The Garante highlighted once again that, pursuant to Italian data privacy laws, any processing of personal data is only allowed if the data subjects receive specific and detailed information regarding the data processing activities and give their express consent to the processing operations.
The Garante clarified that Google should provide detailed information to its users on the processing activities of personal data, highlighting the specific marketing purposes for which the data are collected.
I. Italian Framework
Italian provisions on data privacy protection are outlined in the Legislative Decree No. 196 of 2003, as amended and updated (the “Data Privacy Code”).
The Data Privacy Code applies to “the processing of personal data, including data held abroad, where the processing is performed by any entity established either in the territory of Italy or in a place that is under the sovereignty of Italy”; as such, it may apply to both foreign and Italian companies.
For the purpose of the Italian data privacy law, “personal data” includes any information relating to an identified or identifiable natural person (the “data subject”), who can be identified either directly or indirectly or through any other information.
The “data processing activities” consist of any operations, or set of operations, which are performed upon personal data whether or not by automatic tools. Data processing activities will include, amongst others: the preservation, imaging, storage, consultation, collection, recording, organization, interrogation, elaboration, selection, retrieval, comparison, utilization, interconnection, translation, review, redaction or transfer of data.
Following the Data Privacy Code, personal data must be processed lawfully and must be collected in a fair manner for specific, explicit and legitimate purposes. Any processing of data must be necessary and not excessive in relation to the purposes for which the data is collected. Data cannot be stored longer than is necessary for the purposes for which it was collected.
Processing of personal data also requires: (i) a specific information notice to the data subject in connection with the data processing activities; and (ii) the express consent, documented in writing, of the data subject to the data processing.
The data subject’s consent and the information notice to the data subject are not required in the specific circumstances set forth by the Data Privacy Code.
The processing activities can only be performed by persons who are expressly appointed—in writing—by the persons responsible for the data processing for the company (the “data processor”). It is common for medium to large companies to appoint a nominated person to act as the data processor. The duty of acting as the data processor will fall on the company’s Board of Directors as a whole if a company has not appointed a specific person to be the data processor.
A company which unlawfully processes personal data may face a number of consequences, including the payment of fines, the payment of damages to the data subject or, in the most serious cases, criminal sanctions. In the case of unlawful processing, the company is required to delete the information obtained unlawfully.
II. The Decision on Google
In its decision of 10 July 2014 on Google (the “Decision”), the Garante ruled that the processing activities carried out by Google in connection with some of its services, including Gmail, YouTube and Google Search, were not fully conducted in compliance with Italian data privacy laws.
The key outcomes of the Decision are as follows. First, Google is obliged to inform its users of what data are being processed, of the specific marketing purposes of the data processing operations, and of where users may apply to exercise their rights (e.g. to delete their personal data). The information notice provided by Google to its users at the time of the Decision was deemed not detailed enough, as it simply included a statement referencing ‘further purposes’. Secondly, it was held that Google should request from its users prior and express consent to the data processing. The last key conclusion of the Garante was the need for Google to implement a data retention policy and a data deletion policy.
As for the information notice, the Garante concluded that Google would have to implement a “multi-layered information system” to safeguard its users’ data. In the ‘first-layer’ notice Google should clearly outline the main information regarding the data processing operations as mentioned above and, most specifically, that personal data of the user will be monitored and processed for profiling purposes. The Garante also held that Google should inform the users that their data will be collected through sophisticated tools such as fingerprinting, which allows Google to match the personal data retrieved from different services. Then, in the ‘second-layer’ notice Google should provide its data subjects with more detailed and specific information on the processing operations that could be conducted on their personal data through those sophisticated tools.
The Garante then clarified that Google should obtain users’ prior consent to use their data, regardless of whether the data was collected via email services such as Gmail, or by matching information from different services by way of, for example, cookies and/or fingerprinting.
Finally, the Decision addressed the right of the data subject to be forgotten and to ask the data processor to delete the personal data, as recently reaffirmed by the European Court of Justice. Google must introduce a specific retention policy based on the provisions contained in the Data Privacy Code, which should specify a two-month deadline for Google to comply with any request for deletion of data or, if the data is stored in a back-up system, a six-month deadline.
The Garante gave Google 18 months to make its system compliant with the requirements outlined in the Decision. Moreover, by the 30th of September 2014, Google will have to submit a verification protocol that will have to be approved by the Garante. Once the protocol becomes binding, it will set out the timeline and mechanism for the Garante’s supervisory activities over Google.
The Decision commented on herein is highly innovative, as the Garante did not limit itself to urging Google to comply with the applicable data privacy laws. The Garante outlined specific guidelines which Google would need to follow in order to modify its compliance system and procedures and become compliant with the Data Privacy Code.
As the Google case shows, internal policies and procedures addressing data privacy concerns are critical components for companies operating in Italy and abroad where data processing is a crucial aspect of their business.
Detailed information notices and explicit consent forms are key tools to be adopted in any processing operation involving personal data, for example in the context of marketing activities, as in the Google case. Implementing policies on the use of personal data, the processing of email details, laptop and Internet usage, security measures and password management, and appointing a person responsible for handling data privacy matters, are therefore strongly recommended.
Companies operating in Italy and abroad should be mindful that adopting adequate internal policies and compliance programs addressing data privacy issues provides a crucial tool for managing data privacy operations and ensuring compliance with applicable data privacy laws.