1) effective information notices shall be provided to users; 2) the prior consent of both authenticated and non-authenticated users shall be obtained as regards the processing of information relating to them; furthermore, the data subjects in question shall be enabled to exercise their right to object; 3) more specific data retention periods shall be applied to information stored in active or back-up systems while a data retention policy should be adopted in line with the purpose limitation principle laid down in the Code; 4) the measures shall be implemented by no later than 18 months; 5) Google shall submit a draft verification protocol to the Garante.
How the Mountain View company works
The Mountain View company Google Inc. is well known for its activity in the technology field. Since 1998 it has grown to some 70 branches and offices in about 40 countries. The Italian branch, for example, is Google Italy s.r.l., established in Milan by 2002 to promote, market and sell advertising space. It also represents Google Inc. in Italy for the purposes and under the terms of Section 5 of the Privacy Code and personal data protection legislation.
Google is providing many services for every need of its users
Google is mainly a web search engine that also provides many other services. These include the email service Gmail, the online mapping service Street View on Google Maps, the advertising-space marketing service DoubleClick, the browser Google Chrome, the social network Google Plus, the online payment service Google Wallet, the virtual media store Google Play, YouTube, the text storage, sharing and revision services Google Docs and Google Drive, the satellite imaging software Google Earth, the calendar service Google Calendar, the user-profile management and control tool Google Dashboard, and the statistical analysis and monitoring tool Google Analytics.
Users are categorized for privacy purposes: authenticated, non-authenticated and passive
Thanks to the revenues coming from advertising services, the above-mentioned features are offered for free to end users. For privacy purposes, users are distinguished as authenticated or non-authenticated, depending on whether they access Google’s features through an account created by a registration procedure or without prior registration.
Additionally, there is a third group of users, called passive because even if they do not use Google’s features or services directly, Google knows them or, to be more precise, Google can acquire their data.
How Google collects data of users not connected to Google
How is it possible? Every time users browse third-party sites where Google cookies are installed, they unknowingly leave their data to Google. Take YouTube as an example. Users of the media platform may not be aware that it was purchased by Google in 2006 and thus became part of the Google domain, controlled by Google.
This means that users connecting to the video-sharing platform believe that YouTube is storing their data, while the data is actually collected by Google as controller of the personal data. Indeed, Google collects the data and matches it with information related to other Google services or features the same user has used.
This is how Google explains this policy: "We use the information we collect from all of our services to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users. We also use this information to offer you tailored content – like giving you more relevant search results and ads. We may combine personal information from one service with information, including personal information, from other Google services."
The administrative proceeding for failure to comply with EU legislation
Concerns of Italian Garante for privacy settings not meeting provisions of the Code
Google made some privacy adjustments before the decision
The Garante decides and sets measures
The legal background of the case, which concerns the processing of personal data and the protection of privacy, is framed by EU Directive 95/46/EC, Directive 2002/58/EC, Directive 2009/136/EC, Directive 2002/22/EC and Regulation (EC) No 2006/2004. Also taken into account are the Personal Data Protection Code, legislative decree no 69 of 28 May 2012, case C-131/12 of the EU Court of Justice of 13 May 2014 and several Opinions of the Article 29 Working Party on cookies and privacy issues.
The measures the Garante requires Google to comply with
Under the terms of Section 143(1), letter b), and Section 154(1), letter c), of the Code, the Garante orders Google Inc. to take measures regarding the processing of the personal data of Italian users of its services. Among other measures, the Garante requires information notices to be provided to users, the prior consent of both authenticated and non-authenticated users, and stricter data deletion periods. Google is then ordered to implement those measures no later than 18 months from service of this decision and to submit a draft verification protocol to the Garante.
The criticalities affecting the processing of personal data of Google
The aforementioned measures are requested by the Garante because of criticalities affecting the processing of personal data carried out by the company.
The first concern to be addressed was the inadequate information given to users, as the Garante found that Google does not provide easily accessible information about the uses to which the data may be put. As a remedy, the Garante asks Google to implement a multi-layered information system. In a first-layer notice Google shall mention the most important privacy information – for example, that users’ personal data are being monitored and used to profile them for delivering targeted ads, and are collected not only by cookies but also by other techniques such as fingerprinting – while more detailed information on the specific Google service chosen will be included in a second-layer notice.
The second concern raised by the Garante is that Google used to treat the consent a user gave for one of its services – for example, emailing with Gmail – as unconditional acceptance of rules binding across all its services. Now, Google will have to obtain users’ prior consent in order to use their data for the purposes of profiling and delivering targeted behavioral ads, and users shall be enabled to make affirmative, informed choices on whether or not to consent to profiling, also with regard to the individual services being used. To be valid, this consent must be free, obtained before processing starts, applied to processing operations for explicit and specific purposes, informed and written.
To address the third question, which relates to the retention of data stored in active systems or in back-up systems, Google will have to bring its retention periods into line with the provisions of the Italian data protection Code. Therefore, if a personal data deletion request comes from a registered user, Google shall comply within two or six months depending on the data storage system, leaving room for any adjustments that the ongoing jurisprudence on the right to be forgotten concerning search engines should recommend.
A monitored term to comply for Google
Google will have to comply with the measures within eighteen months, during which the Garante will monitor their implementation and Google will submit a binding verification protocol regulating the timeline and mechanisms of the supervision of Google’s activities.
The first Italian Garante decision provided with measures