EU Takes Search Engines to Task on Data Retention

The European Union’s Article 29 Working Party has sent letters to Google, Yahoo!, and Microsoft telling them that they must cease retaining personal data of search engine users for more than six months and must improve their anonymization procedures. It also asked the companies to appoint outside auditors to review their procedures for anonymizing data to ensure that they truly prevent identification of the users behind the data. In addition, the Party sent copies of the letters to the U.S. Federal Trade Commission and asked it to investigate whether the companies’ data retention practices were “unfair” or “deceptive” within the meaning of the FTC Act.

Canada Moves A Step Closer to Mandatory Data Breach Notification

Canada’s Ministry of Industry has proposed amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) that would require private sector entities to notify the Office of the Privacy Commissioner of breaches of personal data, and to notify affected individuals directly if the breach creates a “real risk of significant harm.” The proposal will now be considered by Parliament. The Privacy Office in the past has opposed mandatory notification, but this time around has said it welcomes the proposal. Chances thus seem fairly good that Canada will join the breach notification club.