Google Inc on Monday defended a policy of retaining data on web users for up to 18 months as necessary to improve search results, responding to an EU report that saw no need for search services to keep personal data beyond six months.
A group of data protection commissioners from across the European Union found that computer web addresses and cookie monitoring are personal information that search services should do more to protect.
The long-anticipated set of recommendations for how European data protection laws should be applied to web search services was published on Friday.
The report by the so-called Article 29 Working Party calls for increased user notification and warns web search services that fail to do so may be unlawful.
Cookies are small bits of text that mark the comings and goings of computer users to websites. They are widely used by commercial sites to make web surfing more convenient and by advertisers to measure audiences. But they also raise privacy concerns due to their potential to track user behaviour.
"It is the opinion of the Working Party that search engines in their role as collectors of user data have so far insufficiently explained the nature and purpose of their operations to the users of their services," the report states.
"The Working Party does not see a basis for a retention period beyond 6 months," the study concludes.
In a statement issued on Monday, Peter Fleischer, Google's global privacy counsel, said his company disagreed with key findings in the report and argued that privacy policies must be balanced against efforts to make web services easier to use.
"We believe that data retention requirements have to take into account the need to provide quality products and services for users, like accurate search results, as well as system security and integrity concerns," Fleischer wrote.
The EU report specifically challenges the defence by saying that arguments about improving services may conceal other uses that go beyond the original reasons the data was collected.
The Google official also took issue with the Article 29 Working Party's finding that Internet Protocol (IP) addresses - the unique addressees that identify a specific computer or device connected to the internet - should be treated as personal information, with the full weight of data protection laws.
"Based on our own analysis, we believe that whether or not an IP address is personal data depends on how the data is being used," Fleischer said. Google has previously argued the issue is not black and white, in part because Internet Service Providers often allot the same IP address to many users.
Google web services generate mountains of more or less anonymous user data that it stores securely in massive computer data centres it operates. The company's engineers regularly study this data to figure out how to improve its services.
While traditionally internet companies have stored data on web surfers for years, Google took the initiative a year ago to limit how long it stored such data to 18 months.
Rival search services followed suit to set their own limits, with Ask.com going a step further by offering a set of tools for users to scrub their data stored from Ask computers. (Reuters)
Google defends user data policy