
More safeguards for Google users in Italy: the Italian Garante draws the line


Mountain View will have to improve transparency in processing data and provide more safeguards to users

Users of Google's services (including Search) in Italy will be better protected. The Italian Garante has ruled that the IT giant from Mountain View may not use users' data for profiling without their prior consent; furthermore, Google will have to inform users specifically that it is profiling them for marketing purposes.
This decision and the measures it provides for concluded the proceeding the Italian Garante had started last year following the changes made by Google to its privacy policy worldwide. This is the first decision in Europe that – as part of a coordinated action with other European DPAs and following the judgment by the Court of Justice of the EU on the right to be forgotten – does not limit itself to urging Google to comply with privacy legislation but actually lays down specific measures Google must take to achieve full compliance with the law. Google has merged the individual data management rules into a single document, which relates to the many features it offers: from Gmail to social networking (Google Plus); from online payments (Google Wallet) to video sharing (YouTube); from online mapping (Street View) to statistical analysis (Google Analytics). Thus, Google has made the individual features integrated and interoperable, and it matches and combines the data coming from users' interaction with multiple services.
In the course of the proceeding, which also included several hearings with the company's representatives, Google did take measures to bring its privacy policy more into line with the applicable legislation. Nevertheless, the Garante found that several critical issues remained concerning the inadequate information provided to users, the failure to request users' consent for profiling purposes, and the unspecified data retention periods; accordingly, the Garante laid down a set of measures applying to all the services offered by Google.

Information to Users
The Garante required Google to implement a multi-layered information system so as to provide the most relevant information via a first-layer notice mentioning what data are being processed (device location data, IP-addresses, etc.), where users may apply (in Italian) to exercise their rights, and so on. A second-layer notice will include more detailed, specific information on the individual services.
More importantly, Google will have to clearly explain – in the first-layer notice – that users' personal data are being monitored and used, among other things, to profile them for delivering targeted ads, and that users' data are also collected via more sophisticated techniques than cookies (e.g., fingerprinting). The latter is a system whereby information on the use of a device is collected and stored directly in the company's servers – whilst cookies are installed, for instance, in the user's PC or smartphone.

Google will have to obtain users' prior consent in order to use their data (whether coming from the use of emailing services or collected by matching and combining information from different services or else by way of cookies and fingerprinting) for the purposes of profiling and delivering targeted behavioral ads. This means that Google may no longer regard the mere fact of using one of its services as unconditional acceptance of rules that have not left – so far – any room for decision-making by data subjects on how their personal data ought to be processed. In this connection, the Garante also proposed an innovative, user-friendly mechanism that does not affect user experience substantially and enables users to make affirmative, informed choices on whether to consent or not to consent to profiling also with regard to the individual services being used.

Data Retention
Google will have to set specific retention periods based on the provisions contained in the Italian data protection Code. This applies both to the data stored in the so-called active systems and to the data that is stored subsequently in back-up systems. As for the deletion of personal data, the Garante required Google to comply with deletion requests made by Google account holders (who therefore can be identified easily) within two months (for data stored in active systems) or else within six months (for data stored in back-up systems). However, as regards deletion requests concerning use of Google's search engine, the Garante considered it appropriate to await developments related to implementation of the CJEU's judgment on the right to be forgotten.

Google will have to comply with the measures laid down by the Garante within eighteen months. Meanwhile, the Garante will monitor implementation of those measures and the company will have to submit – by 30 September 2014 – a verification protocol which, once signed, will become binding. This protocol will regulate the timeline and mechanisms for the supervision to be performed by the Garante on Google's activities.


Rome, 21 July 2014





Press release