I am unable to reconcile an inconsistency between the common appeal search engines make that data retention laws require them to store user search query histories, and what these laws (where enacted) actually require.
For example, this post at Google’s Public Policy Blog discusses the EU’s data retention directive, which, as summarized by the blog post, “imposes retention obligations between six months and two years in relation to accessible data generated or processed as a consequence of a communication or a communication service.” The post goes on to explain what Google is doing “against this background,” linking to its recent announcement of a new policy to anonymize search server logs after 18 months.
Both of these posts frame Google’s “legitimate interest in retaining search server logs” as necessary in order to (in part) “comply with data retention legal obligations,” as does this post attempting to explain why Google keeps query logs in the first place.
I fail to understand, however, how Google is correct in invoking data retention laws as a justification for storing search query data. Three points lead me to conclude this argument is flawed:
First, Google’s web search services do not constitute “electronic communications services” or “public communications networks” as construed by the EU Directive. This interpretation is supported by the following:
(a) The “categories of data to be retained” listed in Article 5 of the EU data directive relate exclusively to e-mail, VOIP, and mobile telephony — nothing on this list relates directly or indirectly to web search query log data;
(b) statements by members of the EU’s Data Protection Unit, such as Philippos Mitletton, an attorney with the Hellenic Data Protection Authority, who was quoted by the European Digital Rights organization as remarking that “the Data Retention Directive applies only to providers of publicly available electronic communications services or of public communication networks and not to search engine systems. Accordingly, Google is not subject to this Directive as far as it concerns the search engine part of its applications and has no obligations thereof”; and
(c) statements by European data retention experts, such as Christoph Gusy of the University of Bielefeld in Germany, who remarked in this New York Times article that European law is “silent” on whether European data retention laws apply to content providers or search engines.
Therefore, the EU data directive places no explicit or specific obligation on web search engines to retain search query data.
Second, if the Directive was expanded to include web search engines as “communication services”, or some new interpretation of the regulated entities did so, it still would not require them to retain the search queries themselves, as Article 1 of the Directive states: “It shall not apply to the content of electronic communications, including information consulted using an electronic communications network” (emphasis added). Therefore, if a search engine provider felt an obligation to retain a record of a “communication,” its content — the search terms — could not be included in the retained data. Their logs could contain information such as user 12345 performed a search query on August 22, 2007 at 4:08:28 from machine IP 123.456.78, but not the fact that the “information consulted” was a keyword search for “overcoming alcoholism” and the like.
Third, moving to the US arena, while various government proposal have emerged, no general data retention laws exist that compel any communication or content provider to retain records (as Google itself recognizes here). Therefore, search engine providers cannot invoke data retention requirements to justify logging search query activity within US jurisdictions.
Given these points, I remain confused why search engine providers frequently cite data retention laws as motivating forces behind their data retention policy.
MichaelZimmer.org 
Michael,
I totally agree with this post. Notwithstanding, neither EU´S Data Protection Directive nor EU´S Data Retention Directive prohibit any search engine to retain search terms data if they inform users and.
On the other hand, EU State Members are free to put their data protection laws beyond EU´s Data Protection Directive as you cold see here and here . I do not have references that any EU Member State is establishing communications data retention duties on its EU´s Data Retention Directive transposition law.
In Spain, article 12 LSSI obliged electronic communications services and electronic communication network providers, as well as other entities such hosting providers and search engines to retain communications data. This article never really entered in force due to remission to a regularion that should define the certain data to be retained and the method to do so. This regulation never arrived. Nowadays this article is going to be superseded by EU´s Data Retention Directive spanish transposition law that does not oblige neither hosting providers nor search engines to retain the data.
I understand that search terms retention it could be a threat for search engines users, but in any case this Google´s movement has improved previous situation. Beforehand we did not have this transparency and data retention periods went far beyond than now.
Thanks for the comment, Deincognito. Do you know if English translations of those two Spanish directives exist?
Hi Michael,
Your article is fully correct. Before Ixquick.com decided to delete its users privacy sensitive data within 48 hrs and start safeguarding privacy we performed an extensive study of all the legal data retention requirements for search engines in various countries. Our findings were completely in line yours. Any suggestion to the contrary by the large search engines who (should) know better only serves to blow up smoke. The commercial interests of holding on to their users data – which enables them to better serve behavioral targeted ads – simply are too high.
The answer is no.
http://www.theregister.co.uk/2007/06/14/google_data_retention/