From the BBC (hat tip also to Canadian Privacy Law Blog; advance warning from The Register):
Google is to halve the amount of time it stores users’ personal search data in response to continued pressure from the EU over its privacy policy. The search giant has said it will anonymise identifiable IP addresses on its server logs after nine months. Google said respecting users’ privacy is “fundamental to earning and keeping their trust”.
From the Official Google blog (cross-posted on the Google Public Policy Blog):
Today, we’re announcing a new logs retention policy: we’ll anonymize IP addresses on our server logs after 9 months. We’re significantly shortening our previous 18-month retention policy to address regulatory concerns and to take another step to improve privacy for our users.
From Damien Mulley:
Google will now anonymize IP data after 9 months. Cos they love us. Or because their tech has advanced a good bit so they only need 9 months now to know everything about you compared to 18 months a while back.
From Broadstuff:
Of course, it would be much more heartening if their embrace of their famous “Don’t Be Evil” principles came from their own good will, rather than being pushed (hard) every inch of the way by the European Union, and the appointment of a respected US lawyer to look into anti-trust issues.
From Cyber Panda:
The move still leaves Google lagging behind the recommended 6 months storage period recommended by the Working Body. It is dubious whether the recent move by Google will be enough to assuage the concerns of the Working Body as the reason for storing and processing personal data has still not been sufficiently explained by Google.
Other worthwhile reaction: JenkinsLaw (Nine months is still a long time) | OUT-Law (skeptical of Google’s claim that EU law does not apply to data processing controlled by its US parent) | Wired (the effort may do little to prevent future regulation of search data collection). Update: Ian Brown (Blogzilla) (Google must try harder).
Last April, the European Commission’s Article 29 Data Protection Working Party released an opinion (Opinion 1/2008, WP 148: pdf; background on this blog here and here) concerning the applicability of the Data Protection Directive (95/46/EC) and the Data Retention Directive (2006/24/EC) to the processing of personal data by search engines (excellent discussion here). Google’s revision is a direct response to this opinion. It is a reassuring step in the right direction. (Though neither unique nor complete, so too are the incognito features in Chrome.) But this is all still a long way from AskEraser. So, come on Google: what about an incognito feature for searches?
Eoin,
Some further issues with the Data Retention Directive (Ireland application):
1. The Draft S.I. contains references to civil litigation, this is wholly incorrect vis the intention of the Directive (Think Sabam v Tiscali SpA. “Scarlett” and Music Rights Holders v eircom);
2. The S.I. could redefine ‘serious crime’ in Ireland which as you will be aware is defined under the Bail Act 1997, as crimes with a sentence toll of five years in duration or more;
3. Wrangles over what constitutes ‘undue delay’ in furnishing data;
4. Clashes between the Article 29 WG and the intention of the Data Retention Directive;
5. The litigation at the ECJ undertaken by Ireland and Slovenia vis the Pillar placement of the Council vote on the directive (McDowell is actually a liberal in re. Data Privacy);
6. Cost recovery is not being allowed in Ireland, it is in the UK and other countries. Making Law enforcement agencies work to a budget means that ‘fishing expeditions’ will not occur;
7. Germany are Judicially Reviewing the DRED at the moment, will be most interesting. Some of the main angles are mentioned above e.g., Civil Litigation and Serious Crime; and
8. The EU expert group on the DRED are not finished their deliberations as yet.
Back in 2002 when this was first discussed and coincidentally Minister Dermot Ahern was in-situ in Department of Communications, now Justice we all worked to lobby on this in Internet and Telecoms in Ireland. The snafu continues.
The powers that be failed to get a time extension due to the ECJ litigation and now we face implementation with out a Regulatory Impact Assessment – RIA, in advance of it being signed into law.
I wonder does the Irish Constitutional shield under Art 29 really still apply or do we have to contend with more right infringing legislation.
Anyone know where the DRI case is at?
Fun times.
Ronan