Google gets 18-month deadline to overhaul data handling in Italy

The Italian data protection watchdog has brought in new regulations that will see Google forced to change how it collects, handles, and stores users' data.
Written by Federico Guerrini, Contributor
Google has 18 months to change the way it handles data in Italy. Image: Google

The relationship between Google and Italy hasn't always been an easy one.

Four years ago, three managers at Google's Italian subsidiary were found guilty of violating the country's privacy laws after a video was posted on Google Video depicting a disabled person being bullied. The verdict was later overturned, but the trial made waves across the world.

More recently, at the end of 2013, Democratic Party MP Francesco Boccia proposed a law introducing a so-called 'web tax' which would oblige internet companies that offer services to Italian users to set up a taxable entity in the country. The proposal was also known by the name of the 'Google tax', and was later pulled back by the Democrats.

Now it's the turn of Italy's data protection authority, the Garante della protezione dei dati personali, to tackle the company. Yesterday, the data watchdog brought in new regulations that will force the Mountain View-based company to change its data handling practices.

Google will have to alter the way it informs users how their data is being collected, ask for prior consent before using it to build up a profile for targeted advertising and other purposes, and modify its data retention practices. Google will have 18 months to bring itself into line with the provisions.

Specifically, Google will have to clearly explain to its users that their data is being stored for marketing purposes, and that the information is gathered not only through the now-notorious use of cookies, but also through other, less well-known methods such as 'fingerprinting'.

Fingerprinting is a technique that allows Google to profile internet users by identifying their device through its unique pattern of use. The distinction matters because, while cookies are stored on a computer and can be removed through the browser or other add-on software, the information collected through fingerprinting is stored directly on Google's servers, and the only way to remove it is through a request to the company.

As for consent, the authority made clear that simply using a Google service will be no longer considered equivalent to giving permission for the profiling. Google will now have to introduce a way, suggested by the watchdog, of giving users the chance to opt-in to having their browsing data collected, or opt-out of some or all Google's profiling for particular services, without interrupting their surfing.

The Garante also introduced new limits on how long Google can store data. The stipulations only apply to personal data (rather than data relating to queries made through its search engine, for example) and the time limits are different depending on whether the data is 'active', stored on Google servers for current use, or stored on backups.

In the first case, if a user asks for their information to be removed, Google will have to comply in the space of two months. In the second, the company will have up to six months to meet the request.

Read more on this story

Editorial standards