In a letter to Google CEO Larry Page, CNIL head Isabelle Falque-Pierrotin said she’s reviewed Google’s response to its questions and found them to be sorely lacking — in clarity and specifics.

Answers, too.

“For a large number of questions, the elements provided do not give a precise, clear and comprehensive response to our questions,” Falque-Pierrotin wrote. “While in some cases the questions themselves may have been misunderstood or not clearly expressed, many answers merely provide illustrative examples without describing the exact [processes], procedures or systems Google actually operates.”

In other words, Google’s answers to CNIL’s questions were often incomplete or approximate. And while Falque-Pierrotin generously offers that this might be the result of poor communication, it’s hard to accept that as a legitimate explanation. At this point, the CNIL has clarified its questions to Google twice — once in writing, and a second time during the in-person meeting with Google executives that evidently preceded her letter. During that same meeting, Google was given a third version of the questionnaire, and a June 8 deadline to answer it.

Are we really to believe that Google — a company that prides itself on hiring PhDs, that once sought out cream-of-the-crop engineers with a “mind-bending” Google Labs Aptitude Test, whose mission “is to organize the world’s information and make it universally accessible and useful” — can’t properly answer a few questions about its privacy practices and handling of consumer data?

Because that’s about as likely as Larry Page faking his Master’s degree in computer science.

A more reasonable explanation: Google not only doesn’t want to answer these questions, it doesn’t even believe it is obligated to do so. Indeed, it essentially said as much back in April, when it specifically questioned the authority of the CNIL and the Article 29 Data Protection Working Party to even investigate it. From Google’s April 5, 2012, response to the CNIL:

1) What is the legal basis for the Working Party to act as a regulatory body, or to mandate the CNIL to conduct a regulatory review on behalf of 26 other independent DPAs?
2) What law is being applied to this review?
3) Could the Working Party explain the process being followed and the ultimate aim of the review?

Questions respectfully asked, certainly. But they clearly reflect an uncooperativeness and, more to the point, an overweening arrogance that’s so prevalent these days that it might as well be one of Google’s hallowed “10 Things We Know To Be True.” As Christian Sandvig, a researcher in communications technology and public policy at the University of Illinois, recently told the New York Times in an article on that very subject, “Google doesn’t seem to think it ever will be held accountable. And to date it hasn’t been.”

Google did not respond to a request for comment.

Consider this graphic from the New York Times, which shows the proliferation of options available in those tools (click chart to link to larger version on original site).

Addles the brain, doesn’t it?

As the Times notes, to opt out of full disclosure of most of their personal information, Facebook users must click through more than 50 privacy buttons, which then require making decisions about more than 170 options.

Facebook describes its privacy tools as “comprehensive and precise,” but that’s poor justification for something so ridiculously convoluted from a company that positions itself as a caretaker of identity.

Little wonder that Facebook is facing a barrage of criticism. As European Union’s Article 29 Working Party said in a scathing letter today, Facebook’s privacy practices are “unacceptable.”

Google has long claimed that the server log data it collects are a critical driver of innovation. Over the years, to appease privacy advocates, the company has tweaked its treatment of those data and the length of time it stores them. Google continues to collect IP addresses, though it makes them anonymous after nine months (it used to do so only after 18-24 months).

This may soon change. And not because of any initiative on Google’s (GOOG) part but because of one by Microsoft (MSFT).

Responding to Article 29 Working Party guidelines for protecting users’ personal data online, Microsoft this morning said its new search engine, Bing, will purge all the data it collects on users after six months. Not make the data anonymous, but purge.

“Today we sent a letter to the Article 29 Working Party notifying them of our intention to make a change to Bing’s data retention policy,” Bing Privacy Manager Reese Solberg wrote in a post to the Bing blog. “Specifically, we are reducing the amount of time we store IP addresses from searchers to 6 months. Currently we keep that information for 18 months before we delete it.”

Elaborating, the letter continues, “Generally, when Bing receives search data we do a few things: first, we take steps to separate your account information (such as email or phone number) from other information (what the query was, for example). Then, after 18 months we take the additional step of deleting the IP address and any other cross session IDs associated with the query.”

In conclusion, the letter describes Microsoft’s initiative succinctly: “Under the new policy, we will continue to take all the steps we applied previously–but now we will remove the IP address completely at 6 months, instead of 18 months.”

Microsoft’s move leaves Google in the uncomfortable position of being far less a friend to privacy than Microsoft. And hard as the company might argue in favor of storing user data, it will likely have to match Microsoft.

It’s difficult to claim that server log data are “a crucial arm in the battle to protect the security of our services against hacks and fraud” when a prominent rival is essentially claiming exactly the opposite.

So it’s reassuring to hear that Google has agreed to cut the time for which it retains users’ personal search data to 18 months from 18 to 24 months. The move is a concession to the Article 29 Working Party, the European Commission’s advisory group on privacy protection, which last month expressed concern over Google’s plan to retain user data for up to two years (PDF). “After considering the Working Party’s concerns, we are announcing a new policy: to anonymize our search server logs after 18 months, rather than the previously established period of 18 to 24 months,” Peter Fleischer, Google’s global privacy counsel explained. “We believe that we can still address our legitimate interests in security, innovation and antifraud efforts with this shorter period. However, we must point out that future data-retention laws may obligate us to raise the retention period to 24 months. We also firmly reject any suggestions that we could meet our legitimate interests in security, innovation and antifraud efforts with any retention period shorter than 18 months.”

Google’s policy change, while certainly a step in the right direction, likely won’t be enough to sate privacy advocates who’ve in the past called for it to scrub user logs in 18 to 24 hours, not months. Still, it’s better than that of Yahoo and Microsoft, which have so far declined to disclose their data-retention policies at all. This begs the question: Why haven’t we heard anything about the Working Party’s letters to those two companies? Insufficient postage for airmail?