More safeguards for Google users in Italy: the Italian Garante draws the line
Mountain View will have to improve transparency in processing data and provide more safeguards to users
Users of Google's services (including Search) in Italy will be better protected. The Italian Garante has ruled that the IT giant from Mountain View may not use users' data for profiling without their prior consent; furthermore, Google will have to inform users specifically that it is profiling them for marketing purposes.
Information to Users
The Garante required Google to implement a multi-layered information system so as to provide the most relevant information via a first-layer notice mentioning what data are being processed (device location data, IP-addresses, etc.), where users may apply (in Italian) to exercise their rights, and so on. A second-layer notice will include more detailed, specific information on the individual services.
More importantly, Google will have to clearly explain – in the first-layer notice – that users' personal data are being monitored and used, among other things, to profile them for delivering targeted ads, and that users' data are also collected via more sophisticated techniques than cookies (e.g., fingerprinting). The latter is a system whereby information on the use of a device is collected and stored directly in the company's servers – whilst cookies are installed, for instance, in the user's PC or smartphone.
Google will have to obtain users' prior consent in order to use their data (whether coming from the use of emailing services or collected by matching and combining information from different services or else by way of cookies and fingerprinting) for the purposes of profiling and delivering targeted behavioral ads. This means that Google may no longer regard the mere fact of using one of its services as unconditional acceptance of rules that have not left – so far – any room for decision-making by data subjects on how their personal data ought to be processed. In this connection, the Garante also proposed an innovative, user-friendly mechanism that does not affect user experience substantially and enables users to make affirmative, informed choices on whether to consent or not to consent to profiling also with regard to the individual services being used.
Google will have to set specific retention periods based on the provisions contained in the Italian data protection Code. This applies both to the data stored in the so-called active systems and to the data that is stored subsequently in back-up systems. As for the deletion of personal data, the Garante required Google to comply with deletion requests made by Google account holders (who therefore can be identified easily) within two months (for data stored in active systems) or else within six months (for data stored in back-up systems). However, the Garante considered it appropriate to await developments related to implementation of the CJEU's judgment on the right to be forgotten as for deletion requests concerning use of Google's search engine.
Google will have to comply with the measures laid down by the Garante in eighteen months. Meanwhile, the Garante will monitor implementation of those measures and the company will have to submit – by 30 September 2014 – a verification protocol which, once signed, will become binding. This protocol will regulate the timeline and mechanisms for the supervision to be performed by the Garante on Google's activities.
Rome, 21 July 2014