Google recently introduced a policy that it would anonymise
records of use of its services after between 18 and 24 months. The
Article 29 Working Party, a committee of European data protection
officers, objected and asked Google to explain why it needed to
keep the data for so long before it was anonymised.
Google has now responded by saying that it will shorten the
period before anonymisation to 18 months. But the company did say
that it may have to reverse that policy to comply with European or
US law.
In Europe the Data Retention Directive requires EU member states
to implement laws ordering that telecoms data be retained. It says
each country can choose a retention period of between six and
24 months. That, said Google, could force it to reverse its new
policy.
"Since not many member states have implemented the Directive
thus far, it is too early to know the final retention time periods,
the jurisdictional impact, and the scope of applicability," said
Peter Fleischer, global privacy counsel at Google in a letter to
the Working Party. "Because Google may be subject to the
requirements of the Directive in some member states, under the
principle of legality, we have no choice but to be prepared to
retain log server data for up to 24 months."
Google said that it had to retain server logs in order to
perform many of its functions, such as helping users refine their
queries based on other users' experiences. It also said that it
needed to keep user activity data to help it detect fraud, which it
said was a growing problem on the internet.
"In determining a retention period, we closely examined the
evolution of search engine services, and the needs of our engineers
to ensure the security of Google services," said Fleischer. "The
period chosen, 18 to 24 months, represents a period lengthy enough
to achieve these purposes without being excessive. We therefore
believe that this is a proportionate period for the retention of
log server data."
Fleischer said that the firm would reduce the period of time
after which the data would be anonymised to 18 months, but that the
main problem in Europe was a lack of clarity on what its legal
obligations actually are.
"There is tremendous confusion in legal circles across Europe on
these issues, and both individuals and companies would benefit from
greater clarity from authorities responsible for the Data Retention
Directive to answer these very fundamental questions," he wrote. "A
public discussion is needed between officials working in data
protection and law enforcement to resolve these issues."
The Article 29 Working Party had also asked Google for
clarification on its anonymising process. Google assured the
Working Party that its process of deleting the final, identifying
digits of an internet address was irreversible, and that even
Google engineers could not retrieve that information once it was
deleted.
Google was also asked to explain how its cookie policy fitted
with data protection rules. "The lifetime of this cookie, which has
a validity of approximately 30 years, is disproportionate with
respect to the purpose of the data processing which is performed,"
write the Working Party to Google.
Google said that because users control their own cookies, data
retention law is not relevant. "We believe that cookies data
management in a user’s browser is fundamentally a browser/client
issue, not a service/server issue. Therefore, the lifetime of a
cookie does not indicate or imply any enforcement of data
retention," wrote Fleischer. "We also believe that cookie lifetimes
should not be so short as to expire and force users to re-enter
basic preferences (such as language preference). Nonetheless, we
acknowledge that cookie lifetimes should be 'proportionate' to the
data processing being performed."
Disclaimer: We hope you find OUT-LAW’s content useful. It’s prepared by the lawyers at Pinsent Masons. Please remember, though, that it’s intended as general information only. It’s not legal advice. If that’s what you’re seeking, please
contact us. See also: our
full disclaimer
