Information not provided in response to an access request

Expand all

Under applicable law, you may be entitled to request that we provide you with access to certain data that we process relating to you. For more information, please refer to our Privacy Help Center, section “Your account controls”. To protect the privacy and security of our users and services, there are some circumstances under which we do not include certain data in our responses to access requests:

Information which is not your data or which is the data of someone else

You may be entitled to request that we provide you with access to certain data relating to you - this does not extend to information relating to someone else, or information which is not data relating to you.

For example, we will not be able to provide you with access to data we may process relating to your friend, relative or work colleague. Additionally if data has been anonymised we will not be able to associate it with you so it would not be provided in response to a request for information relating to you.

Data we cannot associate with the individual making the request

Data is not included to the extent we are unable to verify that the person making the request is the person to whom it relates. Disclosing data to a person making a request without being able to adequately verify that person’s entitlement to the data could undermine the confidentiality and security of users’ data, and may adversely affect other individuals to whom the data relates. For more information see the identity verification section of this Help Centre.

Data that could adversely affect the rights and freedoms of others
Data that could be used to undermine the security of our systems
Certain data that could undermine the security of Google systems by revealing the logic, operation or efficacy of Google’s security systems is not provided in response to user requests for their data. However, there are dynamic user-facing tools and processes through which users can access much of their data, which would include a subset of data that is also processed for security purposes but does not similarly reveal the logic, operation or efficacy of Google’s security systems. You can learn more about those tools and processes here.
How providing requested data could undermine security of our systems

Providing a copy of data that we process for purposes of defending our systems to protect you, our users, the public, and Google could undermine the security of our systems. This means, for example: to detect threats to the security of our systems; privacy, anti-abuse and anti-fraud protection; to support traffic management (e.g., defending against DDoS); and to defend against other abusive and system-damaging activities. 

We do not disclose data where such a disclosure may impact the ability of you and other users to safely use the services. Cyberattackers and other potential adversaries can exploit details about data to infer exactly how we defend our systems, leaving those systems - and our users - more vulnerable to sophisticated attack. For example, knowledge of how many copies of account sign-in logs and related activity metrics are held, and in what formats, implicitly indicates security sensitive configuration details, commercially sensitive indications of our approach to backup and archiving, and, most importantly, embodies architectural information about our approach to defense-in-depth.

If certain detailed information, about our system defenses, and the data we process through them, such as how low-level data structures are laid out in memory, were to become known, it could give potential bad actors valuable signals that could be used to exploit our systems. It’s for that reason - to protect our users and their data - that we hold some of these details in confidence and do not release them. As these technologies evolve and specific details become less critical to our systems’ security, we reappraise what we are able to safely provide.

Additionally, while data that is used for security purposes may not be provided in response to an access request for that security related data, other copies of it may still be returned where it is used for other purposes. For example, if a data point associated with an individual is processed in the context of securing Google systems, information in those security logs may not be provided to ensure our systems remain safe. However, it may still be available through Google Takeout in the context of other services. Similarly, device identifiers processed in the context of our security systems may not be produced in the context of those security systems but are still disclosed in Google’s Takeout tool. 

What this means in practice

To illustrate this we provide an example of information associated with a user’s use of our services that could appear in a log entry below. Like most websites, our servers automatically record the page requests made when you visit our sites. These “server logs” typically include your web request, IP address, browser type, browser language, and the date and time of your request. For example:

123.45.67.89 - 25/Mar/2023 10:15:32 -

http://www.google.com/search?q=cars -

Chrome 112; OS X 10.15.7 -

  • 123.45.67.89 is the IP address assigned to the user by the user’s ISP. Depending on the user’s service, a different address may be assigned to the user by their service provider each time they connect to the Internet.
  • 25/Mar/2023 10:15:32 is the date and time of the query.
  • http://www.google.com/search?q=cars is the requested URL, including the search query.
  • Chrome 112; OS X 10.15.7 is the browser and operating system being used.

If this information was processed in the context of our internal security systems, records of that security processing may not be provided in response to an access request. However, this information could still be provided in Takeout where it is logged in other services. For example, downloading the data available in the:

  • “Google Account” service that is included in Takeout will include information such as time of activity, IP address associated with the activity, and browser details when an activity was performed.  
  • “MyActivity” service that is included in Takeout will include information such as details of your activity by reference to the selected product and time of activity.
Data that could infringe the rights and freedoms of others 

Disclosure of data could also impact other people and organizations’ rights and freedoms beyond undermining the security of our systems and processes. For example:

  • Where the provision of data in response to an access request includes the data of others, and providing it impacts the rights of those other individuals, such data may not be provided depending on the circumstances.  
  • Where disclosing the data could also reveal a trade secret, or create a risk to the protection of intellectual property (such as copyright protection of software). For example, providing data could sometimes reveal information about the structure of internal databases that are protected under intellectual property law. In many cases, much of the same data (e.g. your IP address and account identifier) may still be available to you in our response, but in a different context that does not reveal a trade secret or adversely affect intellectual property rights.
If a user has been sharing content that has been identified as unlawful the user may not be able to receive such content in response to an access request. Users can appeal such decisions and the process to appeal those decisions will be displayed to those users whose data is withheld. 

Depending on where you are based, there may be further circumstances under which we do not include certain data in our responses to access requests, according to local law. For example, many local laws provide that data which is the subject of legal privilege may be withheld. Where additional statutory exemptions are applied to a request for data, we will provide you with an outline of such exemptions with our response, consistent with local law.

false
Google apps
Main menu
2490254449887766075
true
Search Help Center
true
true
true
false
false