Google, the world's most popular search engine, has recently announced that it is decreasing the length of time for which it stores information which it gathers relating to users' search requests to 9 months. Concerns about privacy have plagued the company for years and this recent declaration by the company only goes so far to allay such fears.

Google has been put under pressure by EU privacy regulators to review its data retention practices and policies over the years. Only last year it implemented a new policy to anonymise search data after 18 months following increased pressure from the EU, and the further decrease in the time for holding data appears to have resulted from this ongoing criticism.

The search engine giant currently gathers and stores details from each search request relating to the search query itself, the IP address (the unique PC address) and other information about how a user makes a search. Google states that it uses the search data for the benefit of users: to improve search quality, improve security, fight fraud and reduce spam.

Google says that it will anonymise user IP addresses which are stored in server logs after 9 months. It states that this will address regulatory concerns whilst bolstering privacy for end users of its search engine. Whilst some regulatory commentators have welcomed this move, others have not been so positive in their reaction. A few have commented that the time Google holds data is less of an issue compared with how the data is actually anonymised, particularly if the "discarded" data can be retrieved.

Google is still in the process of working out how to anonymise personal data but this is likely to involve changing several of the digits in the user IP address. In comparison, Microsoft permanently removes the entire IP address, cookie IDs and other indentifiers from its search data within 18 months, whilst Ask.com introduced a feature last year which permitted users to search anonymously.

In Europe, criticism of Google has been levied by the Data Protection Working Party (an independent European advisory body advising on data protection and privacy issues). The Working Party has welcomed the decision by Google as a step in the right direction and has noted Google's willingness to work with data protection authorities. However the 9 month retention period still falls short of the 6 month period recommended by the Working Party. Based on the explanations provided by search engine companies for the purposes for collecting personal data, the Working Party stated a retention period of 6 months was ample.

Although Google has appeared to listen to the gripes of the Working Party, it still contests that it is not subject to EU data protection laws. The company has argued that such EU laws focus on the data controller, and in this case Google Inc., its US parent company, is the data controller. The company contends that, although a search engine provider may have a number of companies which are established or located within the EU, EU data protection laws will only apply if those companies established or located in the EU are processing personal data and doing so as a controller.

In contrast, the Working Party's April report concludes that the Directive applies to data processing by providers of search engines even if they are based outside the EU, provided that they carry out some or all of their services (which include the processing of personal data) through establishments inside the territory of an EU member state and make use of equipment situated within a member state.

Although Google may have fended off regulatory flak for the time being, it is clear that it lags behind in its privacy practices compared to those of its competitors. What is also clear is that users of Google should be made aware of how their personal data is being used and for what purposes.