The company, which has come under fire for the volume of information it gathers and keeps on users, has published a detailed response to EU privacy regulators' group the Article 29 Working Party's criticisms of its policies.
The company argues that EU law does not apply to its processing of data because that processing is controlled by its US parent. One data protection expert has called the argument "optimistic".
The dispute is over the records, or logs, of users' search queries. Google keeps them and uses them, it says, to improve the quality of search results, to fight fraud and to improve data security.
The Working Party, though, has called for data to be deleted after just six months. In a report published in April of this year it said that companies keeping data for longer risked breaching data protection laws based on the EU's Data Protection Directive.
"If personal data are stored, the retention period should be no longer than necessary for the specific purposes of the processing," said the Working Party's April report. "In view of the initial explanations given by search engine providers on the possible purposes for collecting personal data, the Working Party does not see a basis for a retention period beyond 6 months."
Google has now said that EU laws do not apply to its retention of search data, though. It has published a response to the Working Party written by Peter Fleischer, the company's global privacy counsel in which he argues that EU data protection law is focused on the 'controller' of the data, and that the controller in Google's case is its US parent company, Google Inc.
"Google Inc must be regarded as the controller in connection with the processing of users’ data irrespective of where the data is collected or stored," said its response. "Accordingly, Google Inc – as the parent company of all Google entities – has made a commitment to ensuring that the privacy practices of Google are globally consistent whilst locally compliant."
"If the collection, storage or analysis of search logs or any other associated activity involving the processing of personal data were carried out by one of the Google entities established in the EEA [European Economic Area] in their capacity as controllers of the information, that entity would be subject to EU data protection law (i.e. the national data protection law of the territory where it is based) in respect of that processing," said Google's response.
"However, as evidenced above, the fact that a global search engine provider, like Google, has legal entities formed under the law of an EEA member state or branches located within the EEA does not necessarily bring all data processing operations of that search engine provider within the scope of application of EU law. For that to happen, the EEA-based entity or branch of the search engine provider must (a) be involved in the actual processing of personal data, and (b) do so as a controller," it said.
Google said that local EU based entities are likely to carry out limited functions, and that those will be as a processor of data on behalf of the US controller.
"Despite the fact that Google may have establishments within the EEA, given the nature of the commercial activities being undertaken in those establishments, they will not fall within the jurisdiction of EU data protection law as far as the processing of Google users’ data is concerned," the company's response said.
William Malcolm, a data protection specialist at Pinsent Masons, the law firm behind OUT-LAW.COM, said he doubted that these arguments would find favour in court.
"It's an interesting legal argument although a little optimistic from Google's perspective," he said. "The Article 29 Working Party, national regulators and the courts are likely to interpret both the Directive and local implementing legislation in such a way as to ensure that they have jurisdiction over these issues in the interests of protecting the citizens of EU countries."
"Google has substantial business operations across Europe and is clearly established in many countries. This may well be enough for the processing to fall subject to the Directive and local laws," he said.
Google has also renounced one if its key arguments in favour of keeping the logs. Fleischer had previously claimed that the EU's Data Retention Directive forced it to keep details for between six and 24 months. The Working Party said that this was not the case because data retention laws only applied to telecoms firms.
"We agree with the Working Party that search logs are outside of the scope of the Data Retention Directive," said Fleischer in Google's just-published response document.
In July Google made another concession to privacy activists. It agreed to publish a link to its privacy policy on its front page after calls from regulators to do so.
As part of this week's announcement it also agreed to reduce the length of time for which it retains a record of who used its search engine for what purposes.
"Today, we're announcing a new logs retention policy: we'll anonymize IP addresses on our server logs after 9 months," said the company announcement by Fleischer, senior privacy counsel Jane Horvath and software engineer Alma Whitten.
"We're significantly shortening our previous 18-month retention policy to address regulatory concerns and to take another step to improve privacy for our users," they said.
Though Google's response document claimed that EU law often did not apply to it, it said that it wanted to meet EU data protection requirements.
"Google Inc. may be subject to the national data protection laws of the EU countries where its data centres are based due to its use of equipment in those countries to store and process user data via local data centres," it said. "Notwithstanding these legal, or indeed legalistic, observations, Google is committed to complying with EU data protection principles for the benefit of our users in Europe."
