EU mandates Web sites delete personal data after six months

Can a fair compromise be obtained on the matter of how long search engines should be allowed to retain personally identifiable data? Last week, a key European advisory group moved the goalposts on that issue yet again.

The European Union's key advisory panel on governing policy for Internet services issued an opinion last Friday stating that search engines and Web sites that retain personally identifiable data delete that data from their servers after six months. Member states would then be free to specify an even tighter timeframe.

"Retention periods should be minimized and be proportionate to each purpose put forward by search engine providers," reads the opinion of the Article 29 Working Group (PDF available here). "In view of the initial explanations given by search engine providers on the possible purposes for collecting personal data, the Working Party does not see a basis for a retention period beyond 6 months. However, national legislation may require earlier deletion of personal data. In case search engine providers retain personal data longer than 6 months, they must demonstrate comprehensively that it is strictly necessary for the service. In any case, the information about the data retention period chosen by search engine providers should be easily accessible from their homepage."

The opinion prompted a response yesterday from Google's global privacy counsel Peter Fleischer, on his company's Public Policy blog.

"We believe that data retention requirements have to take into account the need to provide quality products and services for users, like accurate search results, as well as system security and integrity concerns," Fleischer wrote. "We have recently discussed some of the many ways that using this data helps improve users' experience, from making our products safe, to preventing fraud, to building language models to improve search results. This perspective -- the ways in which data is used to improve consumers' experience on the Web -- is unfortunately sometimes lacking in discussions about online privacy."

But a careful read of last week's Art. 29 opinion reveals that user experience did, in fact, factor into the Group's deliberations, and may have played a role in a working group discussion on the matter immediately following the opinion's release. One example cited how search engine providers tend to set the expiration date for locally stored cookies at the highest possible date by default, when there's no proof that the experience which the providers give to their users is enhanced by such a choice.

Art. 29 also cited several providers, including MSN and Google, which admit to aggregating the personally identifiable data they collect with data supplied by third parties, in order to enrich search results. The opinion actually quotes from Google's defense of its policy from its own Web site: "We may combine personal information collected from you with information from other Google services or third parties to provide a better user experience, including customizing content for you."

That quote was used to substantiate a point that search users' experiences could conceivably be improved if they were informed as to when personal data was being collected from them, at the time of its collection, as well as how much and for how long.

"As controllers of the user data, search engines should make clear to users what information is collected about them and what it is used for," Art. 29 writes. "A basic description of the use of personal information should be provided whenever it is collected, even when a more detailed description is provided elsewhere. Users should be similarly informed about software, such as cookies, that might be placed on their computer when they use the Web site, and how these can be refused or deleted. The Working Party considers that this information is necessary in the case of search engines to guarantee fair processing."

Last year, the debate over whether a search engine actually needs to retain any personally identifiable information about its users at all, was moderated somewhat when the European Commission opted to restrict the discussion to length of retention. That move brought parties to the table, and spurred Google to reduce its own retention time from 24 months to 18.

Next: Art. 29 challenges ISPs to prove IP addresses aren't personal