EU mandates Web sites delete personal data after six months

While the matter of whether that was enough of a reduction was being debated, Art. 29 was commissioned to set some ground rules as to whether legislative bodies can play a role. Under EU law, the community government must thoroughly demonstrate whether it can do a better job of setting rules than any or all of its member states acting individually, on a case-by-case basis, before it can issue rulings that could impact or conflict with member nations' respective, pre-existing laws.

To be thorough, Art. 29 decided it was necessary to explain from a legal perspective just what "personal data" was. The result was a surprisingly broad definition, that encompasses any kind of data whatsoever that can be traced back to an individual, even if that trace would require processes that don't actually exist yet.

That broad scope was extended to include IP addresses, even though it's clear now that individuals don't have IP addresses -- computers do. Last week, Art. 29 defended that extension, and perhaps even extended it a bit further, opting rather than to logically explain why an IP address counts as personal data, to instead challenge Internet service providers to come up with a logical reason why it doesn't. "Unless the Internet Service Provider is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side," wrote Art. 29 last week, citing text from an earlier opinion.

As Google's Fleisher responded yesterday, "Based on our own analysis, we believe that whether or not an IP address is personal data depends on how the data is being used." Google's existing position on the matter is that, just because ISPs tend to associate leased IP addresses with paying subscribers, does not mean that every IP address in the world corresponds to a human being.

In a strange retort to that argument, Art. 29 contended last week that an IP address should be treated as personally identifying because law enforcement agencies use IP addresses in their efforts to locate wanted persons.

"Law enforcement and national security authorities can gain access to these data and in some Member States private parties have gained access also through civil litigation," wrote Art. 29. "Thus, in most cases - including cases with dynamic IP address allocation -- the necessary data will be available to identify the user(s) of the IP address."

While this debate continues, the mechanism which could theoretically be used in the future to enable Google to never store personal data on its own servers, entered its next stage of evolution just today. The Google App Engine could forseeably be used to create a smarter search client, where personal data is stored on personal systems at the time of the search. However, architects would argue, that data would not be portable; and as Google's own Apps demonstrate, there's a certain convenience factor in users' being able to access their own data from any client.