
Google, Yahoo and Microsoft breaking European privacy laws

  

According to WP29 (the European Commission’s Article 29 Data Protection Working Party advisory body…I love these short names!), the search engines from Google, Yahoo and Microsoft don’t comply with the EU’s Data Protection Directive.

That directive requires businesses and governments to protect private citizens from having personal information collected, used or disclosed. The issue with regard to Google, Yahoo and Bing is the search engines’ data retention policies. The original complaint was made in April of 2008, when it was concluded that search engine data retention does come under the Data Protection Directive and wasn’t up to par for EU policy. The EU wants data, including user IP addresses and searches, kept no longer than 6 months after their use.

From the EFF:

At the time, Google announced that it would anonymize IP addresses in its server logs after nine months, instead of the previous 18-24 months. Since then, Google has indicated that in practice it deletes the last octet of collected IP addresses. Google retains other information, like cookies, for a period of 18 months. Yahoo announced that it would anonymize user log data, page views, clicks, ad views, and ad clicks within 90 days of collection, with limited exceptions for fraud, security, and legal obligations. Yahoo also announced that it would delete full IP addresses, rather than deleting merely the last octet. And this year, Microsoft announced that it will delete IP addresses associated with search queries six months after their collection, a reduction from the previous practice of retaining that data for 18 months. Microsoft’s announced data retention policy goes further by endorsing "de-identification" (separation of search queries and account information, as well as anonymization of cookie information) as soon as a Bing search query is received. After 18 months, Microsoft then deletes cookie information, and any other cross-session IDs associated with the search query.

In response to those initial changes, WP29 told Yahoo that partial deletion of personal data in search logs doesn’t make for true anonymization of the user. Google were told that deleting only the last octet of an IP address is insufficient to guarantee user anonymity. Finally, MS and Google were asked to review their retention policies and bring them in line with the maximum of 6 months the EU desires.
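One way to see why last-octet deletion falls short of anonymization, as an added example that is not part of the original post: zeroing the last octet leaves each address in a pool of only 256 candidates, and a cookie ID retained alongside it still ties a user's queries together. The log records, cookie IDs and function names below are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample search-log records (ip, cookie_id, query); not real data.
LOGS = [
    ("198.51.100.23", "c-7f3a", "knee surgery recovery"),
    ("198.51.100.23", "c-7f3a", "clinics near elm street"),
    ("198.51.100.77", "c-91bd", "cheap flights"),
    ("203.0.113.5", "c-7f3a", "pharmacy opening hours"),
    ("203.0.113.200", "c-22e0", "weather"),
]

def truncate_last_octet(ip):
    """Zero the last octet of an IPv4 address, i.e. keep only its /24 network."""
    return str(ipaddress.ip_network(ip + "/24", strict=False).network_address)

def candidate_addresses(truncated_ip):
    """Number of original addresses that map to one truncated value."""
    return ipaddress.ip_network(truncated_ip + "/24").num_addresses

def anonymize(records, drop_ip=False, drop_cookie=False):
    """Apply a retention policy: truncate or drop the IP, keep or drop the cookie."""
    return [(None if drop_ip else truncate_last_octet(ip),
             None if drop_cookie else cookie, query)
            for ip, cookie, query in records]

def linkable_groups(records):
    """Return identifier -> queries for every identifier still tying 2+ queries together."""
    groups = defaultdict(list)
    for ip, cookie, query in records:
        key = cookie if cookie is not None else ip
        if key is not None:
            groups[key].append(query)
    return {k: v for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    print(candidate_addresses(truncate_last_octet("198.51.100.23")))
    print(linkable_groups(anonymize(LOGS)))                      # cookie kept
    print(linkable_groups(anonymize(LOGS, drop_cookie=True)))    # truncated IP only
    print(linkable_groups(anonymize(LOGS, drop_ip=True, drop_cookie=True)))
```

With the cookie kept, the three queries from `c-7f3a` remain one profile even though they came from two networks; only dropping both identifiers leaves no linkable group.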

The short version: The EU wants Google, Yahoo and Bing to start getting rid of any and all personal data kept from user searches after a maximum of 6 months. They also want less information kept from the beginning, and that information kept truly secure and anonymous.
