On May 16, a European Union advisory panel of data protection authorities (DPAs) sent Google a letter informing the company that its data retention policies may violate European Union privacy law. Google has since agreed to anonymize server logs after 18 months and to drastically reduce the life of its cookies. On June 21, the panel announced that its Working Party's inquiry has been expanded to include search engines in general. This growing initiative could have repercussions for numerous other U.S. Internet companies, even those with minimal facilities in the European Union.

Google's Data Collection Practices

For every search on Google.com, Google apparently retains "server log information," including any URL on which a user clicks, the user's IP address, browser type, and more. Before receiving the Article 29 Working Party's letter, Google had already announced plans to "anonymize" server log information after 18 to 24 months, removing any information that could identify individual users (personal data). Google's practice had been to retain personal data for as long as the data were useful. Google denies sharing personal information with third parties such as advertisers.

Google's data-handling practices are generally considered consistent with applicable U.S. law. Privacy law in the United States tends to target discrete types of "high risk" personal information, such as data concerning children, medical treatment or financial accounts. In other words, restrictions tend to apply only if there is a substantial risk that misuse could harm an individual. Some of these laws include restrictions on data retention, but very few regulate the use of "cookies," small bits of software that many websites save on individuals' computers in order to personalize websites and track "clickstream."

In contrast, Google's data retention and cookie practices are potentially problematic in the European Union. Compared to U.S. law, EU privacy law does not tailor its requirements based on the degree of risk that would be presented if a particular type of personal information were misused. Rather, EU privacy directives assume a relatively high baseline level of risk and require EU companies to justify their data-handling practices a priori. For example, the EU Data Protection Directive (95/46/EC) establishes that companies may retain personal data only for specified, legitimate reasons, may not retain more than required and must delete those data when they are no longer necessary for the purposes for which they were collected. Further, the EU Directive on Privacy and Electronic Communications (2002/58/EC) can be interpreted to allow deployment of cookies only if they are "strictly necessary" in order to provide a consumer-requested online service.

DPAs Put Google in Their Sights

The Article 29 Working Group letter suggests that Google's data retention and cookie maintenance practices might violate EU privacy law. It questioned whether Google has a legitimate interest in its two-year server log retention period, and thus whether the company has violated the Data Protection Directive's restrictions on data retention. Likewise, it challenged whether the 30-year lifespan of Google cookies was "strictly necessary" under the Electronic Communications Privacy Directive. In the DPAs' view, compliant cookies would have the "sole purpose" of providing a service explicitly requested by a user, and would not otherwise facilitate collection of personal information for the benefit of Google. Further, the DPAs asked whether Google's cookies served a legitimate interest, as required to comply with the Data Protection Directive.

Google Yields; Probe Expands

Google responded swiftly to the Working Group letter, announcing on June 12 that it will anonymize server log data after 18 months, rather than 24 months, and will drastically reduce cookie lifespan from 30 years to as little as 2 years. The EU DPAs are expected to comment this fall on whether Google may retain personal data in server logs up to 18 months. Those authorities also have raised questions about technologies Google has used to gather insights concerning which websites people visit.

Google's timeline for anonymization may impose only marginal detriment to it. Presumably, the value of server log data declines rapidly with age, so the difference between stripping identifiers at 18 versus 24 months may not be great. On the other hand, Google's response apparently has emboldened DPAs anxious to exert control over major online actors, especially those operating largely outside the European Union. The June 21 expansion of the probe will deal with search engines in general and will scrutinize their data protection activities, reflecting concerns that stored data may be targeted by hackers and governments.

In the past, DPAs have asserted jurisdiction over U.S. website operators merely on the basis of cookies saved on the computers of EU residents. Google's decision to reduce cookie lifespan in response to a DPA inquiry would seem to support such extraterritorial jurisdictional assertions. Perhaps most troubling, by publicly questioning a high-profile company's data handling practices, the Article 29 Working Party seems now to have discovered a method for extracting concessions from foreign companies, notwithstanding the DPAs' general lack of funding, failure to show proof of harm or extreme legal interpretations resting on shaky authority. Other U.S. online companies should start checking their mail