Google will anonymise the contents of its server logs when they are 18 months old in an attempt to satisfy privacy concerns raised by an European Union working party.
Google recently announced it would retain full logs for a period of 18 to 24 months, but the Article 29 Data Protection Working Party was of the opinion that this did "not seem to meet the requirements of the European data protection framework" as "Google has so far not sufficiently specified the purposes for which server logs need to be kept" as required by Data Protection Directive 95/46/EC.
The company defended its decision by referring to the need for log analysis to measure the quality of search results, to suggest alternative spellings for search terms, to help guard against malicious access and various types of spam.
Google also pointed to the difficulty of simultaneously complying with laws in multiple jurisdictions. The EU has directed member states to pass laws requiring the retention of data for periods between six and 24 months, and the US Department of Justice is seeking 24-month retention.
The company faces other obligations imposed by accounting requirements, contracts (eg, with advertisers) and compliance laws such as Sarbanes-Oxley in the US.
In the face of the Working Party's concern, Google agreed to shorten the period before log information is anonymised to 18 months, providing that future data retention laws do not require a longer period.
"We also firmly reject any suggestions that we could meet our legitimate interests in security, innovation and anti-fraud efforts with any retention period shorter than 18 months," wrote global privacy counsel Peter Fleisher in the company's formal response.
The company has yet to fully address the Working Group's concern about the longevity of cookies set by Google, but is "exploring ways to redesign cookies and to reduce their expiration without artificially forcing users to re-enter basic preferences such as language preference" with an announcement planned for "the coming months."
Google did not seem to fully respond to the Working Group that it considers a resolution of the International Data Protection and Privacy Commissioners' Conference which states in part that providers of search engines "shall not record any information about the search that can be linked to users or about the search engine users themselves. After the end of a search session, no data that can be linked to an individual user should be kept stored unless the user has given his explicit, informed consent to have data necessary to provide a service stored (eg, for use in future searches)."
This language appears to imply that data should be stored for the benefit of the user rather than the operational convenience of the search provider.
Read full article on itwire
Last update : 13-06-2007 06:20
|
News 
