EU says URLS and Search Terms _are_ PECR data

Joel Harrison ukcrypto at chiark.greenend.org.uk
Wed, 16 Apr 2008 18:22:06 +0100 

Couple of points:

1.  I think the reference to PECR may be misleading, in that the
provision of 2002/58/EC to which the Commissioner refers - art. 5(1) -
is implemented in RIPA, not in PECR.

2.  If by "PECR data" you mean "traffic data" (as defined under PECR)
then I don't think it's correct to lump both URLs and search terms in
this category.  As I read the Commissioner's statement, it is only the
URLs that constitute traffic data, whereas the search terms are
communications[1].  But that doesn't matter for present purposes
because art. 5(1) requires Member States to prohibit the interception
of both communications and traffic data.

Joel

[1]  Of course, search terms may then form part of a URL in the form
of parameters passed to a search engine.  Whether this constitutes
traffic data isn't immediately obvious - that part of the URL isn't
necessarily used for the purpose of conveying the communication, but
rather determines the action that the server takes upon receiving the
communication.

On 4/16/08, Ian Batten <igb@batten.eu.org> wrote:
> Taken from a post to a Phorm inventor forum a few minutes ago.  I don't have
> a real source, I'm afraid.  This is an interesting contrast to Caspar's take
> on PECR last night.  The money shot is ``The data concerned in this
> particular matter i.e. the content of search queries, constitute
> communication within the meaning of this Directive and the URLs used in the
> packets constitute traffic data. This data should therefore be protected
> appropriately.''
>
> ian
>
> > Reply from EU Information, Society & Media Commissioner Viviane Reding
> >
> > The Commission is aware of the activities of the company Phorm in the UK,
> > concerning the analysis of internet traffic for advertising purposes, the
> > agreement between Phorm and major internet service providers in the UK and
> > the concerns that have beep raised about the effects on privacy of these
> > activities. Privacy and the protection of personal data are fundamental
> > rights of the citizens of the EU. They are enshrined in Articles 7 and 8
> of
> > the EU Charter of Fundamental Rights, and also protected by the European
> > Convention on Human Rights and the related instruments of the Council of
> > Europe, to which all EU Member States are signatories.
> >
> > The general principles for the protection of personal data are defined in
> > Directive 95/46/EC and complemented and particularized for electronic
> > communications by Directive 2002/58EC on privacy and electronic
> > communications (ePrivacy Directive).
> >
> > The ePrivacy Directive obliges Member States to ensue the confidentiality
> of
> > communications and related traffic data through national legislation. In
> > particular, they shall prohibit listening, tapping, storage or other kinds
> > of interception or surveillance of communication and the related traffic
> > data by persons other than the users without their consent, which must be
> > freely given, specific and informed indication of the user's wishes. The
> > data concerned in this particular matter i.e. the content of search
> queries,
> > constitute communication within the meaning of this Directive and the URLs
> > used in the packets constitute traffic data. This data should therefore be
> > protected appropriately.'
> >
>
>