On July 21st the Italian Data Protection Authority (hereinafter the “IDPA”) issued a “Decision Setting forth Measures Google Inc. Is Required to Take to Bring the Processing of Personal Data under Google's New Privacy Policy into Line with the Italian Data Protection Code(hereinafter the “Decision”): the first decision in Europe that lays down specific measures, regarding the overall data protection structure of Google, to be implemented in order to achieve full compliance with the Italian law. Google will have a grace period of eighteen months to comply with these new provisions.

In particular, the IDPA set out its prescriptions with regard to the following points:

Information to users

In this respect, the IDPA required Google to implement a multi-layered information system so as to provide the most relevant information via a first-layer notice, including what data are being processed (device location data, IP-addresses, etc.), where users may apply to exercise their rights, and so on. A second-layer notice will provide more detailed, specific information on the individual services. In particular, Google – in the first-layer notice – will have to clearly explain that personal data of the users are being monitored and processed, among other things, for profiling purposes and that such data are also collected via sophisticated techniques (e.g., fingerprinting).

 

Consent

Google will have to collect users prior consent in order to use their data (whether coming from the use of emailing services or collected by matching and combining information from different services or else by means of cookies and fingerprinting) for the purposes of profiling and delivering targeted behavioral ads.

Data Deletion and Data Retention

Finally, the IDPA ordered that:

  • As for the information stored in so-called active systems, the data deletion requests made by registered users shall be complied with by no later than two months;
  • As for the information stored in so-called back-up systems, deletion shall be carried out by no later than six months as from the date of the request made by registered users.
  • In addition, a data retention policy should be adopted in line with the purpose limitation principle set out  in the IDPC.

Obviously, the various views on such an important decision regarding an Over The Top Player are not unanimous.

In my opinion, the current Italian data protection legal system, based on the mechanism: privacy notice and express consent, can certainly be criticized and held not suitable to cope with the challenges posed by the new technologies, including Internet of Things and Big Data, but, according to the existing rules, the above mentioned prescriptions ordered by the IDPA to Google seem fair and right.

As well, it is correct the call of the IDPA for an enhanced transparency vis-à-vis the users on the data processing operations carried out by Google, provided the number of platforms and services (e.g. Gmail, Google Search, Google+, Google Map, etc.), also marked by different brands (e.g. YouTube), whereby Google is used to collect and match a huge amount of users data.

Also, everyone can agree with the need of a privacy notice easily accessible for the users, outlining all the mandatory information provided for by the IDPC.

To this end, the recommendation of a multilayered (but not excessively fragmented) privacy notice, in accordance with the opinion No.10/2004 of the Article 29 Working Party, seems aimed at prompting a balanced and practical solution.

Moreover, I hold interesting the mechanism suggested by the IDPA for the collection of the users consent, in line with the guidelines recently issued on cookies: in deed, Google could provide the users, by means of a  banner, that shall immediately appear when the user will access to the home page (or another page of the website), including specific elements and, in particular: (i) a notice  “that the website carries out data protection activities in order to profile the users, by means of the automatic processing of personal data of the registered users with regard to the use of the Gmail email service in order to send and receive email messages, and by means of the matching of the data through different functionalities, and by means of the use of cookies or other identifiers also in order to send marketing messages in accordance with the privacy preferences expressed by the users in the context of the use of the functionalities and of the web browsing and in order to monitor the behaviors of the  users on the websites”; (ii) a link to the privacy notice; (iii) a link to a webpage where the user can deny his consent to profiling activities; (iv) a warning that a click out of the banner in order to keep on surfing on the website will be considered a consent to the above mentioned profiling activities.

In such circumstances, it will be sufficient that the user will get rid of the banner, only selecting an item contained in the web page out of the banner, to consider such an action an express consent of the user. Provided such a prescription, the IDPA seems oriented to allow this modality for the collection of the users consent (similar to an implied consent and quite unusual within the Italian data protection legal system), not solely with regard to cookies, but also with regard to further data processing activities carried out through the website.

This being stated, provided the number of daily accesses of unregistered users to the different Google platforms, by means of different devices, I am afraid that, assuming that such a privacy banner will be implemented,  soon Italian users will become very familiar with it.

The last points of the Decision regard data retention and data deletion, in accordance with the recent decision of the European Court of Justice about the right to be forgotten.

Apparently, the prescriptions seem not particularly burdensome: (i) with regard to the data retention, Google shall have to implement a data retention policy in accordance with the Italian IDPC, limiting the retention of personal data to the period strictly needed in order to meet the data processing purposes; (ii) with regard to the data deletion, the order is limited to the sole registered users and the timescale (2 months to delete the data from active systems and 180 days to delete the data from back-up systems) seems affordable.

However, since Google is and will be one of the major players in the Big Data ecosystem (as the well known Google Flu Trends shows) and provided the strict measures set out by the Article 29 Working Party in the Opinion No.5/2014 on anonymisation techniques, the implementation of such measures may represent for Google a thorny issue.

To make a long story short, actually, the impression is that the measures are per se fair, but the IDPA has been making all its best efforts, trying to adapt slim fit suits to a character of a Fernando Botero’s painting.