Letter to Google re CNIL response — May 2012

Our reference: P12/12

Mr Larry Page
CEO
Google Inc.
1600 Amphitheatre Parkway
Mountain View
CALIFORNIA 94043 USA

Dear Mr Page

Changes to Google’s Privacy Policy

Thank you for your letter dated 29 February 2012 responding to the concerns of the Technology Working Group (TWG) of the Asia Pacific Privacy Authorities (APPA) regarding Google’s amended privacy policy.

We note that Google responded in full to the Commission nationale de l’informatique et des libertés (CNIL) questionnaire relating to Google’s amended privacy policy on 20 April 2012 (Response).

The Office of the Australian Information Commissioner (OAIC) has considered the Response. On behalf of the TWG, the OAIC would like to ask Google to clarify a number of the answers provided by Google to CNIL.

Data retention periods

We note that question 19 of the CNIL questionnaire seeks information on Google’s data retention policies. Specifically, question 19 asks:

‘A) Please explain why Google “may not remove information from […] backup systems”, when the user asks for its deletion.

B) Please clarify if this means that data will actually be deleted from all backups after an additional period of time or not.

C) Please provide an upper bound on the additional retention period needed to delete data from all backups.’

Google’s response to question 19 relevantly provides that ‘[r]emoving data from our backup tapes is routinely achieved through disposal of the encryption keys, rendering the data inaccessible’.

However, where a user requests the deletion of their data, it is not clear from the Response:

  • how long it would take for Google to dispose of the relevant encryption key after a request is made, or
  • whether the ‘inaccessible’ data is subsequently deleted and, if so, how long after a request for deletion the deletion occurs.

We would appreciate it if Google could provide clarification on these issues.

I note that, in her letter to Google dated 11 May 2012, the Privacy Commissioner of Canada, Jennifer Stoddard, expressed similar concerns regarding data retention periods and the time required to respond to requests for deletion of user data.

We agree with Commissioner Stoddard that it would be helpful to users (and best privacy practice) if Google included information on data retention periods and the relevant timelines for the deletion of user data (even in the form of an estimated time frame) in its public policies.

Aggregation of data across separate Google accounts

We also note that Question 40(A) of CNIL’s questionnaire asks:

‘Please indicate if Google may combine data from different Google accounts related to distinct users who share the same computer (and the same browser), for example in a family environment.’

Google’s response to question 40(A) relevantly provides:

‘…Google does not copy data from one account into another without user consent. If multiple accounts are signed in using the same browser session, due to the technical nature of cookies, associations may be stored in the browser, sent to Google servers, and retained temporarily. We may also correlate data across accounts for security and abuse prevention purposes.’

We would appreciate further clarification on the nature and ramifications of the ‘associations’ and ‘correlations’ specified in the Response. Specifically, we would like to understand what information is conveyed by an ‘association’, and how long that information may be retained. Similarly, we would appreciate more detailed advice about what information is ‘correlated’, and for what specific purpose.

I look forward to your response on the above matters.

Yours sincerely

[signed]

Timothy Pilgrim
Australian Information Commissioner

18 May 2012