The European Union’s Justice and Home Affairs Commissioner, Franco Frattini, gave a thumbs-up to Google’s offer to cut the time it keeps identifiable search user data down from 24 months to 18 months. Frattini’s comments came Wednesday during a news conference in Luxembourg.
“I think it is indeed a good step,” Frattini said. “I have appreciated the commitment of Google not only to meet our expectations in terms of protection of privacy or better on cutting the time and reducing the time of retention of personal data.”
Google announced the slightly abbreviated data retention plan Tuesday after an independent European Union watchdog group, the Article 29 Data Protection Working Party, voiced concern about the Internet search giant’s plans to anonymize its search server logs after 18 to 24 months. That policy would potentially have violated EU privacy rules, according to the group.
No More Budging
In response to claims that the company could further reduce the retention period, Google said it “firmly rejected any suggestions that we could meet our legitimate interests in security, innovation and antifraud efforts with any retention period shorter than 18 months.” Future legislation could force it to keep data for longer periods, the company warned. However, there is some doubt as to the validity of Google’s argument.
“Legal requirements aside, Google’s position is that they have a commercial interest in retaining the data for at least 18 months,” JupiterResearch analyst Barry Parr told TechNewsWorld. “No one believes that Google’s existence is threatened by stricter data retention policies. So it seems to me that their argument against protecting the privacy of their customers is that it’s too expensive.”
At the Table
Google’s privacy issues came along at a time when Europeans have become frustrated with negotiations between the U.S. and Europe over the exchange of passenger data for transatlantic flights, according to Eric Domage, an IDC analyst.
Dubbed “Passenger Name Records” (PNR), the current agreement between the two regions permits the U.S. Customs and Border Protection agency to distribute passenger information to other agencies within the U.S. law enforcement community to use in antiterrorism investigations so long as those agencies’ data protection standards are analogous to EU mandated standards. The U.S. has had access to this data since 2004.
Data including passenger names, addresses, seat assignment, credit card numbers and travel itineraries can be shared among U.S. agencies within 15 minutes of a flight’s takeoff for the U.S. Authorities can share up to 34 pieces of recorded data. Officials in Washington want to increase the amount of information airlines transfer and also to expand the list of law enforcement agencies to which it can be sent in the U.S.
The EU, reluctant to sanction further forays into its citizens’ personal information, has until the end of June to reach an agreement on the issue, officials representing Germany, current holder of the EU presidency, said. The current interim deal will expire in July.
“The PNR is the idea that the American government can use the passengers list to make intelligence research. This is forbidden in Europe,” IDC analyst Eric Domage explained. “There have been negotiations for the last two months, and it has failed.”
The other issue between the EU and U.S. concerns Swift, a Belgian money transfer firm that handles some 11 million money transfers each year. In an effort to disrupt terrorists’ ability to finance their plots, U.S. agencies subpoenaed the company’s transaction data. Swift complied, another violation of EU privacy rules.
In November 2006, the EU ordered Swift to stop sharing information on its more than 7500 clients.
“The U.S. government wants to have it open for money laundering and intelligence research, and once again the European government doesn’t want that,” Domage said.
Wrong Place, Wrong Time, Wrong People
Google’s announcement of its data retention plan comes at a bad time, according to Domage. Privacy is a key issue in Europe, and while Google believed it was serving the public good when it went public with its plans, Domage said the move was a mistake. While Frattini may laud Google for keeping Europeans’ personal data for only 18 months, the EU’s citizenry take a much less charitable view of the practice.
“Putting in the public place this debate shows that Google retains privacy data on European users. Most of the people were not aware of that, and it is very dangerous for Google,” he pointed out. “If people understand that just by using Google in Europe that their data is retained, stored and used by Google it is a really bad point for Google. They should have stayed very quiet and silent about this.
“But now it’s public that they retain data, and European people don’t like it,” Domage added. “They are fine giving their information to a bank or some government, but they don’t like private companies to have it.”
Google, he said, is now thought of as a company that takes consumers data and uses it for self-consideration. For Europeans that is going too far.
“The reputation of Google is suffering at this time and suffering a lot,” Domage stated.
Europeans, he noted, would be amenable to a plan that would allow them to choose whether they wanted to opt in or opt out of Google’s data retention plan.
“Just an opt-in and some strong advertisement on the fact that Google is not spying on them. [Right now] no one is sure about that.”