Monday, June 11, 2007
Over the years we’ve taken many steps to protect our users' data and privacy. For example, we have resisted overly-broad government subpoenas; we've designed our services to give users a choice between personalized services and general services; and we've engineered our services to allow users to see and control how much data they wish to share with us. Recently, we took another important step to improve our privacy practices by announcing a new policy to anonymize our server logs after 18 to 24 months, becoming the first leading search company to publish a data retention policy. We also posted here to explain the factors that guided our decision to retain server log data for 18 to 24 months.
The Article 29 Working Party, an advisory panel composed of representatives from all of the E.U.'s national data protection authorities, has sent us a letter in response to our commitment to anonymize server logs. In it, they're asking us to provide further information about our new policy, and to explain why we feel that the time period of 18 to 24 months is “proportionate” under European data protection principles. For some time, we've discussed many things with the Working Party, ranging from issues raised by Google products like Gmail and Google Desktop to industry-wide concerns, such as the challenges of protecting privacy in the Web 2.0 era. We’re pleased that this most recent letter from the Working Party acknowledges our ongoing engagement with the data protection community and, in particular, our "readiness to consult with it [the Working Party] in contrast with a relative lack of engagement by some of the other leading players in the search engine community”.
In the spirit of transparency, we're publishing our response to the Working Party's letter. The Internet is a global medium, and the principles at stake -- privacy, security, innovation and legal obligations to retain data -- have an impact beyond Europe, and outside of the realm of privacy. These principles sometimes conflict: while shorter retention periods are good for privacy, longer retention periods are needed for security, innovation and compliance reasons. We believe we’ve struck a reasonable balance between these various factors. Our policies are consistent with EU data protection laws, which acknowledge the need to set data retention periods that are proportionate and that enable companies like Google to comply with legal requirements.
We have a legitimate interest in retaining search server logs for a number of reasons:
- to improve our search algorithms for the benefit of users
- to defend our systems from malicious access and exploitation attempts
- to maintain the integrity of our systems by fighting click fraud and web spam
- to protect our users from threats like spam and phishing
- to respond to valid legal orders from law enforcement as they investigate and prosecute serious crimes like child exploitation; and
- to comply with data retention legal obligations.
As we build new products and services, we look forward to continuing our discussion with the Article 29 Working Party and with privacy stakeholders around the world. Our common goal is to improve privacy protections for our users.