THE ARTICLE 29 INVESTIGATION OF 2012
The French Data Protection Authority took the lead in this first investigation.
From the analysis of the above-mentioned investigations and of Google’s answers, the Article 29 Working Party and the EU DPAs involved came to the conclusion that Google:
- combines data across its services without the user’s direct knowledge. This combination of data is very broad, since it includes all the activities of data subjects on Google’s sites as well as their activities on third-party websites, and users are not aware of the exact extent of that combination. Consequently, no valid consent was given by users for such data combination (Google does not expressly ask for the users’ consent to the combination of data); users do not have direct knowledge of the purposes of these combinations and, consequently, their right to object is not guaranteed.
- fails to provide retention periods for the personal data it processes. As we know, the EU Data Protection legislation ensures that personal data can be processed only for a limited period of time.
THE REQUESTS OF THE EU DPAs AND THE ARTICLE 29 WORKING PARTY OF OCTOBER 2012
On the basis of these findings, on 16th October 2012 the Article 29 Working Party sent Google a letter listing several important recommendations that Google should follow in order to allay the compliance concerns which surfaced during the investigation, giving Google 4 months to implement the requested changes. The Working Party also encouraged Google to engage with EU Data Protection Authorities during the development of services with significant data protection implications.
THE RESOLUTION TO INITIATE A PROCEEDING IN ORDER TO ESTABLISH COMPLIANCE WITH THE EU AND THE ITALIAN LEGISLATION
As a consequence of Google’s continuing non-compliance with the Working Party’s recommendations, each of the DPAs actively involved in the first investigation (the Privacy Authorities of Italy, France, Germany, United Kingdom, Holland and Spain) has launched official investigations by way of parallel separate proceedings – which will nevertheless be coordinated very closely.
The Italian DPA has declared that this joint action of the European DPAs is meant to reaffirm the principle by which all companies – Google included – which process personal data of European citizens must respect the specific rules in force in the European Union established in order to protect citizens’ fundamental rights, such as those related to the collection and the processing of personal data.
Unlike the first investigation conducted in 2012 by the Working Party, these new investigations might result in formal findings that Google has breached the data protection laws of the member states concerned and consequently in a binding order on Google to bring the infringement to an end and possibly in the imposition of fines.