Internet search engines should not Keep Personal Data More Than Six Months

Posted by Benjamin Nicolau, eBAM Lawyers

Among the main issues addressed in the Opinion of the Article 29 Working Party, and as pointed out in the AEPD previous report on search engines, it reflects the need to limit the period of data retention, which currently stands at large Seekers for periods ranging from 13 to 18 months, once the information is no longer necessary for the purposes of the service, such as improved service, system security or fraud prevention.

In this sense, the European Authorities believe that the retention periods have not been reduced enough and the GT29 states that should be limited to a maximum period of 6 months.

The Working Group Article 29 does not see a legal basis for data retention over 6 months. Should search engines retain data for longer periods, they must demonstrate comprehensively that it is necessary to enable the service. However, national laws may require shorter retention periods.

Furthermore, in relation to user data processed and retained the report states Seekers 2 roles:

- As service providers: try a lot of personal data, or data is provided by users to actively enroll in a service or generated by the use of their services, such as IP addresses or search histories, including data generated by technical means such as cookies.

At this point the GT Opinion 29, notes that the search engines do not sufficiently explain the nature and purpose of these operations to users.

- As content providers Seekers help make information more accessible. While search engines are not responsible for this information, the GT29 out that by pooling information from several types of the same person, search engines can make a profile with an increased risk that if the information is scattered, and can affect especially to people if the data are incorrect, incomplete or excessive.

Given these circumstances, the Working Group stated in its Article 29 report, besides the need to limit the retention period, the following

conclusions:

• The Data Protection Directive generally applies to the processing of personal data by search engines even if their core businesses are outside Europe.

• Seekers should only collect personal data for legitimate purposes and the amount of data collected provided and not excessive in relation to the purpose.

• Directive 2006/24/EC on data retention does not apply to the Seekers.

• Search engines should delete or irreversibly anonymize a data once they no longer serve the purpose for which they were collected.

• It also establishes that if the Internet search engines use cookies your life should not be longer than necessary, and these should be installed only if it offers clear information on the purpose for which they were installed and how to access, edit and delete the information.

• Internet search engines should provide users with clear and understandable information about their identity and location data and try to collect, store or transmit as well as the purpose for which they were collected.

• Users of the search engines should be entitled to access, inspect and correct all personal information including profiles and search history.

It also states that Member States may include the right of citizens opposed to treatment "for legitimate reasons of their own particular situation? (Considering also that the laws governing society services information empower competent authorities to take measures necessary to interrupt the service or to remove the infringing data).

• The enrichment of the profiles of the users whose data was not provided by the users themselves must be based on the consent of users.

• When a search using a "cache?, In which personal data are made available for longer than the original publication, must respect the right of users to eliminate excessive and outdated data.

• The correlation data of registered users of different search services can only be accomplished by ensuring the user's consent for each service. The diversification of the profiles of users with data that they have not contributed only be based on consent and clear information.

Working Party Article 29

The Working Group Article 29, is the advisory group that brings together the Data Protection Authorities of Member States, which issues opinions and views on different matters submitted to it and which necessarily must rule on all regulatory proposals European affecting the right to protection of personal data.

To carry out this review the Group has carried out a study on privacy and data retention of the major Internet search engines worldwide.