Share This Article
Privacy compliance is becoming a tough hurdle in Italy for Google as after having its privacy information notice challenged it has now been requested to adopt a number of measures with an audit right by the Italian data protection authority on the status of their implementation.
I covered in this post about the move from the Italian privacy authority to challenge Google’s privacy information notice last year. ย The challenging proceeding has now escalated to the implementing actions since Google has time up to 15 January 2016 to comply with the terms of a protocol agreed with the Italian privacy authority.
The Italian privacy authority will not only receive quarterly updates on the status of adoption of the required measures, but will also be entitled to run inspections at Google’s premises in the US. ย And this is the first time that a European privacy regulator is granted with such type of right (!).
It is unclear whether this arrangement between Google and the Italian privacy authority is a victory or a defeat from Google’s point of view, but there is no doubt that it will have a major impact on their business.
Theย main terms of such protocol prescribe:
1. Privacy information notice
Google shall adopt a more clear and transparent privacy information notice which will differ depending on the type of service involved and will provide details on the modalities of processing of personal data as well as on users’ profiling activities also referring to their performance through the usage of cookies and fingerprinting technologies.
2. ย Users’ consent
The profiling of users shall be performed only with their prior consent and the same applies to the usage of cookies that shall occur only in compliance with the guidelines issued by the Italian privacy authority on cookies.
3. Storage of data and anonymization
Detailed rules on the term of storage of data shall be put in place also ensuring that on the expiry of such term the modalities adopted for their anonymization comply with the position taken by the European privacy authorities on the matter.
4. Requests to be forgotten
The exchange of information on the proper compliance with users’ requests relating to the exercise of the so called right to be forgottenย shall continue.
What consequences for other sectors?
As previously discussed, the question is whether the approach taken by the Italian privacy authority will be just the beginning of a more stringent approach by privacy regulators which might have a considerable effect on technologies like those of the Internet of Things. ย This willย follow up the recent position taken by the European privacy regulators on the matterย and will open a new field for negotiations between technology companies and privacy regulators. ย The hope is that sooner rather than later a common agreement will be reached on measures ensuring privacy protection in a manner that does not negatively affect businesses.
We will see the follow up reactions to the above, but in the meantime as usual feel freeย to contact me,ย Giulio Coraggioย to discuss. Also, if you want to receive my newsletter, please join myย LinkedIn Groupย or myย Facebook page.ย And follow me onย Twitter,ย Google+ย and become one of my friends onย LinkedIn.
