The Article 29 Working Party involves the data protection officials of all the EU's member states and monitors compliance with Europe's Data Protection Directive. It has published a long-awaited report into search engines and privacy which is the result of months of consideration.
That report says that search engine companies must delete personal data as soon as they have used it for the purpose for which it was gathered, and that it should not be routinely kept for longer than six months.
"If personal data are stored, the retention period should be no longer than necessary for the specific purposes of the processing," said the report. "In view of the initial explanations given by search engine providers on the possible purposes for collecting personal data, the Working Party does not see a basis for a retention period beyond 6 months."
Even that retention, though, needs explanation and justification, said the Working Party. "After the end of a search session, personal data could be deleted, and continued storage therefore needs an adequate justification… the retention of personal data and the corresponding retention period must always be justified (with concrete and relevant arguments) and reduced to a minimum, to improve transparency to ensure fair processing, and to guarantee proportionality with the purpose that justifies such retention."
Until last year search engine companies generally kept search engine logs indefinitely. But the issue of retention became prominent when Google announced that it would reduce the period for which it keeps records to 24 and then 18 months.
That announcement triggered investigations by the Working Party into the retention. "Some search engine companies seem to retain data indefinitely, which is prohibited," it said in its report. "The Working Party welcomes the recent reductions in retention periods of personal data by major search engine providers. However, the fact that leading companies in the field have been able to reduce their retention periods suggests that the previous terms were longer than necessary."
Google has opposed the restrictions, claiming that it is required to keep search logs by the Data Retention Directive, a law which orders telecoms companies to keep records of communications for six to 24 months in case law enforcement agencies need them in crime fighting.
Google's global privacy counsel Peter Fleischer said in a statement that the Working Party's requirements do not take into account commercial, as well as regulatory, concerns.
"We believe that data retention requirements have to take into account the need to provide quality products and services for users, like accurate search results, as well as system security and integrity concerns," said Fleischer. "This perspective – the ways in which data is used to improve consumers' experience on the web – is unfortunately sometimes lacking in discussions about online privacy."
The report emphasised that EU law applies to companies from outside Europe. The Data Protection Directive applies to all processors of personal data with offices or even just equipment in the EU, even if a company headquarters is outside Europe, it said.
Search engine companies have argued that they must keep search engine logs because the Data Retention Directive demands that they do. The Working Party says that the Retention Directive only applies to telecoms firms, not to online content providers.
The Working Party's report, though, took further issue with companies' use of law enforcement obligations as justification for keeping information.
"Law enforcement authorities may sometimes request user data from search engines in order to detect or prevent crime," it said. "When such requests follow valid legal procedures and result in valid legal orders, of course search engine providers will need to comply with them and supply the information that is necessary. However, this compliance should not be mistaken for a legal obligation or justification for storing such data solely for these purposes."
The report also dealt with the controversial issue of whether or not internet protocol (IP) addresses count as personal data, and therefore are controlled by the Data Protection Directive.
The report reiterated the Working Party's previously expressed view that "unless the Internet Service Provider is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side. These considerations will apply equally to search engine operators".
Google disputes the Working Party's interpretation. "The Working Party's findings stated that IP addresses should be treated as personal information, with the full weight of data protection laws," said Fleischer. "Based on our own analysis, we believe that whether or not an IP address is personal data depends on how the data is being used."