European authorities told the three major search engines on Wednesday that their data retention practices violate a rule requiring the deletion of users' personal information after six months.
The Article 29 Working Party alleged in letters to Google, Yahoo and Microsoft that they don't adequately anonymize information about search users. "Therefore," the letters state, "WP29 cannot conclude your company complies with the European data protection directive."
The European authorities previously told the companies they shouldn't keep logs tying search queries to users' IP addresses for longer than six months. All of the search engines changed their policies in response, but the authorities said Wednesday that the new practices don't go far enough.
"An individual's search history contains a footprint of that person's interests, relations, and intentions and should rightly be treated as highly confidential personal data," the letters state. "Pursuant to the data protection directive the retention period should be no longer than necessary for the specific purposes of the processing, after which the data should be deleted."
Currently, Google obscures search users' IP addresses after nine months by deleting the last octet. But the privacy authorities say that's not sufficient, for a few reasons. First, Google keeps the data for longer than the six-month limit. Second, they allege, "partial deletion does not prevent identifiability of data subjects." In addition, Google retains cookies for 18 months -- a time frame that "appears to allow for easy retrieval of IP-addresses, every time a user makes a new query within those 18 months," the authorities state.
Yahoo sheds IP addresses after three months, but the EU says it needs more information "about the techniques of hashing, especially with regard to user identifiers and cookies" in order to evaluate the company's policy. Yahoo said in a statement that it will respond to the letter "in due course." Continuing: "Yahoo is extremely proud of our data anonymtization policy which has received wide support and affirms our commitment to help protect our users' privacy," the company said.
Microsoft recently said it would delete IP addresses after six months, but the European authorities said the company also should delete users' cookies after that same time period.
The European authorities also said they have asked the Federal Trade Commission to evaluate whether the search engines' data retention constitutes an unfair or deceptive practice.
A Google spokesperson said the company develops policy "based on what provides the best experience for users both in terms of respect for their privacy and the quality and security of our services." The company adds: "Our current retention policy represents the most responsible balance between these two important concerns."
Microsoft Senior EU Policy Director Thomas Myrup Kristensen said in a statement that the company looks forward to a "continued dialogue" with the Working Party "on all aspects of compliance." Kristensen added that the company will encourage the authorities to ensure "that the whole search market, including the 95% that in some markets is held by a single company, adheres to a single standard."