08:57 AM

GOOG defends data retention with nonexistent laws

At Ars Technica, Nate Anderson takes Google to task for justifying its extensive data-retention policies as adhering to laws that don't even exist.

In a post on the official Google blog, Peter Fleischer, Google's global privacy counsel, explained that one of the reasons Google chooses not to anonymize data for 18-24 months is to comply with "legal obligations," such as the EU Data Retention Directive, which requires member countries to pass laws requiring data retention for six to 24 months (to help investigate terrorism).

Since these laws do not yet exist, and are only now being proposed and debated, it is too early to know the final retention time periods, the jurisdictional impact, and the scope of applicability. It's therefore too early to state whether such laws would apply to particular Google services, and if so, which ones. In the U.S., the Department of Justice and others have similarly called for 24-month data retention laws.

Google keeps your data linked directly to you for two years because nonexistent laws will eventually be passed requiring data retention? In any case, the EU laws wouldn't apply to US users - and the US calls for two-year retention are just trial balloons; no concrete proposals have been introduced as bills. Anderson says:

Even though the laws are not yet in force in Europe and won't apply retroactively, Google still uses the law as an argument to retain data now, and to do so for the longest possible period the law provides for. ... The company does itself no favors by engaging in some rhetorical sleight of hand and claiming that laws which don't yet exist ought to guide its current behavior; just admit that the reasons are business-related and be done with it.