Data protection issues for Google in Italy are not over. The Italian Data Protection Authority (DPA) has now challenged their privacy information notice requiring – among others – an express consent from users to their profiling for marketing purposes leading to issues that might impact any business based on the processing of BIG DATA such as the Internet of Things and in general on behavioural advertising.
A few months ago we had commented the € 1 M fine issued by the Italian DPA against Google for the processing of data collected through their Google Street View service. However, the battle between Google and the Italian DPA is not over since now the authority also challenged the data protection notice adopted by Google.
In 2012 Google announced the implementation of a single data protection notice for all its services. This led not only to comments from the different European data protection authority and the European data protection advisory body, the Article 29 Working Party, but also the Italian DPA started in 2013 an investigation which ended up in a decision now adopted.
The document issued by the Italian DPA is quite long and complex but its main terms are the following:
Modalities and contents of privacy information notice
Google shall adopt two levels of data protection information notice:
1. A general privacy information notice applicable to all its services and containing basic information such as
- the types of data that are processed,
- the identity of the data controller and of its representative located in Italy
- an address for the users’ exercise of their right of access
- the circumstance that the users’ personal data are used for marketing purposes with reference in particular to behavioural advertising practices through the monitoring and profiling of users’ activities and
2. Several long form data protection information notices relating to each service provided addressing the risks related to each service and linkable from the general privacy information notice.
Data protection issues in case of lack of users’ prior consent to the profiling and monitoring for marketing purposes
The most relevant data protection issues for Google derive from the obligation imposed by the DPA to obtain the users’ prior consent to the processing of their personal data for advertising purposes. This includes
- information contained in emails of GMail service,
- information deriving from different Google services that are then linked to be better tailored to users’ preferences and
- information collected through cookies, authentication credentials and fingerprinting technologies.
In relation to the modalities through which such consent has to be obtained, the DPA adopted an approach which is along the lines of the one recently adopted to face data protection issues concerning cookies outlined in the decision covered in this post. Indeed, the DPA held that a banner clearly visible on Google homepage shall:
- refer to the fact that personal data collected from users will be used for profiling purposes;
- contain a link to the privacy information notice which shall contain the information referred in the paragraph above;
- contain an additional link to an area where it is possible to either deny to the consent to the profiling or select the modalities and functionalities for which the user wants to be profiled; and
- mention that selecting any content of the page outside the banner, the user grants his consent to the profiling of his personal data.
The DPA also referred to cases when following the display of the above mentioned banner the consent is meant to be implied and when it shall be requested again from users.
And for instance while for authenticated users (i.e. those that have for instance a GMail account) the privacy consent will be valid across all the devices used by him, the same does not apply for unauthenticated users which shall grant a separate consent per each device. Also, in relation to the “passive users” (i.e. those that do not use Google services but navigate on sites that use Google cookies for instance) the consent shall be obtained by the site itself through the modalities outlined in the DPA’s decision concerning cookies.
Term of storage of personal data
In the light of the recent decision issued by the European Court of Justice with reference to the exercise of the right to be forgotten in relation to data accessible through Google search engine covered in this post, the Italian DPA did not take any clear position awaiting the developments on the matter. Google shall in any case adopt a data deletion policy and shall retain personal data for no longer than it is requested for the purposes for which they have been collected.
What data protection issues for other BIG DATA businesses and foreign companies?
Because of the technical issues necessary to implement the changes referred above, the Italian DPA granted 18 months to Google in order to put in place the measures referred above.
However, the main issue relates to the effects that such decision will have on other businesses relying on big data and behavioural advertising techniques. Will the same principles be extended for instance to companies that monitor social media usage? And what about Internet of Things, wearable technologies and eHealth technologies?
Also, while Google was granted with an 18 months period to comply with the obligations above, what will happen to other businesses that have not been proactively approaching the DPA to negotiate a transitional period in order to become compliant? They might consider to start discussions with the DPA before being potentially sanctioned with a considerable negative effect on the value of their business.
Furthermore, data protection issues are not just applicable to European companies since the DPA treated Google as a company fully subject to Italian data protection regulations following the so called targeting approach adopted in the recent decision of the European Court of Justice. Therefore any non-European company targeting European users might be obliged to comply with the principles above.