Google gets 18-month deadline to overhaul data handling in Italy

Summary: The Italian data protection watchdog has brought in new regulations that will see Google forced to change how it collects, handles, and stores users' data.

TOPICS: Storage, Google, Legal, Privacy, EU
Google has 18 months to change the way it handles data in Italy. Image: Google

The relationship between Google and Italy hasn't always been an easy one.

Four years ago, three managers at Google's Italian subsidiary were found guilty of violating the country's privacy laws after a video was posted on Google Video depicting a disabled person being bullied. The verdict was later overturned, but the trial made waves across the world.

More recently, at the end of 2013, Democratic Party MP Francesco Boccia proposed a law introducing a so-called 'web tax' which would oblige internet companies that offer services to Italian users to set up a taxable entity in the country. The proposal was also known by the name of the 'Google tax', and was later pulled back by the Democrats.

Now it's the turn of Italy's data protection authority, the Garante della protezione dei dati personali, to tackle the company. Yesterday, the data watchdog brought in new regulations that will force the Mountain View-based company to change its data handling practices.

Google will have to alter the way it informs users how their data is being collected, ask for prior consent before using it to build up a profile for targeted advertising and other purposes, and modify its data retention practices. Google will have 18 months to bring itself into line with the provisions.

Specifically, Google will have to clearly explain to its users that their data is being stored for marketing purposes, and that the information is gathered not only through the now-notorious use of cookies, but also through other, less well-known methods such as 'fingerprinting'.

Fingerprinting is a technique that allows Google to profile internet users by identifying their device through its unique pattern of use. The distinction matters because, while cookies are stored on a computer and can be removed through the browser or other add-on software, the information collected through fingerprinting is stored directly on Google's servers, and the only way to remove it is through a request to the company.

As for consent, the authority made clear that simply using a Google service will no longer be considered equivalent to giving permission for the profiling. Google will now have to introduce a way, suggested by the watchdog, of giving users the chance to opt in to having their browsing data collected, or opt out of some or all of Google's profiling for particular services, without interrupting their surfing.

The Garante also introduced new limits on how long Google can store data. The stipulations only apply to personal data (rather than data relating to queries made through its search engine, for example) and the time limits are different depending on whether the data is 'active', stored on Google servers for current use, or stored on backups.

In the first case, if a user asks for their information to be removed, Google will have to comply in the space of two months. In the second, the company will have up to six months to meet the request.

Federico Guerrini

About Federico Guerrini

In the last 12 years Federico has been working as a freelance journalist, at first covering current affairs and economy and then focusing on technology, writing extensively for several Italian national media outlets.

Talkback

1 comment
  • Privacy

    There were polls about "security" vs. convenience. Especially in the U.S., most people wanted ease-of-use and convenience over security and privacy. The issue is that few bother to read the ToS and the privacy policy of websites because they "trust" that their information will really be private. "They wouldn't DARE give my information away to a third party without my permission..." Well, people need to wise up because sites argue that, just by using their websites and services, they have your permission to use your information or publicly display that information and that they are not responsible for storing protected data. So Google might use some small-town police force as a user of their services while large cities, such as Los Angeles, can't use Google because they have to conform to CJIS (criminal justice information) laws. It gets even worse when you find that a company or government stores your information out on the web without your permission. And then you get some "We're Sorry" letter that the website was breached or some employee lost a laptop.

    I'd be interested in what follows with what Italy is doing since Google is an advertising company and that they need the data in question in order to do business.
    hforman@...