At the end of last week, the Italian privacy regulator reported the news on the approval of an arrangement with Google enabling the Italian DPA – for the first time in Europe – to regularly monitor the implementation by Google of the measures required in its previous decision and to carry out specific inspections at Google headquarters in the US in order to verify the compliance of the services offered to Italian users with Italian data protection law.
Let’s go back to how it all started!
In 2012, Google announced the implementation of a single privacy notice for all its services. This led to a number of complaints from various EU Privacy Authorities among which the Italian DPA which, following a 1,000,000 fine against Google Inc. for the processing of data collected through the Street View service (see our post here), also commenced a formal investigation ending up in the decision adopted in July 2014.
According to said decision Google was required to:
- adopt both a general privacy information notice applicable to all its services and containing basic information, as well as a long version of the information notice addressing the risks relating to each service provided by the entity;
- collect the user’s prior consent to the profiling and monitoring for marketing purpose (in particular Google shall obtain the users’ consent to the monitor of information contained in the emails of the Gmail service, as well as to the installation of cookies – see here - or implementation of fingerprinting technologies – see here);
- adopt a data deletion policy and retain personal data for no longer than it is required for the purposes for which they have been collected (for both online and back-up systems).
In addition to the above, the decision also required Google set out the modalities and timing of implementation of the above mentioned formalities.
Further to the DPA analysis, the verification protocol was finally approved, and for the first time in Europe, it enables the Italian DPA to regularly monitor the progress status of the above mentioned actions, to be implemented by Google within January 15, 2016, as well as to carry out specific inspection at Google headquarters in the US.
The arrangement – which was not published by the Italian DPA upon Google request – is interesting for two reasons: (i) it requires Google Italian entity to constantly update the Italian DPA on the implementation of the data protection requirements, but most importantly, (ii) it also confirms the recent approach of the Italian DPA to assess the conduct of a foreign company (the US entity) on which, apparently, it does not have jurisdiction.