In particular, the IDPA set out its prescriptions with regard to the following points:
Information to users
In this respect, the IDPA required Google to implement a multi-layered information system so as to provide the most relevant information via a first-layer notice, including what data are being processed (device location data, IP addresses, etc.), where users may apply to exercise their rights, and so on. A second-layer notice will provide more detailed, specific information on the individual services. In particular, Google will have to clearly explain in the first-layer notice that users' personal data are being monitored and processed, among other things, for profiling purposes and that such data are also collected via sophisticated techniques (e.g., fingerprinting).
Google will have to collect users' prior consent in order to use their data (whether coming from the use of emailing services, collected by matching and combining information from different services, or collected by means of cookies and fingerprinting) for the purposes of profiling and delivering targeted behavioral ads.
Data Deletion and Data Retention
Finally, the IDPA ordered that:
- As for the information stored in so-called active systems, data deletion requests made by registered users shall be complied with within two months at the latest;
- As for the information stored in so-called back-up systems, deletion shall be carried out within six months at the latest from the date of the request made by registered users;
- In addition, a data retention policy should be adopted in line with the purpose limitation principle set out in the IDPC.
Obviously, views on such an important decision regarding an over-the-top player are not unanimous.
In my opinion, the current Italian data protection legal system, based on the mechanism of privacy notice and express consent, can certainly be criticized and held unsuitable to cope with the challenges posed by new technologies, including the Internet of Things and Big Data, but, according to the existing rules, the above-mentioned prescriptions ordered by the IDPA to Google seem fair and right.
Likewise, the IDPA's call for enhanced transparency vis-à-vis users on the data processing operations carried out by Google is correct, given the number of platforms and services (e.g. Gmail, Google Search, Google+, Google Maps, etc.), some of them marked by different brands (e.g. YouTube), through which Google collects and matches a huge amount of user data.
Also, everyone can agree on the need for a privacy notice that is easily accessible to users and outlines all the mandatory information provided for by the IDPC.
To this end, the recommendation of a multi-layered (but not excessively fragmented) privacy notice, in accordance with Opinion No. 10/2004 of the Article 29 Working Party, seems aimed at prompting a balanced and practical solution.
In such circumstances, it will be sufficient for the user to dismiss the banner, simply by selecting an item on the web page outside the banner, for that action to be considered the user's express consent. Given such a prescription, the IDPA seems inclined to allow this method of collecting users' consent (similar to implied consent and quite unusual within the Italian data protection legal system), not solely with regard to cookies, but also with regard to further data processing activities carried out through the website.
This being stated, given the number of daily accesses by unregistered users to the different Google platforms, by means of different devices, I am afraid that, assuming that such a privacy banner is implemented, Italian users will soon become very familiar with it.
The last points of the Decision regard data retention and data deletion, in accordance with the recent decision of the European Court of Justice about the right to be forgotten.
At first sight, the prescriptions do not seem particularly burdensome: (i) with regard to data retention, Google will have to implement a data retention policy in accordance with the Italian IDPC, limiting the retention of personal data to the period strictly needed to meet the data processing purposes; (ii) with regard to data deletion, the order is limited to registered users only and the timescale (2 months to delete the data from active systems and 180 days to delete the data from back-up systems) seems manageable.
However, since Google is and will be one of the major players in the Big Data ecosystem (as the well-known Google Flu Trends shows), and given the strict measures set out by the Article 29 Working Party in Opinion No. 5/2014 on anonymisation techniques, the implementation of such measures may prove a thorny issue for Google.
To make a long story short, the impression is that the measures are fair per se, but the IDPA has been doing its best to fit slim-fit suits on a character from a Fernando Botero painting.