A European Union privacy panel wants Internet search engine providers like Google and Yahoo to delete data taken from users after six months, even when they operate abroad.
The new report from the EU-funded privacy watchdog recommended that search engines follow European data protection rules regardless of their headquarters' location.
Although the watchdog has no policy powers, its report could lead to stricter privacy rules. The EU's executive, the European Commission, is currently redrafting data-protection rules for the 27-nation bloc.
The panel's report said search engines fall under EU laws if they collect users' numeric Internet Protocol, or IP, addresses or track search history using a unique ID on small data files called cookies installed on users' computers.
Most search engines, including Google Inc., Yahoo Inc., Microsoft Corp.'s MSN and Time Warner Inc.'s AOL, do so to gather insights on usage.
Germany's data protection commissioner Peter Scharr said in January that IP addresses should generally be regarded as personal information.
IP addresses consist of a string of numbers that identifies individual computers on the Internet so that a search engine would know where to return results.
Search engines have generally regarded IP addresses as anonymous information because they aren't necessarily linked to personal data about individuals.
However, they can reveal the individual's location or service provider, from which a company or government agency armed with a subpoena can track down the individual.
Treating IP addresses as personal information would have implications for how search engines record the data they need to understand search patterns and correctly bill online advertisers for the number of times their ad is viewed.
The data can be a boon to advertisers for targeting pitches based on a user's taste for particular clothing, music or cars, but search companies also say the data help them make products better and safer.
"This perspective — the ways in which data is used to improve consumers' experience on the Web — is unfortunately sometimes lacking in discussions about online privacy," Peter Fleischer, Google's global privacy counsel, wrote on a company blog this week.
Whether or not an IP address is personal information, he added, should depend on how the data are being used.
In a subsequent statement, Fleischer said Google looked forward to further discussions.
"Protecting our users' privacy is at the heart of all our products," he said. "It is the reason we were the first company to commit to anonymising our search logs, and also why we dramatically shortened our preference cookie lifetime."
Google was the first to cut the time it stored search information to 18 months. Microsoft now has an 18-month policy, while Yahoo and AOL retain search requests for 13 months.
But EU watchdog said it "does not see a basis for a retention period beyond six months."
The group of privacy officers said information recorded on users, such as what search terms were used and whether users clicked on any of the results, should be erased after that time to better protect the privacy of users and to avoid any possible misuse of the data.
"If personal data are stored, the retention period should be no longer than necessary for the specific purposes of the processing," the report said. "Therefore, after the end of a search session, personal data could be deleted and continued storage ... needs an adequate justification."
The panel also slammed the search companies for failing to properly inform users on why some data are needed to perform searches on their sites.
It said the search engines have "insufficiently explained" to customers what they are retaining the data for.