Page last updated at 17:36 GMT, Monday, 7 April 2008 18:36 UK

Search engines warned over data

By Darren Waters
Technology editor, BBC News website

Independent front page
Google has faced criticism in the past

Search engines should delete personal data held about their users within six months, a European Commission advisory body on data protection has said.

The recommendation is likely to be accepted by the European Commission and could lead to a clash with search giants like Google, Yahoo and MSN.

Google and MSN anonymise user data after 18 months, while Yahoo does the same after 13 months.

The body said search companies were not clear enough on data protection.

Google said its privacy policy "strikes the right balance" between privacy, security and innovation.

Peter Fleischer, Google's global privacy counsel, said in a statement: "Google takes privacy incredibly seriously; protecting our users' privacy is at the heart of all our products.

Search engine providers must delete or irreversibly anonymise personal data once they no longer serve the specified and legitimate purpose they were collected for
Article 29 Working Party report

"It is the reason we were the first company to commit to anonymising our search logs, and also why we dramatically shortened our preference cookie lifetime."

In a statement Yahoo said it was reviewing the details of the body's recommendations.

"We remain committed to striking the right balance between protecting user privacy, providing the most compelling online experience, meeting our legal obligations and preventing fraud," the firm said.

Many search engines currently collect and store information from each search query, holding information about the search query itself, the unique PC address (known as an IP number), and details about how a user makes their searches, such as the web browser that is being used.

Users who create an account with a search engine hand over more data to the firms, including search history. Some search engines also enrich personal data held on their users with information from third parties.

The report from the Article 29 Data Protection Working Party said search engine providers had "insufficiently explained" why they were storing and processing personal data to their users.

It said "search engine providers must delete or irreversibly anonymise personal data once they no longer serve the specified and legitimate purpose they were collected for".

The report said the personal data of users should not be stored or processed "beyond providing search results" if the user had not created an account or registered with the search engine.

The advisory body also said it preferred search engines did not collect and use personal data to serve personalised adverts unless the user had consented and signed up to the service.

Yahoo is one of the world's leading search engines

The body was set up to provide expert opinion to the European Commission and to make recommendations in the areas of personal data and privacy. The Commission usually adopts the recommendations the body makes.

The report also said search engines did not need to gather additional personal data, beyond the IP address of a machine being used, in order to deliver basic search results and advertisements.

It added: "Because many search engine providers mention many different purposes for the processing, it is not clear to what extent data are reprocessed for another purpose that is incompatible with the purpose for which they were originally collected."

It said search engines should not use personally identifiable data to improve their services or for accountancy purposes.

Personal data stored for security purposes should not also be used to improve services, the body recommended.

The report issued a set of obligations to search engines firms, including:

  • Search engines should get informed consent from users if they correlate personal data across different services, such as desktop search
  • Search engine providers must delete or anonymise (in an irreversible and efficient way) personal data once they are no longer necessary for the purpose for which they were collected
  • Personal data should not be held by search engines for longer than six months
  • In case search engine providers retain personal data longer than six months, they must demonstrate comprehensively that it is strictly necessary for the service
  • It is not necessary to collect additional personal data from individual users in order to be able to perform the service of delivering search results and advertisements
  • If search engine providers use cookies, their lifetime should be no longer than demonstrably necessary
  • Search engine providers must give users clear and intelligible information about their identity and location and about the data they intend to collect store or transmit, as well as the purpose for which they are collected

The report also warned that if search engines enriched personal data about users from third parties they could be breaking the law unless customers had given explicit consent.

It said users had the right to access, inspect and correct all the personal data about themselves held by search engines, including their profiles and search history.

'Illegal' ad system scrutinised
04 Apr 08 |  Technology
Google cuts data retention times
12 Jun 07 |  Technology
Google privacy policy 'is vague'
31 May 07 |  Technology
UK rapped on data retention law
24 Feb 06 |  Technology
Yahoo lukewarm on Microsoft bid
07 Apr 08 |  Business
Yahoo makes semantic search shift
14 Mar 08 |  Technology

The BBC is not responsible for the content of external internet sites

Has China's housing bubble burst?
How the world's oldest clove tree defied an empire
Why Royal Ballet principal Sergei Polunin quit


Americas Africa Europe Middle East South Asia Asia Pacific