Google Saga

In the latest saga on Google's policy to keep its server log data for more than 18 months, the Art. 29 Working Party has published its letter to Google dated 16th May:

Although Google's headquarters are based in the United States, Google is under legal obligation to comply with European laws, in particular privacy laws, as Google's services are provided to European citizens and it maintains data processing activities in Europe, especially the processing of personal data that takes place at its European centre. As you are aware, server logs are information that can be linked to an identified or identifiable natural person and can, therefore, be considered personal data in the meaning of Data Protection Directive 95/46/EC. For that reason their collection and storage must respect data protection rules.The Article 29 Working Party considers a reduced storage period for server logs generated by the users of Google services as a valuable step to improve Google's privacy policies. However, it is of the opinion that the new storage period of 18 to 24 months on the basis indicated by Google thus far, does not seem to meet the requirements of the European legal data protection framework.The Article 29 Working Party is concerned that Google has so far not sufficiently specified the purposes for which server logs need to be kept, as required by Article 6(1)(e) of Data Protection Directive 95/46/EC. Taking account of Google's market position and ever-growing importance, the Article 29 Working Party would like further clarification as to why this long storage period was chosen. The Working Party would also be keen to hear Google's legal justification for the storage of server logs in general.

See also:

• Art. 29 Working Party Letter (pdf)
• Out-Law: Data Protection Watchdogs' letter to Google goes public
• Data Retention Directive 2006/24/EC (pdf)
• Article 29 Working Party Resolution on Privacy Protection and Search Engines
• World Privacy Forum: Search Engine