Regulators in Italy say Google failed to adequately disclose its treatment of data to Italian citizens, and have given the company 18 months to comply with a series of new measures. The new rules require users’ prior consent when their data is used for commercial purposes and set a two-month deadline for the removal of personal data from a user’s account once a take-down request is filed.
After Google consolidated its privacy and data storage protocols across all of its services in March 2012 — without offering users the choice to opt-out — the European Union launched an investigation into the massive amounts of personal data held by Google in foreign jurisdictions.
The Italian deadline follows similar requirements instated in Britain and the Netherlands that Google’s policies conform to local laws. “As part of the process, Google also agreed to present a document by the end of September that will set a roadmap of steps to comply fully with the Italian regulator’s decision,” reports Reuters.
Google has incurred fines from both Spain and France for not adhering to local data protection laws, and a source familiar with the Rome-based watchdog group told Reuters that Google risks fines of up to €1 million for noncompliance, as well as criminal charges.
According to Gigaom, “…based on Italy’s fairly disgraceful privacy-related conviction of top Google execs a few years ago for a bullying clip that had been uploaded to Google Video, this may be no idle threat.” Italy has already fined Google €1 million because Italian citizens were not able to identify the company’s Street View cars and thus were unaware of being captured on camera.
The Italian regulator said in a statement on Thursday that Google has indeed paid the fine (which is relatively high, but also quite low compared to the company’s earnings) and has made changes such as putting signage on the Street View cars to make them recognizable and giving notice on its website and via newspapers and radio stations at least three days ahead of filming in a particular area.
A similar requirement that German citizens opt in to Street View may be why Google has stopped refreshing that country’s images, “and the service is unnecessarily broken in Germany as a result,” according to the Gigaom report.
The Italian data protection commissioner’s ruling outlines what is required of Google over the next 18 months:
- Inform users that their data is spread across Google services like YouTube, Gmail and Google+ for marketing purposes.
- Make clear that data is collected both by cookies and behavioral “fingerprinting” technologies.
- Obtain opt-in permission from users before using their data for commercial purposes.
- Upon request, delete users’ data within 2 months for data stored on “active” systems and within 6 months for backed-up data.
- Specify the length of users’ data retention.
Google is already processing thousands of “right to be forgotten” requests by European citizens who want their personal information deleted from Google’s search engine results.
Earlier this year, the European Court of Justice said individuals have the right to control their data and can ask search engines to remove results in EU countries where Google establishes a branch to promote and sell advertising. The move was in line with an earlier EU data-protection directive proposed in 2012.
While privacy advocates and European commissioners believe the ruling brings “today’s data protection rules from the ‘digital stone age’ into today’s modern computing world,” The Guardian said the ECJ ruling has “huge implications, and is hugely contentious,” potentially burdening online businesses and leading to tech giants closing European offices to escape the law’s reach — even before considering the ruling’s freedom of speech verbiage.