The Article 29 Working Group, a collection of the EU's top minds on data protection and privacy issues, has issued a major report (PDF) of its findings, and it won't be good news to the search engine community. The EU started with the premise of a "right to a private life" and allowed only limited data collection exceptions to that right. Search engines can only hang on to European user data for six months, must generally treat IP addresses as "personal information," and must comply with the rules even if they are based outside the EU.

The retention period will prove one of the most controversial proposals. Google and other search engines have scaled back their retention periods over the last year, with Google keeping data for 18 months before anonymizing it. But, according to the Article 29 group, that won't cut it.

"Retention periods should be minimised and be proportionate to each purpose put forward by search engine providers," says the report. "In view of the initial explanations given by search engine providers on the possible purposes for collecting personal data, the Working Party does not see a basis for a retention period beyond six months."

To hang onto data for longer, search engine operators will need to show that such data is "strictly necessary" to offer the service. Google and others have long said that they need to retain data in order to refine search results, prevent click fraud, and launch new services like spell check (which, in Google's case, was built from user search data).

In addition, the data that is kept will need to be guarded more closely. The working group concluded that IP addresses could be used to identify individuals; if not by the search engine itself, then by law enforcement or after a subpoena. Citing an earlier decision that said, "unless the Internet Service Provider is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side," the group concluded that the same principle should apply to search engines.

In addition, cookies should be kept "no longer than demonstrably necessary" and search engine users should have "the right to access, inspect and correct if necessary" all personal data and even their own search history. All the rules would apply to any search provider operating in Europe, regardless of where they are physically based.

Google has already responded to the report with a surprisingly mild post on its public policy blog. "The findings are another important step in an ongoing dialogue about protecting user privacy online—a discussion in which Google will continue to be engaged. It's also a debate in which we hope our users will participate," wrote Peter Fleischer, Google's Global Privacy Counsel.

Once again, the US and Europe appear to be diverging on issues of data protection and privacy; it's difficult to imagine the Article 29 findings appearing in an FTC report here.

For instance, consider a post made to the Google public policy only a couple hours after Fleischer's. Deputy general counsel Nicole Wong talked up the FTC's "self-regulatory approach" to handling the issues raised by behavioral advertising on the Internet. "Google's comments underscore our support for the Commission's proposed self-regulatory approach," she wrote, "which we believe is the most appropriate method of ensuring innovation, competition, and consumer protection in this space."

Europeans, it appears, have a bit more faith in the power of regulators to lay down consumer-friendly ground rules.