Four major search engine operators are scheduled to sit down at a plenary meeting next month with Article 29 Working Party to work through the findings of Art29WP’s Opinion of 4 April 2008.
The business model for search engines is to increase advertising revenues and refine search results and this is clearly best achieved by building up knowledge about the context of an individual search query. The question though is to what extent does this involve or create personal data and what are a search engine’s obligations, if any?
The Opinion clearly thinks they should be regulated. Art29WP’s view is that, even though an IP address may not be directly identifiable, other associated information is often available which can identify the user behind that IP address. Cookie unique IDs may also reveal further personal data. Unless an operator can establish “with absolute certainty” that data can’t be associated with users, they say caution should be taken and all such data must be treated as personal.
It further concluded that operators based outside of the EEA are still subject to European data protection laws if they make use of equipment for data processing in the territory of a Member State…and that this could include “a personal computer” (for example where cookies are used)!
Datonomy expects it to be a loooong meeting which many internet companies based outside of Europe and not just search engines should cross their fingers for in terms of outcome…..