EU

Data Retention, Protection, and Privacy

/ Christopher Parsons / 2 Comments

Data retention is always a sensitive issue; what is retained, for how long, under what conditions, and who can access the data? Recently, Ireland’s Memorandum of Understanding (MoU) between the government and telecommunications providers was leaked, providing members of the public with a non-redacted view of what these MoU’s look like and how they integrate with the European data retention directive. In this post, I want to give a quick primer on the EU data retention directive, identify some key elements of Ireland’s MoU and the Article 29 Data Protection Working Group’s evaluation of the directive more generally. Finally, I’ll offer a few comments concerning data protection versus privacy protection and use the EU data protection directive as an example. The aim of this post is to identify a few deficiencies in both data retention and data protection laws and argue that  privacy advocates and government officials to defend privacy first, approaching data protection as a tool rather than an end-in-itself.

A Quick Primer on EU Data Retention

In Europe, Directive 2006/24/EC (the Data Retention Directive, or DRD) required member-nations to pass legislation mandating retention of particular telecommunications data. Law enforcement sees retained data as useful for public safety reasons. A community-level effort was required to facilitate harmonized data retention; differences in members’ national laws meant that the EU was unlikely to have broadly compatible cross-national retention standards. As we will see, this concern remains well after the Directive’s passage. Continue reading

Fear, Uncertainty, Doubt and Google Corporation

/ Christopher Parsons

In recent months more and more attention has been directed towards Google’s data retention policies. In May of 2007 Peter Fleishcher of Google’s global privacy counsel established three key reasons for why his company had to maintain search records:

  1. To improve their services. Specifically, he writes “Search companies like Google are constantly trying to improve the quality of their search services. Analyzing logs data is an important tool to help our engineers refine search quality and build helpful new services . . . The ability of a search company to continue to improve its services is essential, and represents a normal and expected use of such data.”
  2. To maintain security and prevent fraud and abuse. “Data protection laws around the world require Internet companies to maintain adequate security measures to protect the personal data of their users. Immediate deletion of IP addresses from our logs would make our systems more vulnerable to security attacks, putting the personal data of our users at greater risk. Historical logs information can also be a useful tool to help us detect and prevent phishing, scripting attacks, and spam, including query click spam and ads click spam.”
  3. To comply with legal obligations to retrieve data. “Search companies like Google are also subject to laws that sometimes conflict with data protection regulations, like data retention for law enforcement purposes.” (Source)

Continue reading