Although the U.S. data-retention policy has yet to be determined, the European Union last March approved a directive requiring member states to adopt data-retention rules for ISPs, telephony (landline, mobile and VoIP) and e-mail. EU countries have another year to pass enabling legislation, with the option to postpone enforcement of the Internet requirements (ISP, VoIP and e-mail) for two years after that.
Against this backdrop, Google's announcement is not surprising. Granted, it's trimming back on its log retention, which it presumably kept indefinitely. Many other entities will have to do the opposite--increase data retention. But with this move, Google places itself in a position to help shape U.S. data-retention policy developments, as well as to begin the technical work that will make its announcement a reality on the back-end servers.
The writing is on the wall. Domestic requirements for data retention will be here in the next year or two. If you won't be affected by impending EU rules, you may be covered by the U.S. law, depending on its scope. Make sure you're represented at the bargaining table when the policy negotiations over these rules start to heat up.
Patrick R. Mueller, CISSP, is completing his law degree at the University of Wisconsin-Madison and will be joining the privacy compliance practice at Wildman Harrold Allen &Amp; Dixon, LLP, in Chicago. Write to him at [email protected].