Privacy, the Guarantor dictates new rules to Google

During the investigation launched a year ago, "several critical profiles emerged relating to inadequate information to users, the failure to request consent for profiling purposes, the uncertain data retention times and dictated a series of rules, which apply to the set of services offered".

Google will no longer be able to use the data of Italian users to create profiles unless it obtains the consent of the interested parties, and it will have to declare explicitly that it carries out this activity for commercial purposes, or to offer personalized advertising, which is much more profitable than the traditional kind. This was stated in a note by the Privacy Guarantor, explaining that the investigation launched last year, after the changes the company made to its privacy policy, ended with a prescriptive measure.

As part of a coordinated action with the other European data protection authorities, and following the ruling of the European Court of Justice on the right to be forgotten, the Italian Guarantor's provision is the first in Europe that does not limit itself to calling for compliance with the principles of privacy regulation, but concretely indicates the possible measures that Google must adopt to remain legal.

The company has in fact unified in a single document the various data management rules relating to the numerous functions it offers: from e-mail (Gmail), to the social network (GooglePlus), to the management of online payments (Google Wallet), to the distribution of videos (YouTube), online maps (Street View) and statistical analysis (Google Analytics). In doing so it has also integrated the various products and made them interoperable, and has therefore cross-referenced user data relating to the use of multiple services.

"During the investigation, also characterized by several hearings with its representatives – reads the note – Google has adopted a series of measures to make its privacy policy more compliant with the rules. However, the Guarantor has noted the persistence of various critical profiles relating to inadequate information to users, the failure to request consent for profiling purposes, the uncertain data retention times and has dictated a series of rules, which apply to all offered services".

Information notice

The Authority has ordered Google to adopt an information notice structured on several levels. A first, general level must provide the information most relevant to the user: the processing operations and the data being processed (e.g. location of terminals, IP addresses, etc.), the address to contact, in Italian, to exercise one's rights, etc. A second, more detailed level must provide the specific information relating to the individual services offered. Above all, Google will have to explain clearly, in the general information, that users' personal data are monitored and used, among other things, for profiling purposes for targeted advertising, and that they are also collected with techniques more sophisticated than simple cookies, such as fingerprinting. The latter is a system that collects information on how the user uses the terminal and, unlike cookies, which are installed on the PC or smartphone, stores it directly on the company's servers.

Consent

To use the data of the interested parties for profiling and personalized behavioral advertising, whether the data relate to emails or are collected by cross-referencing information between different services or by using cookies and fingerprinting, Google will have to obtain users' prior consent. It can no longer treat the simple use of the service as unconditional acceptance of rules which, until now, left the interested parties no decision-making power over the processing of their personal data. In this regard, the Authority has also indicated an innovative and easy-to-use method which, without excessively burdening the user's navigation, allows users to choose actively and consciously whether or not to give their consent to profiling, also with regard to the individual services used.

Data retention

Google will have to set definite data retention times on the basis of the rules of the Privacy Code, both for data kept on so-called "active" systems and for data subsequently archived on "back up" systems. As regards the deletion of personal data, the Guarantor has required Google to satisfy requests from users who have an account (and are therefore easily identifiable) within a maximum of two months if the data is stored on "active" systems and within six months if the data is archived on backup systems. As regards deletion requests involving the use of the search engine, on the other hand, the Guarantor deemed it appropriate to wait for developments in the application of the ruling of the Court of Justice of the European Union on the right to be forgotten.

Google will have 18 months to comply with the Guarantor's requirements. During this period, the Authority will monitor the implementation of the prescribed measures. In fact, the company will have to submit to the Guarantor, by 30 September 2014, a verification protocol which, once signed, will become binding, and on the basis of which the times and methods of the control activity that the Authority will carry out with respect to Mountain View will be regulated.
