[Politech] Privacy International continues anti-Google campaign [priv]

From: Declan McCullagh (declan@private)
Date: Tue Apr 20 2004 - 21:27:00 PDT

  • Next message: Declan McCullagh: "[Politech] Diebold knew of legal risks of its voting machines [priv]"

    -------- Original Message --------
    Subject: 	Gmail complaint text
    Date: 	Mon, 19 Apr 2004 18:02:40 +0100
    From: 	Simon Davies <s.g.davies@private>
    To: 	declan.mccullagh
    Full text of complaint
    Privacy International
    Complaints Filed in Sixteen Countries Against Google
    Privacy watchdog vows to bring Gmail to heel
    Monday, 19th April 2004
    For immediate release
    The watchdog group Privacy International has today simultaneously filed
    complaints with privacy regulators in sixteen countries against Google's
    controversial Gmail service.
    The move creates Google's biggest challenge yet in the short but
    turbulent public debate over its new email service.
    Complaints have been filed with the privacy and data protection
    regulators of France, Germany, the Netherlands, Greece, Italy, Spain,
    Czech Republic, Belgium, Denmark, Sweden, Ireland, Portugal, Poland,
    Austria, Australia and Canada along with the European Commission and the
    EU Commissioners internal Article 29 Data Protection Working Group.
    Privacy International alleges that the Gmail service violates privacy
    law, both in Europe and in other countries. The complaint identifies a
    wide range of possible breaches of EU law. The 4,000 word complaint
    levels numerous charges against the new service, including:
    ... Inadequacy, unfairness and lack of safeguards or redress in the
    Gmail Terms of Use
    ... An absence of contractual commitment to the security of data
    ... Breaches of law concerning the interception and scanning of emails
    ... Absence of adequate customer control over data
    ... Breaches of law concerning indefinite and unspecified retention of
    deleted emails
    ... Confidentiality issues
    ... Violation of the rights of third parties
    ... Breaches of legal conditions relating to offshore processing of
    personal data
    ... Fundamental problems in achieving lawful customer consent
    ... Problems relating to the processing of Sensitive personal
    Privacy International had recently lodged a test complaint with the UK
    Information Commissioner. The Commissioner last week decided to delay
    taking action on the complaint after assurances from Google that the
    company would "consult" with officials before it offered the service in
    the UK.
    Privacy International decided to take global action against Google after
    it became clear that a similar assurance to meet US privacy advocates
    was not honoured. The watchdog will lodge complaints with a further
    thirteen countries in the next two weeks.
    Privacy International's Director, Simon Davies, warned Google that it
    should tread with great caution.
    "Google is showing its true colours. The company pays lip service to
    privacy but in this case has demonstrated no real commitment to it" he
    said. "I am beginning to suspect that Google looks at privacy in the
    same way that a worm looks at a fishhook".
    "Google deservedly has a sound reputation for the quality and
    functionality of its traditional products. It would be a pity to see
    that reputation washed down the toilet because of hostility to privacy"
    said Mr Davies.
    Davies challenged Google to "come out from its bunker and meet the
    "Company reputations stand or fall at moments like this" he added.
    "Google should face up to the privacy challenge and do the right thing
    by its customers. Otherwise the companies reputation will soon turn to
    ___________________________ _
    - Simon Davies of Privacy International can be reached for comment on
    - Privacy International (PI) www.privacyinternational.org is a human
    rights group formed in 1990 as a watchdog on surveillance by governments
    and corporations. PI is based in London, and has an office in
    Washington, D.C.  Together with members in 40 countries, PI has
    conducted campaigns throughout the world on issues ranging from
    wiretapping and national security activities, to ID cards, video
    surveillance, data matching, police information systems, and medical
    privacy, and works with a wide range of parliamentary and
    inter-governmental organisations such as the European Parliament, the
    House of Lords and UNESCO.
    Complaint filed with privacy & data protection regulators of France,
    Germany, the Netherlands, Greece, Italy, Spain, Czech Republic, Belgium,
    Denmark, Sweden, Ireland, Portugal, Poland, Austria, Australia and
    Canada along with the European Commission and the EU Commissioners
    internal Article 29 Data Protection Working Group (amended according to
    the relevant national legal environment)
    Privacy International
    Complaint:  Google Inc - Gmail email service.
    19th April 2004
    I am writing with regard to a new Webmail service that is being
    established at an international level by Google Inc, a US based company
    that operates the world's most popular Internet search engine.
    You may be aware that Google announced on April 1st this year that it
    will offer an email service which will provide each customer with one
    gigabyte of storage space. That is, around 500,000 pages of email per
    user. The service is being promoted as a means of creating a centralised
    and permanent archive of all email. Gmail says "Google believes people
    should be able to hold onto their mail forever." (1) While this may not
    currently be possible even at the one gigabyte level, the availability
    of the Gmail service will entice many users to maintain a single
    account, rather than having several, as many currently do.
    However, the Gmail service will electronically scan the subject headers
    and contents of all these private emails to generate targeted
    advertisements relevant to the email content.
    The Gmail service has already prompted substantial criticism from
    privacy and consumer groups both in the US and in Europe. (2) It has
    also generated a considerable amount of media controversy (3). Privacy
    International and many of its members across Europe are concerned that
    this service, currently in its Beta testing stage, violates a number of
    elements of Data Protection law.
    This complaint is made under subject rights set out in Data Protection
    legislation, and also within the terms of Article 20 of Directive
    95/46/EC of the European Parliament and of the Council (the Data
    Protection Directive) that stipulates:
    1. Member States shall determine the processing operations likely to
    present specific risks to the rights and freedoms of data subjects and
    shall check that these processing operations are examined prior to the
    start thereof. (4)
    The market for webmail services is substantial. The top three webmail
    companies have well in excess of 250 million unique users worldwide with
    a probable total market of a hundred million users in Europe. Google's
    supremacy in the search market will ensure that it stands a strong
    chance of challenging the major players.
    While the majority of Gmail users are likely to be individuals, there
    will be a substantial number of small businesses and other enterprises
    using the system - in time possibly numbering in the millions within
    Europe. These organisations are required to fulfil a range of conditions
    under data protection law. It is our contention that the Gmail service
    will not allow these requirements to be fulfilled.
    The precedent set by Google is likely to lead to a global trend to
    greater US based centralisation and storage of personal emails and a
    more comprehensive linkage between content and advertising. Google's
    competitors have already moved to increase their storage capacity.(5)
    This increased storage and functionality will fundamentally change the
    privacy expectation for electronic communication and will create
    additional security and data protection threats.
    You may be aware that data storage devices have been increasing in
    capacity even faster than computing power. The capacity of underlying
    recording media has been roughly doubling in size by area every 12
    months . This should continue over the next few years, leading to an
    approximate 30-fold increase in capacity over five years. The price of
    storage has now dropped to the point where it has become at most a
    secondary cost-factor in large systems. This is why the Gmail offering
    is likely to eventually extend throughout the entire email market.
    Such a large increase in storage space not only allows the creation of
    greater reserves of data, but it will also facilitate the retention of
    more precise and finely grained levels of data (e.g. higher resolution
    and frame rate video).
    Increased storage capacity will also make possible the retention of
    entirely new types of data.(6)
    Hence, we believe it is crucial at this stage to assess this type of
    service with a view to ensuring that all necessary protections and
    safeguards required by the EU Data Protection Directive and national
    laws have been implemented. While we understand that the Gmail contract
    may be freely entered into by customers, and that Google has provided a
    degree of openness about its intentions, the conditions must be in place
    to ensure that privacy rights are protected.
    You may be aware that n its Working document "Privacy on the Internet",
    the Article 29 Data Protection Working Party identified a clear need to
    specify the concrete application of the rule on applicable law of the
    general data protection directive (Article 4 paragraph 1 (c)), in
    particular to on-line processing of personal data by a controller
    established outside the Community. This complaint is pursuant to this
    I am writing to set out our concerns and to ask that you investigate the
    Gmail service with regard to compliance with Data Protection.
    If you determine that the planned service violates Data Protection law I
    would request that you notify Google that the service should be
    modified, and that regulatory action may be taken to prevent the service
    being offered. If the outcome of this process in not satisfactory I
    would request that an order may be made to prohibit the export of
    personal data to Google.
    The Service
    Google will offer users one gigabyte of email space. This is an
    unprecedented level of storage. Costs of the service will be recovered
    through the generation of targeted advertisements that will appear - as
    they currently do with Google searches - in the right hand margin of the
    The service employs technology that automatically scans the content of
    emails and then uses a keyword-matching programme that sifts the
    placements of Gmail advertisers. Relevant advertisements will appear not
    just on the computers of Gmail account holders, but also on the
    computers of other Gmail customers they communicate with.
    The practicalities of the Gmail search & target system have been
    described as follows:
    A colleague who also got an early Gmail account received a link to
    Newsday, apparently because an e-mail in his inbox had references to The
    New York Times and National Public Radio. When he mentioned this to me
    in yet another Gmail message, I received links to the New York Post
    online edition and to a site called TheFirstTwins.com. As we continued
    the dialogue, I got sponsored links to the Times, plus newspapers from
    the United Kingdom. (8)
    The service will utilise a unique combination of conventional
    technologies and techniques already being employed both by Google and by
    other search and email services.
    It should be remembered that a large amount of associated and
    inferential information is connected to use of such services. Google
    announced last week that it is now selling geographically targeted ads
    for its search engine ad placements. So, if a user lives in London, then
    London advertisers can purchase ads just for that geographic area. This
    is being done through geographic analysis based upon the logged IP
    address of the user. The point here is that Google is targeting ads
    closely. Gmail will greatly help it in doing this via the cookie and IP
    Additionally, Google has a history of logging consumer information via
    its search site. It logs users' search terms by IP address and unique
    cookies. One can see this easily (at least the IP logging and keyword
    logging) via Google Zeitgeist, a page where Google lists the most
    popular terms that individuals across the world have used for the past
    years. This data is aggregate. But the material they sell to advertisers
    is quite sophisticated. Gmail would be no different, except that the
    data could be tied to an individual for the first time on a mass scale.
    The issues we raise in this complaint are not all unique to Gmail.
    However, it is the scale and functionality of the Gmail service that
    poses a heightened level of threat to the rights of individuals and to
    the security and privacy of communications. At a more general level, the
    service - like others of its type operating in the US where there is an
    absence of equivalent legal protections - appears to violate EU data
    protection law.
    The Google Privacy Policy & Terms of Service
    The Google Privacy Policy (9) and Terms of Use (10) provide an insight
    into the environment in which Gmail will operate. These documents give
    rise to a range of concerns about the ability of the Gmail service to
    comply with European data protection provisions. While the privacy
    policy appears to provide many of the conditions and notifications that
    we would expect from such a service, the Terms of Use leave much to be
    While a number of the issues below are outside the jurisdiction of most
    data protection regulators, we feel they are important indicators to
    establish the circumstances surrounding the operation and use of the
    Gmail service.
    Stability of the contract
    The Google contract is unstable. Customers should be confident that the
    safeguards and protections contained in a contract would be maintained.
    However, the Gmail Terms of Use state:
    Google may, in its sole discretion, modify or revise these terms and
    conditions and policies at any time, and you agree to be bound by such
    modifications or revisions. If you do not accept and abide by this
    Agreement, you may not use the Gmail service.
    This condition gives rise to some concern. A service that will create a
    central reserve of a user's emails over many years must be afforded long
    term protection. It is a highly sensitive, valuable and vulnerable
    resource, and must be subject to a guarantee of long-term safeguards.
    It is usual for companies offering "free" services to feel they can
    impose such conditions. However, the Terms of Use represent an agreement
    of mutual benefit to both the company and to the user. It is thus a
    contract involving binding conditions. Under the traditional law of
    contract there should be a minimum of disruption to these terms.
    Certainly, any change should be conditional upon a degree of
    foreseability. No such conditions exist in the contractual environment
    set out by Google.
    The following conditions also involves a serious degree of uncertainty
    and unreliability:
    Google also reserves the right to modify, suspend or discontinue the
    Service with or without notice at any time and without any liability to
    And also:
    Google reserves the right to refuse service to anyone at any time
    without notice for any reason.
    While we accept that similar conditions have been instituted by other
    communications providers we feel the unequivocal nature of these clauses
    require modification. It is certainly true that communications providers
    in Europe have imposed similar conditions, but the rights of consumers
    can be enforced through local law. Such is not the case when dealing
    with a non-EU provider. This is why the Gmail contract must be more
    detailed and rigorous than would be the case if it were based in the EU.
    The contractual solutions pursued by the EU with regard to offshore
    processing reflect this imperative.
    Security of data
    Under Section VIII article 17 of the EU Data Protection Directive a data
    controller must take full responsibility and accept liability for the
    security of personal information. This applies equally when the data is
    processed outside the EU. However, the Gmail Terms of Use state:
    Google disclaims all responsibility and liability for the availability,
    timeliness, security or reliability of the Service.
    This is an unacceptable condition. In our view security must be accorded
    considerably greater weight within the contract.
    Interception and disclosure of content
    The privacy of the content of communications must be assured, and any
    violation of privacy must be subject to due process. However, the Gmail
    contract states:
    Google reserves the right, but shall have no obligation, to investigate
    your use of the Service in order to determine whether a violation of the
    Agreement has occurred or to comply with any applicable law, regulation,
    legal process or governmental request.
    This condition, in our view, invites abuses. More attention to detail is
    necessary. The word "request" implies a potential for omission of the
    due process that would be required in the EU and in many other
    Some clarification is offered in the following clause:
    Google may monitor, edit or disclose your personal information,
    including the content of your emails, if required to do so in order to
    comply with any valid legal process or governmental request (such as a
    search warrant, subpoena, statute, or court order), or as otherwise
    provided in these Terms of Use and the Gmail Privacy Policy.
    Note the use of the conjunctive "or". The word "request" remains
    undefined. The conditions imposed by US legislation such as the PATRIOT
    Act could provide a range of opportunities for US agencies to seize
    content without judicial authority  (11)
    Additional concerns arise from the following conditions:
    Google also reserves the right to access, read, preserve, and disclose
    any information as it reasonably believes is necessary to (a) satisfy
    any applicable law, regulation, legal process or governmental request,
    (b) enforce this Agreement, including investigation of potential
    violations hereof, (c) detect, prevent, or otherwise address fraud,
    security or technical issues (including, without limitation, the
    filtering of spam), (d) respond to user support requests, or (e) protect
    the rights, property or safety of Google, its users and the public.
    Google will not be responsible or liable for the exercise or
    non-exercise of its rights under this Agreement.
    This sweeping condition should be contrasted with the view of the
    Article 29 group:
    The content of e-mail has to be kept secret and must not be read either
    by any intermediary or by the Mail Service Provider, even for so called
    "network security purposes". (12)
    As noted by the Article 29 Group in its guidelines on privacy & the
    The confidentiality of communications is protected by Article 5 of
    Directive 97/66/EC. Under this provision, no third party should be
    allowed to read the contents of e-mail between two parties.
    The Article 29 Group provided further elaboration on the question of
    email interception:
    The Article 29 Working Party has dealt with the privacy aspects of
    interception of communications in its recommendation 2/9956. In this
    recommendation, the Working Party points out that each interception of
    telecommunications, defined as a third party acquiring knowledge of the
    content and/or traffic data relating to private telecommunications
    between two or more correspondents, and in particular of traffic data
    concerning the use of telecommunications services, constitutes a
    violation of an individual's right to privacy and of the confidentiality
    of correspondence. It follows that interceptions are unacceptable unless
    they fulfill three fundamental criteria, in accordance with Article 8
    (2) of the European Convention for the Protection of Human Rights and
    Fundamental Freedoms of 4 November 195057, and the European Court of
    Human Rights' interpretation of this provision: a legal basis, the need
    for such a measure in a democratic society, and conformity with one of
    the legitimate aims listed in the Convention.
    Everyone has the right to send a mail to everybody else without that
    mail being read by a third party. Article 5 of Directive 97/66/EC, which
    covers communications and related traffic data for example sent by
    e-mail, lays down obligations as to the confidentiality of
    communications. In addition to these obligations, Article 4 of the same
    directive obliges the providers of telecommunications services to take
    appropriate technical and organisational measures to safeguard the
    security of their services and to inform users about a particular risk
    of a breach of security and any possible remedies, including the costs
    The Gmail Terms of Use do not recognise these fundamental rights and
    conditions, nor do the terms set specific parameters for the reading or
    interception of email content.
    Subject control over data
    Data Protection law ensures that an individual will have the ability to
    control her own data. The following clause indicates that this right may
    breach the Terms of Use for Gmail:
    Accordingly, you agree that you will not copy, reproduce, alter, modify,
    or create derivative works from the Service. You also agree that you
    will not use any robot, spider, other automated device, or manual
    process to monitor, cache, or copy any content from the Service.
    One Internet expert has interpreted this to mean:
    You can't use a program -- or even a secretary, or a personal plan or
    habit -- to pull your own email out of the service! If you want to
    terminate and move your mail elsewhere, you can't extract or keep copies
    of your own email. (13)
    This condition would violate core principles of data protection.
    Given the extremely valuable and extensive reserve of communications
    data that Google wishes its target customers to amass, the following
    conditions (while not unusual) are unacceptable:
    Google may at any time and for any reason terminate the Services,
    terminate this Agreement, or suspend or terminate your account. In the
    event of termination, your account will be disabled and you may not be
    granted access to your account or any files or other content contained
    in your account although residual copies of information may remain in
    our system.
    The issue of data retention is dealt with below.
    Specific data protection issues in the complaint
    Searching of email content
    The core sniffing and searching function of Gmail gives rise to a range
    of concerns. The Article 29 Group has observed:
    If sniffing is carried out at central knots or junctions in the Internet
    this could allow for large-scale interception and surveillance of e-mail
    content and/or traffic data by choosing certain characteristics,
    typically the presence of keywords. Sniffing, as a general and
    exploratory surveillance activity, even if conducted by government
    agencies, can only be allowed if it is carried out in accordance with
    the conditions imposed by Article 8 of the European Convention on Human
    Users have come to expect that the content of their emails may be read
    to detect spam. The Gmail process does not merely extend this function,
    it takes it into a new context. We believe that the sifting of email
    content, whether achieved manually or automatically, raises a number of
    serious data protection concerns.
    Indefinite Retention
    Gmail's Terms of Use state:
    In the event of termination, your account will be disabled and you may
    not be granted access to your account or any files or other content
    contained in your account although residual copies of information may
    remain in our system.
    No time frame for the retention of deleted files is mentioned. It is
    common for email providers to maintain back-up copies to protect against
    technical failure, though the backup for a system as large as Gmail
    should operate close to real-time. Nothing in the Terms of Use limit
    Google's retention of emails to this specific circumstance. As currently
    stated, the Terms of Use imply that the retention is indefinite.
    Article 6 of the Directive states that data should be:
    1 (e) kept in a form which permits identification of data subjects for
    no longer than is necessary for the purposes for which the data were
    collected or for which they are further processed. Member States shall
    lay down appropriate safeguards for personal data stored for longer
    periods for historical, statistical or scientific use.
    The Article 29 Group has observed:
    Another privacy risk associated with e-mail is related to the inability
    of a user to easily and effectively remove an e-mail message that has
    either been sent or received as the operation of the delete function
    will not necessarily expunge a mail from the system. It can in that case
    be relatively easy for another user of the same machine or a system
    manager in the case of a networked machine to retrieve a message that
    the original user intended to delete and believes has been removed from
    the system. This issue is obviously not confined to e-mail but it is
    particularly significant in this context. In order to address this issue
    systems should be designed so that the operation of the delete function
    actually expunges information from the system.
    Section VIII, article 16 of the Directive (Confidentiality of
    processing) requires that:
    Any person acting under the authority of the controller or of the
    processor, including the processor himself, who has access to personal
    data must not process them except on instructions from the controller,
    unless he is required to do so by law.
    The Gmail Terms of Use are in conflict with this provision.
    Third party issues
    The Gmail system does not operate within a closed universe. Anyone can
    communicate with a Gmail customer. The emails of third parties will be
    subject to the same conditions as those applying to Gmail customers.
    That is, the email will be scanned and indefinitely retained. This
    raises a wide spectrum of issues.
    Article 14 of the Directive (The data subject's right to object)
    Member States shall grant the data subject the right:
    (a) at least in the cases referred to in Article 7 (e) and (f), to
    object at any time on compelling legitimate grounds relating to his
    particular situation to the processing of data relating to him, save
    where otherwise provided by national legislation. Where there is a
    justified objection, the processing instigated by the controller may no
    longer involve those data;
    (b) to object, on request and free of charge, to the processing of
    personal data relating to him which the controller anticipates being
    processed for the purposes of direct marketing, or to be informed before
    personal data are disclosed for the first time to third parties or used
    on their behalf for the purposes of direct marketing, and to be
    expressly offered the right to object free of charge to such disclosures
    or uses.
    These conditions cannot be guaranteed by Google. They are even more
    uncertain for third parties who communicate with a Gmail user.
    Article 12 of the Directive has particular application. It stipulates
    that data should be subject to certain controls:
    (b) as appropriate the rectification, erasure or blocking of data the
    processing of which does not comply with the provisions of this
    Directive, in particular because of the incomplete or inaccurate nature
    of the data;
    Offshore processing of data
    As evidenced by the analysis above, there are grounds for concluding
    that the processing of data by Google may not achieve the standards
    required within the EU. Article 25 of Chapter IV of the Directive
    (Transfer Of Personal Data To Third Countries) states:
    1. The Member States shall provide that the transfer to a third country
    of personal data which are undergoing processing or are intended for
    processing after transfer may take place only if, without prejudice to
    compliance with the national provisions adopted pursuant to the other
    provisions of this Directive, the third country in question ensures an
    adequate level of protection,
    We would like to draw your attention to the Article 29 Working Group
    paper "Working document on determining the international application of
    EU data protection law to personal data processing on the Internet by
    non-EU based web sites". (14) This document clearly identifies the legal
    right of the EU to establish criteria for processing of data via non-EU
    It should be noted that according to the list provided by the US
    Department of Commerce, Google has not joined the Safe Harbor scheme.
    (15) Nor, in our view, has the company satisfied many of the
    requirements contained in the EU Directive or in the law of EU member
    Consent issues
    Article 7 of the Directive requires that Member States shall provide
    that personal data may be processed only if the data subject has
    unambiguously given his consent. This consent, as you will understand,
    must be given in full knowledge of the circumstances of the processing.
    We believe that such informed consent cannot be possible under the
    current Gmail contract. Customers must be explicitly warned that their
    data will not be afforded the level of protection that applies in the
    It appears that the Gmail service is in material breach of the consent
    provisions of data protection law. As mentioned above, consent can only
    be given by a Gmail account-holder. Those who send email to a Gmail
    customer will have no opportunity to consent to having their email read
    for keywords.
    Sensitive data
    Article 8 of the Directive (The processing of special categories of
    data) stipulates:
    1. Member States shall prohibit the processing of personal data
    revealing racial or ethnic origin, political opinions, religious or
    philosophical beliefs, trade-union membership, and the processing of
    data concerning health or sex life.
    2. Paragraph 1 shall not apply where:
    (a) the data subject has given his explicit consent to the processing of
    those data, except where the laws of the Member State provide that the
    prohibition referred to in paragraph 1 may not be lifted by the data
    subject's giving his consent;
    These provisions raise important and complex questions. To what extent
    can or should Gmail (or any other email service provider) conform to
    these requirements? Because of its scale, Gmail can be used by a range
    of organisations as the primary communications medium.
    We believe the Gmail service involves significant and far-reaching
    privacy implications. The precedent set by the service, its enhanced
    functionality and the likelihood of unexpected future changes to the
    system require serious consideration of data protection issues. We urge
    you to prospectively investigate this system with a view to establishing
    appropriate privacy safeguards.
    Yours sincerely
    Simon Davies
    Privacy International
    ________________ _
    1) Google press release, April 1, 2004
    2) See letter signed by 28 advocates and organisations at
    3) A selection of coverage can be viewed at
    4) The text of the Directive can be read at
    5) Four days after the announcement of the Gmail service spymac.com
    launched a free one gigabyte service
    6) The UK "Memories for life" research challenge, for example, has
    proposed a system that would store and index users' "digital memories" -
    photographs, videos and communications - over their entire lifetime .
    7) A snapshot of the ad placement can be seen at
    8) Edward C Baig, Targeted ads tied to Gmail's super space, USA Today,
    14th April 2004.
    9) Google's Privacy Policy
    10) Gmail's Terms of Use
    11) The potential for interference with US based communications services
    under the provisions of the PATRIOT and other Acts has been the subject
    of media commentary. See, for example,
    and http://www.fortwayne.com/mld/newssentinel/news/editorial/8439289.htm
    12) Article 29 Data Protection Working Party; Working Document: Privacy
    on the Internet- An integrated EU Approach to On-line Data Protection-
    5063/00/EN/FINAL WP 37. November 2000
    13) John Gilmore; assessment of Gmail Terms of Use, 7 April 2004
    Working document on determining the international application of EU data
    protection law to personal data processing on the Internet by non-EU
    based web sites Adopted on 30 May 2002
    15) US Department of Commerce; Safe Harbor list
    Politech mailing list
    Archived at http://www.politechbot.com/
    Moderated by Declan McCullagh (http://www.mccullagh.org/)

    This archive was generated by hypermail 2b30 : Tue Apr 20 2004 - 21:52:13 PDT