The re-posting of this analysis is part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media in a Comparative Perspective.
The Italian Data Protection Authority on Google’s privacy policies
After an investigation started one year ago, following the modification of Google’s privacy policies, the Italian DPA has issued yesterday a new provision, concerning services provided to Italian customers.
In fact, Google has unified in a single document the several rules governing personal data processing related to its features, such as e-mail (Gmail), social network (GooglePlus), management of online payments (Google Wallet), video platform (YouTube), online maps (Street View), statistical analysis (Google Analytics), therefore allowing the intersection and interoperability of these services and of users’ personal data involved.
It is the first time that a European DPA does not only holds the violation of the law but also requires specific measures that Google is expected to take in order to be compliant.
The first general level should provide the most relevant information for the user: the mention of the data processing as well as of the data used (es. geolocation, IP addresses, etc.).; the address to which users may send their request in Italian exercising the rights listed in article 7 of the Privacy Code; the purposes of profiling activities, especially where aimed at displaying behavioral advertising and customized analysis of the behavior of the websites visitors.
The first level should also include the hyperlinks to the privacy policies for the single services.
The second level should include the privacy policies of the single services. In this level, previous versions of the privacy policies, even if no longer in force, should be stored; users should be warned about specific risks that may arise by the use of the services (for example, in case of choice of password which is not enough secure).
In order to use personal data of its users for profiling and behavioral advertising activities, Google must reach their prior consent. An implied consent – through the use of the service as an acceptance of the personal data processing – is not allowed by the law.
Similarly, a consent is always required in case of fingerprint and cookies.
Google will have to define certain times of data retention on the basis of the provisions of the Privacy Code, for both “active” and “back up” personal data (i.e. personal data stored or not). Regarding the deletion of personal data, the DPA has ordered Google to process the requests from its users (who are easily identifiable) within two months in case of active personal data and within six months in case of personal data stored on back up systems. As for the requests for cancellation affecting the use of the search engine, the Italian DPA decided to wait for further applicative development of the judgment of the Court of Justice of the European Union on the right to be forgotten.
Google will have 18 months to comply with the requirements of the DPA. During this time, the Authority will monitor the implementation of the measures required. The company will have to submit to the DPA, by September 30, 2014, a verification protocol, which will become binding once signed, and which will settle when and how the DPA will make its further checks on Google.