Italian DPA's measure for Google’s privacy policy

Garante sets measures to safeguard users from Googles privacy policyWith decision on July 2014, the Italian DPA (Garante) sets forth measures to bring the processing of personal data carried out by Google under its New Privacy Policy relating to use of the features offered with www.google.it more into line with Italian data protection Code:

1) effective information notices shall be provided to users; 2) the prior consent of both authenticated and non-authenticated users shall be obtained as regards the processing of information relating to them; furthermore, the data subjects in question shall be enabled to exercise their right to object; 3) more specific data retention periods shall be applied to information stored in active or back-up systems while a data retention policy should be adopted in line with the purpose limitation principle laid down in the Code; 4) the measures shall be implemented by no later than 18 months; 5) Google shall submit a draft verification protocol to the Garante.

 

How the Mountain View company works

The Mountain View company Google Inc. is well-known to be active in the technology field. From 1998 on, it grew up to account 70 branches and offices in about 40 countries. For example, Italian branch is Google Italy s.r.l. established in Milan by 2002 for promoting, marketing and selling advertising spaces. It also represents Google Inc. in Italy for the purposes and under the terms of Section 5 of the Privacy Code and personal data protection legislation.

Google is providing many services for every need of its users

Google is mainly a web search engine providing lot of services through the way. Its features include email Gmail, online mapping Street View on Google Maps, marketing of advertising space DoubleClick, the browser Google Chrome, the social networking Google Plus, online payment service Google Wallet, a virtual store of media Google Play, YouTube, services of text storage, sharing and revision Google Docs and Google Drive, satellite imaging software Google Earth, calendar service Google Calendar, management and control of user profiles Google Dashboard, statistical analysis and monitoring tools Google Analytics.

Users are categorized upon privacy purposes: authenticated, not-authenticated and passive

Thanks to the revenues coming from advertising services, the above-mentioned features are offered for free to end-users. For privacy purposes, they are ultimately distinguished between authenticated or not users, depending whether they access to Google’s features by an account created through a registration procedure or access without prior registration.

Additionally, there is a third group of users, called passive because even if they do not use Google’s features or services directly, Google knows them or, to be more precise, Google can acquire their data.

How Google collects data of users not connected to Google

How is it possible? Every time a user is browsing sites of third parties where cookies of Google are installed, they unconsciously leave their data to Google. We can put the example of YouTube. Users of the media platform could not be aware that it was purchased by Google in 2006 and thus became part of the Google domain being controlled by it.

It means that users connecting to the video sharing platform are persuaded YouTube is storing their data while it is actually collected by Google as controller of the personal data. Indeed, Google collects data and match it with information related to other Google’s services or features the same user has used.

This is how Google explains this policy: "We use the information we collect from all of our services to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users. We also use this information to offer you tailored content – like giving you more relevant search results and ads. We may combine personal information from one service with information, including personal information, from other Google services."

For almost every service provided by Google there was a specific privacy policy determining how and when Google can acquire users’ data. On 2012 Google announces that all these policies were up to be merged in a single documented policy.

The administrative proceeding for failure to comply with EU legislation

On 2 February 2012, the Working Party of Article 29 informed Google of an inquiry into the compliance of the new privacy policy with Directive 95/46/EC. On 16 October 2012 the company is notified that new policy failed to comply with the applicable EU legislation and that was set-up an ad-hoc task force. Due to Google not following up on the recommendations as indicated by the WP29 is initiated an administrative proceeding.

Concerns of Italian Garante for privacy settings not meeting provisions of the Code

Italian Garante raises questions about the processing of personal data as resulting from the new Google’s privacy policy. Concerns are about users’ consent, data retention policy and inadequacy of information given to users on the use of their personal data.

Google made some privacy adjustments before the decision

While Google argues that the new policy is in line with legislation, to meet Garante concerns it introduces various measures and changes of its privacy policy as improving the information notice on the use of cookies and other identifiers, on the use of location data or credit card information, making more understandable technical terminology.

The Garante decides and set measures

The legal background of the case concerning processing of personal data and the protection of privacy is framed within EU Directive 95/46/EC, Directive 2002/58/EC, Directive 2009/136/EC, Directive 2002/22/EC and Regulation (EC) No 2006/2004. Moreover, it is considered Personal Data Protection Code, legislative decree no 69 of 28 May 2012, case C-131/12 of EU Court of Justice on 13 May 2014 and several Opinion by the Article 29 Working Party on cookies and privacy issues.

The measures Garante requires to comply to

Under the terms of Section 143(1), letter b), and Section 154(1), letter c), of the Code, the Garante orders that Google Inc. should take measures regarding the processing of Italian users’ personal data using its services. Among other measures the Garante requires information notices to be provided to users, prior consent of both authenticated and non-authenticated users, more strictly data deletion periods. Google is then ordered to implement those measures by no later than 18 months as from service of this decision and to submit a draft verification protocol to the Garante.

The criticalities affecting the processing of personal data of Google

The aforementioned measures are requested by the Garante because of criticalities affecting the processing of personal data carried out by the company.

The first concern to be addressed was the inadequate information given to users as the Garante found that Google does not provide easily accessible information about the uses the data may be put. As a remedy, the Garante asks for implementing a multi-layered information system. Via a first-layer notice Google shall mention the most important privacy information – for example that user’s personal data are being monitored and used to profile them for delivering targeted ads and collected not only by cookies but also by other techniques like fingerprinting – while more detailed information on the specific Google’s service chosen will be included in a second-layer notice.

The second concern raised by the Garante is regarding the fact that Google used to gain the user consent by one of its services – for example emailing with Gmail – as unconditional acceptance of rules binding to all its services. Now, Google will have to obtain users prior consent in order to use their data for the purposes of profiling and delivering targeted behavioral ads and the users shall be enabled to make affirmative, informed choices on whether to consent or to profiling also with regard to the individual services being used. This consent to be valid must be free, obtained prior to starting the processing, applied to processing operations for explicit and specific purposes, informed and written.

To address the third question related to retention of data stored both in active systems or in back-up systems, Google will have to comply its retention periods to the provisions contained in the Italian data protection Code. Therefore, if the personal data deletion request is coming from a registered user, Google shall comply within two or six months depending upon the data storage system, giving room for adjustments that the ongoing jurisprudence should recommend on the right to be forgotten concerning search engine.

A monitored term to comply for Google

Google will have to comply with the measures in eighteen months during which the Garante will monitor their implementation and Google will submit a binding verification protocol regulating timeline and mechanisms of the supervision on Googles activities.

The first Italian Garante decision provided with measures

Italian users can now rely upon an enforced safeguard of their rights. When Google announced changes on its privacy policy, a task force of European DPA was immediately alerted to monitoring the impact on users. The Garante, as a member of this commission, pointed out some failures potentially affecting users’ awareness about the scope of their given consent and use of their personal data.

What is most significant and peculiar about the decision is that the Garante goes far beyond the decision asking for changes and implementation of Google’s privacy policy to comply with EU legislation and provides the decision with specific measures Google must take under supervision.

Plex’s changing privacy policy

On august 2017 the media player software maker Plex alerted users that the next update of the privacy policy would have been deprived users of their ability to opt-out of data collection. This raised many concerns about sharing or selling data to third parties or identifying media files housed in the users’ library. Plex’s clarification that they do not have interest to access to users’ library or to sell their data wasn’t a remedy: they had to re-change their update.

Copyright © 2017-18