How long should Google remember searches?

Posted by Peter Fleischer, Global Privacy Counsel

Over the years we’ve taken many steps to protect our users' data and privacy. For example, we have resisted overly-broad government subpoenas; we've designed our services to give users a choice between personalized services and general services; and we've engineered our services to allow users to see and control how much data they wish to share with us. Recently, we took another important step to improve our privacy practices by announcing a new policy to anonymize our server logs after 18 to 24 months, becoming the first leading search company to publish a data retention policy. We also posted here to explain the factors that guided our decision to retain server log data for 18 to 24 months.

The Article 29 Working Party, an advisory panel composed of representatives from all of the E.U.'s national data protection authorities, has sent us a letter in response to our commitment to anonymize server logs. In it, they're asking us to provide further information about our new policy, and to explain why we feel that the time period of 18 to 24 months is “proportionate” under European data protection principles. For some time, we've discussed many things with the Working Party, ranging from issues raised by Google products like Gmail and Google Desktop to industry-wide concerns, such as the challenges of protecting privacy in the Web 2.0 era. We’re pleased that this most recent letter from the Working Party acknowledges our ongoing engagement with the data protection community and, in particular, our "readiness to consult with it [the Working Party] in contrast with a relative lack of engagement by some of the other leading players in the search engine community”.

In the spirit of transparency, we're publishing our response to the Working Party's letter. The Internet is a global medium, and the principles at stake -- privacy, security, innovation and legal obligations to retain data -- have an impact beyond Europe, and outside of the realm of privacy. These principles sometimes conflict: while shorter retention periods are good for privacy, longer retention periods are needed for security, innovation and compliance reasons. We believe we’ve struck a reasonable balance between these various factors. Our policies are consistent with EU data protection laws, which acknowledge the need to set data retention periods that are proportionate and that enable companies like Google to comply with legal requirements.

We have a legitimate interest in retaining search server logs for a number of reasons:

• to improve our search algorithms for the benefit of users
• to defend our systems from malicious access and exploitation attempts
• to maintain the integrity of our systems by fighting click fraud and web spam
• to protect our users from threats like spam and phishing
• to respond to valid legal orders from law enforcement as they investigate and prosecute serious crimes like child exploitation; and
• to comply with data retention legal obligations.

After considering the Working Party's concerns, we are announcing a new policy: to anonymize our search server logs after 18 months, rather than the previously-established period of 18 to 24 months. We believe that we can still address our legitimate interests in security, innovation and anti-fraud efforts with this shorter period. However, we must point out that future data retention laws may obligate us to raise the retention period to 24 months. We also firmly reject any suggestions that we could meet our legitimate interests in security, innovation and anti-fraud efforts with any retention period shorter than 18 months. We are considering the Working Party's concerns regarding cookie expiration periods, and we are exploring ways to redesign cookies and to reduce their expiration without artificially forcing users to re-enter basic preferences such as language preference. We plan to make an announcement about privacy improvements for our cookies in the coming months.

As we build new products and services, we look forward to continuing our discussion with the Article 29 Working Party and with privacy stakeholders around the world. Our common goal is to improve privacy protections for our users.