Google will make the data it stores about users anonymous in its server logs after 18 months, as part of an effort to deflate concerns about privacy raised last month by an EU working group.
In a letter sent to the group on Monday, Google also said it is looking at ways to redesign its web cookies - small files used to track visitors’ online behaviour and store preferences – and reduce the length of time they are stored on users' PCs.
The lletter from Google global privacy counsel Peter Fleischer was in response to a letter sent last month by the EU's Article 29 Data Protection Working Party, which outlined its concerns about Google's service.
The EU group questioned why Google needed to retain server logs for 18 to 24 months, saying the practice did not appear to meet Europe's data protection rules. The logs, which include search histories, can be linked to individual users and therefore constitute personal data, the group said.
Fleischer responded by saying that Google would make data anonymous in its server logs after 18 months, the low end of its previous commitment.
"We... firmly reject any suggestions that we could meet our legitimate interests in security, innovation and anti-fraud efforts with any retention periods shorter than 18 months," Fleischer wrote.
The company said it needed the log data to improve its search algorithms, fight click fraud and spam, comply with data retention laws and meet "valid legal orders from law enforcement as they investigate and prosecute serious crimes like child exploitation".
It noted that the EU's own Data Retention Directive would require companies to retain such data for six to 18 months when new laws come into effect by 2009.
Since few countries had yet passed their retention laws, "we have no choice but to be prepared to retain log data for up to 24 months", Fleischer wrote.
The working group had also complained about the length of time Google stores cookies on users' PCs. Google said it was exploring ways to redesign its cookies to improve privacy and that it would make an announcement "in the coming months".
One observer, while acknowledging privacy concerns about Google, was critical of the working group for singling out one company.
"These concerns would have been equally applicable to Yahoo or Microsoft or many other companies on the Internet," said Danny Sullivan, editor in chief of the Search Engine Land website , who wrote a detailed analysis of Google's response.
Microsoft and Yahoo had not specified how long they store their log files, he said, and may retain them for longer than Google.
The EU group had shown "technical ignorance" by focusing on server logs, he said. Like other search engines, Google collects information about users each time they register for a service such as Gmail or Adwords. These "user databases" contain more personal information than server logs can gather, and are often retained until a user closes their account or actively deletes the information, he said.
In its letter last month, the working group cited Google's "market position and ever-growing dominance". It also thanked the company for its "ongoing engagement with the data protection community", especially in contrast with "a lack of engagement by some of the other leading players" in the search industry.
The group is expected to discuss Google's response at a meeting later this month.