Share This Article
Privacy compliance is becoming a tough hurdle in Italy for Google as after having its privacy information notice challenged it has now been requested to adopt a number of measures with an audit right by the Italian data protection authority on the status of their implementation.
I covered in this post about the move from the Italian privacy authority to challenge Googleโs privacy information notice last year. The challenging proceeding has now escalated to the implementing actions since Google has time up to 15 January 2016 to comply with the terms of a protocol agreed with the Italian privacy authority.
The Italian privacy authority will not only receive quarterly updates on the status of adoption of the required measures, but will also be entitled to run inspections at Googleโs premises in the US. And this is the first time that a European privacy regulator is granted with such type of right (!).
It is unclear whether this arrangement between Google and the Italian privacy authority is a victory or a defeat from Googleโs point of view, but there is no doubt that it will have a major impact on their business.
The main terms of such protocol prescribe:
1. Privacy information notice
Google shall adopt a more clear and transparent privacy information notice which will differ depending on the type of service involved and will provide details on the modalities of processing of personal data as well as on usersโ profiling activities also referring to their performance through the usage of cookies and fingerprinting technologies.
2. Usersโ consent
The profiling of users shall be performed only with their prior consent and the same applies to the usage of cookies that shall occur only in compliance with the guidelines issued by the Italian privacy authority on cookies.
3. Storage of data and anonymization
Detailed rules on the term of storage of data shall be put in place also ensuring that on the expiry of such term the modalities adopted for their anonymization comply with the position taken by the European privacy authorities on the matter.
4. Requests to be forgotten
The exchange of information on the proper compliance with usersโ requests relating to the exercise of the so called right to be forgotten shall continue.
What consequences for other sectors?
As previously discussed, the question is whether the approach taken by the Italian privacy authority will be just the beginning of a more stringent approach by privacy regulators which might have a considerable effect on technologies like those of the Internet of Things. This will follow up the recent position taken by the European privacy regulators on the matter and will open a new field for negotiations between technology companies and privacy regulators. The hope is that sooner rather than later a common agreement will be reached on measures ensuring privacy protection in a manner that does not negatively affect businesses.
We will see the follow up reactions to the above, but in the meantime as usual feel free to contact me, Giulio Coraggio to discuss. Also, if you want to receive my newsletter, please join my LinkedIn Group or my Facebook page. And follow me on Twitter, Google+ and become one of my friends on LinkedIn.
