Google answers Article 29 Working Party on data protection standards

By EDRi · June 20, 2007

(Dieser Artikel ist auch in deutscher Sprache verfügbar)

Google has answered several questions related to its data protection
standards addressed by the Article 29 Working Party, especially on the
period after which the anonymisation of the search server logs can be

Initially Google announced in March 2007 a reduction of the retention period
for data related to users and their searches to 18-24 months, but, after the
Article 29 Working Party’s letter, Peter Fleischer, global privacy counsel
at Google, accepted a period of 18 months. However, he
also stated that the period could be extended to 24 months, depending on the
implementation of the Data retention directive in some of the EU member

Google explained that the period is necessary to use for logs in their
activities, such as spell-checking help, preventing abuse and fraud or
helping users refining their search queries based on previous experiences.
The privacy counsel has also used as one of the main reasons for keeping the
logs, the requirements of the Data retention directive that will require the
state members to keep the traffic data between 6 and 24 months. But he also
raised several questions marks regarding the clarity of the text of the

However, Philippos Mitletton, that works for the European Commission’s Data
Protection Unit, explained to Out-Law that the data retention directive
should not apply to Google

“The Data Retention Directive applies only to providers of publicly
available electronic communications services or of public communication
networks and not to search engine systems. Accordingly, Google is not
subject to this Directive as far as it concerns the search engine part of
its applications and has no obligations thereof.”

But Google’s letter goes beyond the text of the directive and expresses
concerns about the possibile extentions of the directive’s purpose at the
implementation of the Data Retention Directive in each EU member-state. It
also reffers to the German Ministry of Justice proposal that webmail
providers should be required to verify the identity of their
account holders and asks ” Could we challenge its legality in court, either
as an unconstitutional infringement of privacy, or as an example of
jurisdictional over-reach?” In practice, the German working group against
data retention has already gathered a lot of supporters for a constitutional
court challenge against the data retention law, that would be the largest
constitutional court case in Germany ever.

The letter Google has sent to the Article 29 Working Party points also to
other privacy-sensitive issues raised. The major search engine explained
that its anonymisation process deletes the final digits of the logged IP
addresses and that the process is irreversible, even for Google staff.

Fleischer explained also the Google position regarding cookies: “We believe
that cookies data management in a user’s browser is fundamentally a
browser/client issue, not a service/server issue. Therefore, the lifetime of
a cookie does not indicate or imply any enforcement of data retention. We
also believe that cookie lifetimes should not be so short as to expire and
force users to re-enter basic preferences (such as language preference).
Nonetheless, we acknowledge that cookie lifetimes should be “proportionate”
to the data processing being performed.”

Article29 Working party letter to Google (16.05.2007)

Google response to Article 29 Working Party (10.06.2007)

How long should Google remember searches? (11.06.2007)

Google makes data retention concession(12.06.2007)

Data retention laws do not cover Google searches, says Europe (13.06.2006)

EDRI-gram: Privacy bodies investigate Google’s data protection standards

EDRI-gram: Google limits the search data retention period (28.03.2007)