European authorities sent a letter to Google, Microsoft, and Yahoo! at the end of May informing the companies that their data-retention practices violate European Union law. European data-protection directives require that search engines delete all traceable links to individual computer users completely after six months.

The three search engines had previously been informed by the EU authorities that they were not in compliance. Although the companies updated their policies in response, the letter from the Article 29 Working Party, a group of 27 European national privacy chiefs, alleged that the search engines still do not adequately anonymize information about their users.

“An individual’s search history contains a footprint of that person’s interests, relations, and intentions and should rightly be treated as highly confidential personal data,” the letters said. “Pursuant to the data-protection directive, the retention period should be no longer than necessary for the specific purposes of the processing, after which the data should be deleted.” Each of the search engines has its own issues, according to the letter.

Google keeps its users’ information for nine months, past the six-month limit, and deletes only part of each user’s IP address, which does not prevent the identification of data subjects, the EU authorities allege. Google also retains cookies for 18 months, which makes for “easy retrieval of IP addresses, every time a user makes a new query within those 18 months,” according to the letter.

Although Yahoo! deletes IP addresses after three months, the EU authorities expressed concern about the company’s hashing techniques, specifically with regard to user identifiers and cookies. And Microsoft – which has said it will delete IP addresses after six months – should also delete users’ cookies and other session identifiers after that same time period, the letter said.

Based on the search engines’ practices, the Working Party “cannot conclude that your company complies with the European data-protection directive,” the letter said.

The letters requested that the three companies appoint outside auditors to verify that their practices have truly eliminated all links to users and their data.

Why it matters: In a separate letter, the EU authorities also encouraged the Federal Trade Commission to probe the search engines’ data-retention practices in the United States, and investigate whether their data-retention policies constitute a violation of the FTC Act. “The concerns of the [Working Party] are focused on the retention and anonymization policy of the three providers with regard to the search query logfiles,” the letter said, offering the FTC assistance in finding a “constructive solution to protect the private life of everybody who conducts searches on the Internet.”