The European Commission’s Article 29 Data Protection Working Party has released their long-awaited “Opinion on Data Protection Issues Related to Search Engines” (PDF), something I’ve debated here.
At first glance, it seems we’re in agreement that the Data Protection Directive applies to the processing of personal data by search engines. Here is the executive summary:
Search engines have become a part of the daily life of individuals using the Internet and nformation retrieval technologies. The Article 29 Working Party recognises the usefulness of search engines and acknowledges their importance.
In this Opinion the Working Party identifies a clear set of responsibilities under the Data protection Directive (95/46/EC) for search engine providers as controllers of user data. As providers of content data (i.e. the index of search results), European data protection law also applies to search engines in specific situations, for example if they offer a caching service or specialise in building profiles of individuals. The primary objective throughout the Opinion is to strike a balance between the legitimate business needs of the search engine providers and the protection of the personal data of internet users.
This Opinion addresses the definition of search engines, the kinds of data processed in the provision of search services, the legal framework, purposes/grounds for legitimate processing, the obligation to inform data subjects, and the rights of data subjects.
A key conclusion of this Opinion is that the Data Protection Directive generally applies to the processing of personal data by search engines, even when their headquarters are outside the EEA, and that the onus is on search engines in this position to clarify their role in the EEA and the scope of their responsibilities under the Directive. The Data Retention Directive (2006/24/EC) is clearly highlighted as not applicable to search engine providers.
This Opinion concludes that personal data must only be processed for legitimate purposes. Search engine providers must delete or irreversibly anonymise personal data once they no longer serve the specified and legitimate purpose they were collected for and be capable of justifying retention and the longevity of cookies deployed at all times. The consent of the user must be sought for all planned cross-relation of user data, user profile enrichment exercises. Website editor opt-outs must be respected by search engines and requests from users to update/refresh caches must be complied with immediately. The Working Party recalls the obligation of search engines to clearly inform the users upfront of all intended uses of their data and to respect their right to readily access, inspect or correct their personal data in accordance with Article 12 of the Data Protection Directive (95/46/EC).
UPDATE: Google’s Peter Fleischer reacts/responds to the report here.