Since the AOL incident, there has been a lot of discussion in privacy circles about the storage of search string data. The discussions generally focus on the time period during which such data is retained by the service provider, and whether or not data protection concepts should limit that time period. I have seen almost no discussion about whether or not the Data Retention Directive will require search string data it to be retained. So, again, we are seeing a conflict between data protection and data retention requirements. Here are a few thoughts.
What does a search engine like Google collect when a user conducts a search? Google explains this on its site:
“4. What are server logs?
Like most Web sites, our servers automatically record the page requests made when users visit our sites. These "server logs" typically include your web request, Internet Protocol address, browser type, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser.
Here is an example of a typical log entry where the search is for "cars", followed by a breakdown of its parts:
220.127.116.11 - 25/Mar/2003 10:15:32 - http://www.google.com/search?q=cars - Firefox 1.0.7; Windows NT 5.1 - 740674ce2123e969
• 18.104.22.168 is the Internet Protocol address assigned to the user by the user's ISP; depending on the user's service, a different address may be assigned to the user by their service provider each time they connect to the Internet;
• 25/Mar/2003 10:15:32 is the date and time of the query;
• http://www.google.com/search?q=cars is the requested URL, including the search query;
• Firefox 1.0.7; Windows NT 5.1 is the browser and operating system being used; and
• 740674ce2123a969 is the unique cookie ID assigned to this particular computer the first time it visited Google. (Cookies can be deleted by users. If the user has deleted the cookie from the computer since the last time s/he visited Google, then it will be the unique cookie ID assigned to the user the next time s/he visits Google from that particular computer). “
So, every time a user conducts a search, a so-called “server log” is collected by the search engine. How does the new Data Retention Directive apply to this?
In 2006, the EU passed the Data Retention Directive, which obligates certain types of network operators to retain certain types of data for mandatory periods, in order to make them available on request to law enforcement agencies. The Directive applies to “providers of publicly available electronic communications services” and “public communications networks”, but these terms are interpreted differently in the various Member States that have to implement the Directive, which gives rise to questions of interpretation. For example, in France and Italy, it is expected that the implementation of the Directive will apply to Internet cafes, bars, restaurants, hotels, and airports, to the extent that they provide services such as public Internet terminals. On the other hand, preliminary discussions in other Member States, such as Germany and Spain, indicate that they are likely to adopt a narrower interpretation which will include only entities that directly provide telecommunications and Internet access services.
So, it is possible that data retention requirements could also apply to a search engine operator such as Google in certain Member States. Given the ubiquity of Internet search engines, it is hard to believe that law enforcement authorities may not at some point turn to a search engine operator to request personal data in order to fulfill some law enforcement interests. While the Data Retention Directive does not specifically mention search string data, it does require the retention of certain types of data about the user’s Internet connection (sometimes called “traffic data”) that can be so closely intertwined with search string data that it may be nearly impossible to separate them.
The Directive gives the EU Member States the option of requiring retention of the data between six and twenty-four months, and in exceptional cases even longer. Not all Member States have so far implemented the Directive, but the implementations that have so far been enacted, and the legislative proposals for implementation, indicate that many Member States are likely to select a mandatory retention period of at least one year, or even longer. For instance, in The Netherlands, a retention period of 18 months has been proposed, while legislation and proposals in the Czech Republic, France, Spain and the UK set it at one year. The length of these periods indicate that personal data may need to be kept for a substantially longer period than data protection rules may imply. In addition, the US Department of Justice has called for a two-year mandatory data retention proposal.
The differing approaches to the retention of search engine data under data protection law and data retention law demonstrate the tension between these two areas, and also show that the retention of search engine data must be judged under both of them. This is hardly the first example of a conflict between data retention and data protection, but it deserves more discussion in the context of search.