Google adjusts privacy policy -- slightly

In response to criticism from the European Union and Privacy International, Google will anonymize data after 18 months instead of its previous target of 18-24 months

Google has decided to make the data it stores about end-users anonymous in its server logs after 18 months, according to a blog posted Monday by the company's global privacy counsel.

Previously, Google had said it would make the data anonymous after 18 to 24 months.

The decision comes in response to a letter the company received last month from a European Union data protection working group regarding Google's privacy policies.

Separately, a report released last week by Privacy International ranked Google worse than any other Internet company in protecting the privacy of its users.

In its letter, the Article 29 Working Party, an advisory panel of representatives from the E.U.'s national data protection authorities, asked Google to explain why it needed to keep user data for 18 to 24 months. The group said server logs contain information that can be linked to a particular person and that collecting such data must comply with the EU's data protection laws.

The working group said keeping the information for 18 to 24 months does not meet those laws, and it asked Google to justify its reasons for keeping the information for that length of time. The group said it planned to discuss this issue at a meeting later this month.

In a response, privacy counsel Peter Fleischer said: "The Internet is a global medium, and the principles at stake -- privacy, security, innovation, and legal obligations to retain data -- have an impact beyond Europe and outside of the realm of privacy." He added: "These principles sometimes conflict: While shorter retention periods are good for privacy, longer retention periods are needed for security, innovation, and compliance reasons."

Fleischer said Google believed it had "struck a reasonable balance between these various factors" and that its policies were consistent with E.U. data protection laws. Fleischer said Google needed to retain server logs for a variety of reasons, including: to improve its search algorithms for the benefit of users; to defend its systems by fighting click fraud and spam; to comply with data retention legal obligations; and to "meet valid legal orders from law enforcement as they investigate and prosecute serious crimes like child exploitation."

"After considering the Working Party's concerns, we are announcing a new policy: to anonymize our search server logs after 18 months, rather than the previously established period of 18 to 24 months," Fleischer said. "We believe that we can still address our legitimate interests in security, innovation, and anti-fraud efforts with this shorter period. However, we must point out that future data retention laws may obligate us to raise the retention period to 24 months."

Fleisher said Google disagrees that it could meet "legitimate interests in security, innovation, and anti-fraud efforts with any retention period shorter than 18 months."

In addition, Fleischer said Google was considering the working party's concerns about cookie expiration periods and said it was looking into ways to redesign cookies to improve privacy and would make an announcement on the issue in the coming months.

"As we build new products and services, we look forward to continuing our discussion with the Article 29 Working Party and with privacy stakeholders around the world. Our common goal is to improve privacy protections for our users," Fleischer said.

In his blog, search engine analyst Danny Sullivan, editor-in-chief of said, "It's nice to see Google make such a fast, responsive move, though it is reacting to something that felt more like a political show rather than a real effort to improve privacy protection."

Sullivan also criticized the working group for singling out Google.

"I find the letter fairly amazing from a group that supposedly is concerned about privacy, in how it fails to ask any substantial questions and suggests, frankly, technical ignorance," he said in his blog. "It simply feels motivated out of political posturing. Where are the letters for Microsoft and Yahoo?"

This story, "Google adjusts privacy policy -- slightly" was originally published by Computerworld.

Copyright © 2007 IDG Communications, Inc.

How to choose a low-code development platform