Google’s mission is to “organize the world’s information and make it universally accessible and useful.” So far at least, Google fuels that mission with targeted advertising, which brought in $3.66 billion last quarter. In order to make Google services more effective, and to continue the flow of ad revenue, the company gathers user-specific information. But how long should that information be retained by Google? It seems 18-24 months is the answer, at least for now. Personally-identifiable data will be anonymized after that period of time. Peter Fleischer, the company’s Global Privacy Counsel explains why Google selected this retention period. He cites three primary factors:
- Improving Services
- Maintaining Security and Preventing Fraud and Abuse
- Complying with Legal Obligations to Retain Data
The third factor is of particular interest, because it implicates both national and transnational governments:
For example, Google may be subject to the EU Data Retention Directive, which was passed last year, in the wake of the Madrid and London terrorist bombings, to help law enforcement in the investigation and prosecution of Ã¢â?¬Å?serious crimeÃ¢â?¬Â?. The Directive requires all EU Member States to pass data retention laws by 2009 with retention for periods between 6 and 24 months. Since these laws do not yet exist, and are only now being proposed and debated, it is too early to know the final retention time periods, the jurisdictional impact, and the scope of applicability. It’s therefore too early to state whether such laws would apply to particular Google services, and if so, which ones. In the U.S., the Department of Justice and others have similarly called for 24-month data retention laws.
As Nate Anderson points out in an Ars Technica article, the fact that these laws do not yet exist means that in essence Google is responding to nonexisting laws. His conclusion is that Google’s move could be explained in a more straightforward fashion:
… the company does itself no favors by engaging in some rhetorical sleight of hand and claiming that laws which don’t yet exist ought to guide its current behavior; just admit that the reasons are business-related and be done with it.
Perhaps Google is merely reading the writing on the wall, and is preparing for a time when data retention directives may become law. But even if that is the case, Google is the 800-lb. gorilla of the online world. Anderson reminds us that the company has already fought the U.S. government on behalf of user privacy, and won. However, the prospect of fighting governments around the globe over data retention can’t be very appealing. Most Google users don’t seem to mind giving away personal data, if the success of services like Gmail is any indicator. It could be that the company figures being just a bit more privacy-conscious than the competition is the way to go. Google can comply with potential government regulations, satisfy PR demands and keep shareholders happy all at once. For the view that many Internet users are giving away more than they think when they provide data to Google, et al, check out our podcast interview with the ACLU’s Nicole Ozer. For the view that government-mandated data retention policies are government surveillance by other means, see “Data Retention”: Costly Outsourced Surveillance by the Cato Institute’s James Plummer.