Following criticism from privacy groups, Google is again
revising its policy on how long its servers will retain search data generated
from users of its websites. Under its new policy, Google will anonymize its log
data after 18 months.
The move was fuelled by a letter from the
European Union in May, warning the search giant that its data retention
policies may be in violation of EU laws. Months earlier, in March,
Google said that it was changing its practice from keeping user data
indefinitely to only 18 to 24 months. After that period, Google would remove
the last eight bits of a user’s IP address, with all the remaining bits
retained for the purpose of approximating user information for authorities.
In this latest change, Google will cut its retention by up to
eight months by keeping logs for a maximum of 18 months. Peter Fleischer, global
privacy counsel for Google, writes in the official
blog, “The Article 29 Working Party, an advisory panel composed of
representatives from all of the E.U.'s national data protection authorities,
has sent us a letter in response to our commitment to anonymize server logs.
In it, they're asking us to provide further information about our new policy,
and to explain why we feel that the time period of 18 to 24 months is ‘proportionate’
under European data protection principles.”
Google explained to the EU that its server logs are used to
improve its search algorithms, defending systems from attacks, protecting users
from spam, phishing and to respond and aid law enforcement.
“After considering the Working Party's concerns, we are
announcing a new policy: to anonymize our search server logs after 18 months,
rather than the previously-established period of 18 to 24 months. We believe
that we can still address our legitimate interests in security, innovation and
anti-fraud efforts with this shorter period,” writes Fleischer. “However, we
must point out that future data retention laws may obligate us to raise the
retention period to 24 months. We also firmly reject any suggestions that we
could meet our legitimate interests in security, innovation and anti-fraud
efforts with any retention period shorter than 18 months.”
Fleischer also says that the company is considering the
Working Party's concerns regarding cookie expiration periods, and will make an
announcement on its new and improved digital baked goods in the coming months.