Skip to main content
SpringerLink
Log in

The “Panopticon” of search engines: the response of the European data protection framework

  • Digital Privacy
  • Published:
Requirements Engineering Aims and scope Submit manuscript

Abstract

Nowadays, Internet users are depending on various search engines in order to be able to find requested information on the Web. Although most users feel that they are and remain anonymous when they place their search queries, reality proves otherwise. The increasing importance of search engines for the location of the desired information on the Internet usually leads to considerable inroads into the privacy of users. A heated debate is currently ongoing at European level regarding the question if search engine providers that are established outside the European Union are covered by the European data protection framework and the obligations it imposes on entities that process personal data. The scope of this paper is to examine the applicability of the European data protection legislation to non-EU-based search engine providers and to study the main privacy issues with regard to search engines, such as the character of search logs, their anonymisation and their retention period. Ixquick, a privacy-friendly meta-search engine, will be presented as an alternative to privacy intrusive existing practices of search engines.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

Notes

  1. The so-called “chilling effect” refers to the concern that constitutionally protected freedom of information will be inhibited by the potential for individuals and authorities to engage in forms of post hoc surveillance of search data and may refrain users from searching, receiving and imparting information.

  2. Under Article 29 of the Data Protection Directive, a Working Party on the Protection of Individuals with regard to the Processing of Personal Data is established, made up of the Data Protection Commissioners from the Member States together with a representative of the European Commission. The Working Party is independent and acts in an advisory capacity. The Working Party seeks to harmonize the application of data protection rules throughout the EU, and publishes opinions and recommendations on various data protection topics.

  3. Actually the Directive refers not to the EU but to the European Economic Area (EEA). For the convenience of the reader, however, we refer to EU instead of EEA.

  4. For the analysis that will follow, it is helpful to clarify that according to the European data protection legislation “data controller”, is the person or the authority, which alone or jointly with others “determines the purposes and means of the processing of personal data” [16].

  5. Cookies are packets of information transmitted from a server to the web browser of users and are transmitted back to the server every time the user accesses a server’s page using the same browser.

  6. Art. 6(1)(e) Data Protection Directive.

  7. Registered users are the users who have created a specific user account. In these cases, consent may be used as the legitimate ground for the processing of certain well-specified categories of personal data for well-specified legitimate purposes, including retention of data for a limited period of time. Such consent cannot be construed for anonymous (unregistered users) [18].

  8. Art 1(2) and 5(2) Data Retention Directive.

References

  1. Nielsen Wire (2009) Top U.S. online search providers. May 2009. http://blog.nielsen.com/nielsenwire/online_mobile/top-us-online-search-providers-may-2009

  2. Younger K (1972) Report of the committee on privacy (Cmnd. 5012, Her Majesty’s Stationery Office, London), p 178

  3. Spanish Data Protection Agency (Agencia Española de Protección de Datos) (2007) Statement on internet search engines. http://tinyurl.com/dkopph. Accessed 01 Dec 2007

  4. Church P, Kon GM (2007) Google at the heart of data protection storm. CLSR 23:461–465

    Google Scholar 

  5. 28th International Data Protection and Privacy Commissioners’ Conference: Resolution on Privacy Protection and Search Engines, 02-03.11.2006, London United Kingdom (2006)

  6. Steiner P (1993) On the internet, nobody knows you’re a dog. New Yorker 69(20):61

    Google Scholar 

  7. Pass G, Chowdhury A, Torgeson C (2006) A picture of search. The first international conference on scalable information systems, Hong Kong

  8. Barbaro M, Zeller T Jr (2006) A face is exposed for AOL searcher No. 4417749. The New York Times (09 August 2006)

  9. Privacy International (2007) A race to the bottom: privacy ranking of internet service companies—a consultation report. http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-553961 Accessed 09 June 2007

  10. Bentham J (1995) The panopticon writings. In: Bozovic M (ed) Verso, London

  11. Rochford M (2008) Designing for the social: avoiding anti-social networks. In: Presentation given at IA Summit, 14 Apr 2008 and UPA London, 24 Apr 2008. http://www.slideshare.net/rochford/designing-for-the-social-avoiding-antisocial-networks

  12. Wood D (2006) A report on the surveillance society for the (UK) information commissioner. Surveillance Studies Network

  13. Article 29 Working Party (2009, Press Release): Search engines, Brussels. http://ec.europa.eu/justice_home/fsj/privacy/news/docs/pr_12_02_09_en.pdf. Accessed 12 Feb 2009

  14. International working group on data protection in telecommunications (IWGDPT): common position on privacy protection and search engines first adopted at the 23rd Meeting in Hong Kong SAR, China (15 April 1998)—revised and updated at the 39th meeting, 6–7 April 2006, Washington D.C.

  15. Somers G (2008) Zoekmachines en privacy, Computerrecht, 6 p. 23 ff

  16. European Parliament and the Council of the European Union (1995) Directive 1995/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive), O.J. L 281/31, 23 Nov 1995

  17. Kuner C (2007) European data protection law—corporate compliance and regulation, 2nd edn. Oxford University Press, Oxford

    Google Scholar 

  18. Article 29 Data Protection Working Party (2008) Opinion on data protection issues related to search engines, WP 148, 04 Apr 2008

  19. Fleischer P (2008) Response to the Article 29 Working Party opinion on data protection issues related to search engines, 08 Sep 2008

  20. Article 29 Data Protection Working Party (2002) Working document on determining the international application of EU data protection law to personal data processing on the Internet by non-EU based web sites, WP56, 30 May 2002

  21. Glasner J (2005) What search sites know about you. http://www.wired.com/politics/security/news/2005/04/67062

  22. Bygrave L (2000) Determining applicable law pursuant to European data protection legislation. Comput Law Secur Rep 16:252–257

    Article  Google Scholar 

  23. Search Log Sample: Google Appliance (2006) (http://rosenfeldmedia.com/books/searchanalytics/blog/ log_sample_google_appliance/)

  24. Fry J (2006) Google’s privacy responsibilities at home and abroad. J Librariansh Inf Sci 38(3):135

    Article  Google Scholar 

  25. European Parliament and the Council of the European Union (2006) Directive 2006/24/EC of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (Data Retention Directive), O.J. L105/54, 13.04.06

  26. Helft M (2008) Yahoo limits retention of search data, NY Times.com. http://www.nytimes.com/2008/12/18/technology/internet/18yahoo.html?_r=1&ref=technology. Accessed 17 Dec 2008

  27. Rottenberg M (2008) Executive director of the electronic privacy information center (EPIC), as quoted in Singel R. Yahoo to anonymize user data after 90 days. http://blog.wired.com/business/2008/12/yahoo-to-anonym.html Accessed 17 Feb 2008

  28. Microsoft’s Privacy Principles for Live Search and Online Ad Targeting. http://tinyurl.com/ck9zq7, 23 July 2007

  29. Meta-Search Engine Definition from Wikipedia at http://en.wikipedia.org/wiki/Metasearch_engine

  30. Personal communication with John Borking on the evaluation report he prepared with Robert-Jan Dijkman on Ixquick, 20 January 2008

  31. Ixquick’s Privacy Q&A, http://www.ixquick.com/uk/protect_privacy.html#q

  32. Borking Consultancy (2009) Ixquick evaluation short public report (Recertification). http://tinyurl.com/bo7b43, 27 Jan 2009

Download references

Author information

Authors and Affiliations

  1. Interdisciplinary Centre for Law and ICT (ICRI), Katholieke Universiteit Leuven, Sint-Michielsstraat 6, 3000, Leuven, Belgium

    Eleni Kosta

  2. Cultural Informatics Laboratory, Department of Cultural Technology and Communication, University of the Aegean, Harilaou Trikoupi & Faonos Str., 81100, Mytilene, Greece

    Christos Kalloniatis & Evangelia Kavakli

  3. Information and Communication Systems Security Laboratory, Department of Information and Communications Systems Engineering, University of the Aegean, 83200, Samos, Greece

    Lilian Mitrou

Authors
  1. Eleni Kosta
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Christos Kalloniatis
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Lilian Mitrou
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Evangelia Kavakli
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Eleni Kosta.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Kosta, E., Kalloniatis, C., Mitrou, L. et al. The “Panopticon” of search engines: the response of the European data protection framework. Requirements Eng 16, 47–54 (2011). https://doi.org/10.1007/s00766-010-0107-7

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s00766-010-0107-7

Keywords

Search

Navigation