Google Gets Special Message from E.U. Regulators on Data Retention

Major search engines are breaching European data protection laws by ineffectively anonymizing data on users’ search activity, according to E.U. regulators. Google was singled out for disregarding the group’s guidance on IP address storage.

The Article 29 working party – a group of data protection officials that advises the European Commission – sent public letters to Google, Yahoo, and Microsoft this week arguing their methods for the deletion of search logs do not meet E.U. privacy laws.

The European Commission currently recommends users’ IP-addresses should be deleted completely after a period of six months. However, the working party argued that most major search providers retain cookie information on users for considerably longer, meaning they can easily retrieve IP addresses every time a user makes a new query. “WP29 cannot conclude your company complies with the European data protection directive,” the group said. It added that a third party should be put in place “to reassure users that [search engines” are delivering on privacy promises.”

Jacob Kohnstamm, chairman of the working party, said he has also notified the FTC of its concerns. “I have asked the FTC to use its authority to examine the compatibility of this behavior with section 5 of the Federal Trade Commission Act.”

In its correspondence with Google specifically, the group also criticized the company for objecting to cut its IP address retention period to six months. Yahoo, Microsoft, and Ask have all agreed to meet this request, but Google currently holds on to data for nine months, claiming the period represents “the right balance between user privacy and maintaining the security and innovation of [Google’s” underlying systems.” The group said it “strongly suggests” Google should review its retention policy to bring it into line with the recommended period of a maximum of six months.

Earlier this month the working party also sent a letter to Facebook criticizing its privacy practices, suggesting the group is stepping up its scrutiny to match the increased concerns of users regarding the security of their personal information online.

Related reading