The European Commission‘s Article 29 Data Protection working group has been examining how Internet search engine operators like Google, Yahoo, and WIndows Live search comply with European privacy regulations. The group’s new report recommends that search engines discard personal search data after six, which may set the EC at odds (again) with the everyday practices of giant Internet companies, which routinely retain search data much longer.
In part, query data saved by Internet search engines consists of search terms and phrases that users enter into the search engine. In and of themselves, these terms are often innocuous, but over time can reveal a good deal about where a person lives, what they’re interested in, where they work, what they do, and who they know. Advertisers start salivating at the prospect of tapping that information, and, indeed, that’s the basis of search engine marketing: advertisers buy ads to be displayed alongside search results of users they feel align best with their products or offers.
But search engine data goes deeper than that: it also includes information about how a user is accessing the Internet, what browsers and operating systems they use, what languages they speak, and potentially even includes information that enables advertisers or the search engines themselves to associate search users with existing accounts on other services—like Web-based email, photo sharing, and even social networking sites. And, of course, search engines do their best to determine what search results, if any, users actually click. Altogether, these dossiers can reveal significant amounts of information about an individual, and raises considerable privacy implications for users of these services.
The working group recommends that search query data either be destroyed or fully anonymized after no more than six months, unless the search service can "demonstrate comprehensively" that retaining the data is absolutely necessary to the service.
Currently, mainstream search engines retain search data for much longer periods of time. Ask.com—now making itself over as a destination site for women—was the first to implement an 18 month limit on data retention and even offer users a way to erase their own search histories. Google also announced it would cut search data retention times from two years to 18 months, and later announced it would change its famously immortal cookies to expire after two years. Microsoft also announced an 18 month search data retention policy, and Yahoo went one step further, announcing a 13-month search data retention policy.
The European Commission Article 29 Data Protection group has been examining data retention policies of major Internet companies since early 2007; the group’s report will be used by the European Commission as it considers implementing pan-EU data retention and consumer privacy regulations.
