The WP confirms that the Data Retention Directive (contrary to what has been claimed by some) does not apply to search engines:
Search engine services in the strict sense do not in general fall under the scope of the new regulatory framework for electronic communications of which the ePrivacy Directive is part. Article 2 sub c of the Framework Directive (2002/21/EC), which contains some of the general definitions for the regulatory framework, explicitly excludes services providing or exercising editorial control over content:Consent cannot be implied in the case of anonymous users:"Electronic communications service" means a service normally provided for remuneration which consists wholly or mainly in the conveyance of signals on electronic communications networks, including telecommunications services and transmission services in networks used for broadcasting, but exclude services providing, or exercising editorial control over, content transmitted using electronic communications networks and services; it does not include information society services, as defined in Article 1 of Directive 98/34/EC, which do not consist wholly or mainly in the conveyance of signals on electronic communications networks;Search engines therefore fall outside of the scope of the definition of electronic communication services.
A search engine provider can however offer an additional service that falls under the scope of an electronic communications service such as a publicly accessible email service which would be subject to ePrivacy Directive 2002/58/EC and Data Retention
Directive 2006/24/EC.
Article 5(2) of the Data Retention Directive specifically states that “No data revealing the content of the communication may be retained pursuant to this Directive”. Search queries themselves would be considered content rather than traffic data and the Directive would therefore not justify their retention. Consequently, any reference to the Data Retention Directive in connection with the storage of server logs generated through the offering of a search engine service is not justified.
Consent cannot be construed for anonymous users of the service and the personal data collected from users who have not chosen to authenticate themselves voluntarily. These data may not be processed or stored for any other purpose than acting upon a specific request with a list of search results.The "necessary for the performance of a contract" exception will seldom be available:
Processing may also be necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. This legal basis may be used by search engines to collect personal data that a user voluntarily provides in order to sign-up for a certain service, such as a user account. This basis may also be used, similar to consent, to process certain well-specified categories of personal data for well-specified legitimate purposes from authenticated users. Many internet companies also argue that a user enters into a de facto contractual relationship when using services offered on their website, such as a search form. However, such a general assumption does not meet the strict limitation of necessity as required in the Directive.Personalised advertising raises particular problems:
Search engine providers that wish to provide personalised advertising in order to increase their revenues, may find a ground for the legitimate processing of some personal data in Article 7 (a) of the Directive (consent) or Article 7 (b) of the Directive (performance of a contract) but it is difficult to find a legitimate ground for this practice for users who have not specifically signed in based on specific information about the purpose of the processing. The Working Party has a clear preference for anonymised data.Search engines may not store information purely on the basis that it may be useful in later criminal proceedings:
Law enforcement authorities may sometimes request user data from search engines in order to detect or prevent crime. Private parties may also try to obtain a court order addressing a search engine provider to hand over user data. When such requests follow valid legal procedures and result in valid legal orders, of course search engine providers will need to comply with them and supply the information that is necessary. However, this compliance should not be mistaken for a legal obligation or justification for storing such data solely for these purposes. Moreover, large amounts of personal data in the hands of search engine providers may encourage law enforcement authorities and others to exercise their rights more often and more intensely which in turn might lead to loss of consumer confidence.A maximum retention period of six months is permissible, and users must be informed in advance:
In practice, the major search engines retain data about their users in personally identifiable form for over a year (precise terms vary). The Working Party welcomes the recent reductions in retention periods of personal data by major search engine providers. However, the fact that leading companies in the field have been able to reduce their retention periods suggests that the previous terms were longer than necessary. In view of the initial explanations given by search engine providers on the possible purposes for collecting personal data, the Working Party does not see a basis for a retention period beyond 6 months...Update: Lilian Edwards has more on the Opinion, including the problems it poses for people search services.
In case search engine providers retain personal data longer than 6 months, they will have to demonstrate comprehensively that it is strictly necessary for the service. In all cases search engine providers must inform users about the applicable retention policies for all kinds of user data they process.