Abstract
Nowadays, Internet users are depending on various search engines in order to be able to find requested information on the Web. Although most users feel that they are and remain anonymous when they place their search queries, reality proves otherwise. The increasing importance of search engines for the location of the desired information on the Internet usually leads to considerable inroads into the privacy of users. A heated debate is currently ongoing at European level regarding the question if search engine providers that are established outside the European Union are covered by the European data protection framework and the obligations it imposes on entities that process personal data. The scope of this paper is to examine the applicability of the European data protection legislation to non-EU-based search engine providers and to study the main privacy issues with regard to search engines, such as the character of search logs, their anonymisation and their retention period. Ixquick, a privacy-friendly meta-search engine, will be presented as an alternative to privacy intrusive existing practices of search engines.
Similar content being viewed by others
Notes
The so-called “chilling effect” refers to the concern that constitutionally protected freedom of information will be inhibited by the potential for individuals and authorities to engage in forms of post hoc surveillance of search data and may refrain users from searching, receiving and imparting information.
Under Article 29 of the Data Protection Directive, a Working Party on the Protection of Individuals with regard to the Processing of Personal Data is established, made up of the Data Protection Commissioners from the Member States together with a representative of the European Commission. The Working Party is independent and acts in an advisory capacity. The Working Party seeks to harmonize the application of data protection rules throughout the EU, and publishes opinions and recommendations on various data protection topics.
Actually the Directive refers not to the EU but to the European Economic Area (EEA). For the convenience of the reader, however, we refer to EU instead of EEA.
For the analysis that will follow, it is helpful to clarify that according to the European data protection legislation “data controller”, is the person or the authority, which alone or jointly with others “determines the purposes and means of the processing of personal data” [16].
Cookies are packets of information transmitted from a server to the web browser of users and are transmitted back to the server every time the user accesses a server’s page using the same browser.
Art. 6(1)(e) Data Protection Directive.
Registered users are the users who have created a specific user account. In these cases, consent may be used as the legitimate ground for the processing of certain well-specified categories of personal data for well-specified legitimate purposes, including retention of data for a limited period of time. Such consent cannot be construed for anonymous (unregistered users) [18].
Art 1(2) and 5(2) Data Retention Directive.
References
Nielsen Wire (2009) Top U.S. online search providers. May 2009. http://blog.nielsen.com/nielsenwire/online_mobile/top-us-online-search-providers-may-2009
Younger K (1972) Report of the committee on privacy (Cmnd. 5012, Her Majesty’s Stationery Office, London), p 178
Spanish Data Protection Agency (Agencia Española de Protección de Datos) (2007) Statement on internet search engines. http://tinyurl.com/dkopph. Accessed 01 Dec 2007
Church P, Kon GM (2007) Google at the heart of data protection storm. CLSR 23:461–465
28th International Data Protection and Privacy Commissioners’ Conference: Resolution on Privacy Protection and Search Engines, 02-03.11.2006, London United Kingdom (2006)
Steiner P (1993) On the internet, nobody knows you’re a dog. New Yorker 69(20):61
Pass G, Chowdhury A, Torgeson C (2006) A picture of search. The first international conference on scalable information systems, Hong Kong
Barbaro M, Zeller T Jr (2006) A face is exposed for AOL searcher No. 4417749. The New York Times (09 August 2006)
Privacy International (2007) A race to the bottom: privacy ranking of internet service companies—a consultation report. http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-553961 Accessed 09 June 2007
Bentham J (1995) The panopticon writings. In: Bozovic M (ed) Verso, London
Rochford M (2008) Designing for the social: avoiding anti-social networks. In: Presentation given at IA Summit, 14 Apr 2008 and UPA London, 24 Apr 2008. http://www.slideshare.net/rochford/designing-for-the-social-avoiding-antisocial-networks
Wood D (2006) A report on the surveillance society for the (UK) information commissioner. Surveillance Studies Network
Article 29 Working Party (2009, Press Release): Search engines, Brussels. http://ec.europa.eu/justice_home/fsj/privacy/news/docs/pr_12_02_09_en.pdf. Accessed 12 Feb 2009
International working group on data protection in telecommunications (IWGDPT): common position on privacy protection and search engines first adopted at the 23rd Meeting in Hong Kong SAR, China (15 April 1998)—revised and updated at the 39th meeting, 6–7 April 2006, Washington D.C.
Somers G (2008) Zoekmachines en privacy, Computerrecht, 6 p. 23 ff
European Parliament and the Council of the European Union (1995) Directive 1995/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive), O.J. L 281/31, 23 Nov 1995
Kuner C (2007) European data protection law—corporate compliance and regulation, 2nd edn. Oxford University Press, Oxford
Article 29 Data Protection Working Party (2008) Opinion on data protection issues related to search engines, WP 148, 04 Apr 2008
Fleischer P (2008) Response to the Article 29 Working Party opinion on data protection issues related to search engines, 08 Sep 2008
Article 29 Data Protection Working Party (2002) Working document on determining the international application of EU data protection law to personal data processing on the Internet by non-EU based web sites, WP56, 30 May 2002
Glasner J (2005) What search sites know about you. http://www.wired.com/politics/security/news/2005/04/67062
Bygrave L (2000) Determining applicable law pursuant to European data protection legislation. Comput Law Secur Rep 16:252–257
Search Log Sample: Google Appliance (2006) (http://rosenfeldmedia.com/books/searchanalytics/blog/ log_sample_google_appliance/)
Fry J (2006) Google’s privacy responsibilities at home and abroad. J Librariansh Inf Sci 38(3):135
European Parliament and the Council of the European Union (2006) Directive 2006/24/EC of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (Data Retention Directive), O.J. L105/54, 13.04.06
Helft M (2008) Yahoo limits retention of search data, NY Times.com. http://www.nytimes.com/2008/12/18/technology/internet/18yahoo.html?_r=1&ref=technology. Accessed 17 Dec 2008
Rottenberg M (2008) Executive director of the electronic privacy information center (EPIC), as quoted in Singel R. Yahoo to anonymize user data after 90 days. http://blog.wired.com/business/2008/12/yahoo-to-anonym.html Accessed 17 Feb 2008
Microsoft’s Privacy Principles for Live Search and Online Ad Targeting. http://tinyurl.com/ck9zq7, 23 July 2007
Meta-Search Engine Definition from Wikipedia at http://en.wikipedia.org/wiki/Metasearch_engine
Personal communication with John Borking on the evaluation report he prepared with Robert-Jan Dijkman on Ixquick, 20 January 2008
Ixquick’s Privacy Q&A, http://www.ixquick.com/uk/protect_privacy.html#q
Borking Consultancy (2009) Ixquick evaluation short public report (Recertification). http://tinyurl.com/bo7b43, 27 Jan 2009
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Kosta, E., Kalloniatis, C., Mitrou, L. et al. The “Panopticon” of search engines: the response of the European data protection framework. Requirements Eng 16, 47–54 (2011). https://doi.org/10.1007/s00766-010-0107-7
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s00766-010-0107-7