against imminent harm to the rights, property or safety of Google, its users or the public as required or permitted by law. If Google becomes involved in a merger, acquisition, or any form of sale of some or all of its assets, we will provide notice before personal information is transferred and becomes subject to a different privacy policy. We may share with third parties certain pieces of aggregated, nonpersonal information, such as the number of users who searched for a particular term, for example, or how many users clicked on a particular advertisement. Such information does not identify you individually.
Question: Do these circumstances differ in different countries or areas with different privacy laws?
Answer: Yes, because, as pursuant to the clause above, there are differences amongst countries with regards to: any applicable law, regulation, legal process or enforceable governmental request
Question: I understand that the information Google collects on users differs according to which Google product they are using (eg Google account, toolbar, Gmail, accelerator, etc). Could Google cross-reference this information with searches made from these products to find out who searched for what? For example, if a searcher has a Google account, can you identify which account a search term comes from (quite apart from the IP address)? If so, is this done, and under what circumstances?
Answer: From our Privacy Policy: Information you provide - When you sign up for a Google Account or other Google service or promotion that requires registration, we ask you for personal information (such as your name, e-mail address and an account password). For certain services, such as our advertising programs, we also request credit card or other payment account information which we maintain in encrypted form on secure servers. We may combine the information you submit under your account with information from other Google services or third parties in order to provide you with a better experience and to improve the quality of our services. For certain services, we may give you the opportunity to opt out of combining such information.
Question: If this information can be cross-referenced, under what circumstances would you authorise the release of search terms cross-referenced with the personal data users provided when they signed up to these services? For example if you had a US Justice Department request to release the search terms of all Google account holders whose sign-in name matched that of a terrorist suspect, would you release the terms?
Answer: As explained in our privacy policy, we will respect a valid legal order. The legal system has mechanisms to address/resolve questions relating to the specificity of the information being demanded.
Question: Does this situation differ in areas or countries with different privacy laws?
Answer: See answer to fourth question.
Question: If a resident of country A searches for something using a computer in country B, and their search term is stored in country C, which area’s privacy laws apply?
Answer: Resolving questions of jurisdiction in an international context is a complicated process, which takes into account numerous factors, such as the location of the person using the service, the location of the company providing the service, the location of the data, and other factors. Google’s Terms of Service are subject to the laws of the State of California, where Google is headquartered (see
Nonetheless, we are committed to being respectful of the laws of the various countries in which we do business.
Question: Do you have an internal policy governing what Google employees can do with search terms, and which employees have access to them? If so, would you please provide me with a copy of that policy?
Answer: Yes, we have a policy and a written confidentiality agreement which we require those employees to sign who have access to search terms (i.e., to server logs data). We do not share that externally.
Question: When a user of one of your services cancels the service (eg deletes their gmail account or uninstalls toolbar), for how long do you keep their personal data? Does this period differ according to the jurisdiction in which they are resident?
Answer: When a user terminates a Google service, the length of period that their personal data is retained will vary from one service to another, and depending on the type of information. For example, some types of personal data are retained for legal/tax/ accounting reasons, such as purchase records using our CheckOut service, and those retention periods are often dictated by applicable laws or regulatory practices. Other types of personal data, such as content that a user uploads to our service (such as Video) may remain on the service notwithstanding the cancellation of the user’s account. Other types of user personal data, such as the e-mails in a person’s Gmail account, should be deleted within a short period of time after the user closes his/her account. The retention periods do not currently differ according to the jurisdiction in which the user is resident, but it is possible that such changes will be made in the future.

No comments: