Google Must Comply With Italian Data Privacy Rules Within 18 Months

Italian regulators have told Google that it must get into compliance with their rules about data privacy or face fines of up to $1.35 million.


Italy is the latest European Union nation to tell Google to change its data privacy practices or face large fines. Italy's data protection agency, the Italian Data Protection Authority, has given the company 18 months to comply with the rules that protect the nation's residents or face fines of up to $1.35 million (1 million euros), according to a July 21 report by Reuters.

The Italian Data Protection Authority "said Google's disclosure to users on how their data was being treated remained inadequate, despite the company having taken steps to abide by local law," according to the report. "The Rome-based regulator said Google would not be allowed to use the data to profile users without their prior consent and would have to tell them explicitly that the profiling was being done for commercial purposes. It also demanded that requests from users with a Google account to delete their personal data be met in up to two months."

In addition, Google "also agreed to present a document by the end of September that will set a roadmap of steps to comply fully with the Italian regulator's decision," according to Reuters. "A source familiar with the regulator said should Google not comply it could risk fines of up to about 1 million euros, a tiny fraction of Google's income, as well as possible criminal proceedings."

"We've engaged fully with the Italian DPA throughout this process to explain our privacy policy and how it allows us to create simpler, more effective services, and we'll continue to do so," a Google spokesperson told eWEEK in an email reply. "We'll be reading their report closely to determine next steps."

Google has been involved in similar data privacy compliance cases in several nations throughout the EU in recent years.

In January 2014, Google was hit with a $204,200 fine by France's National Commission for Computing and Civil Liberties (CNIL) in connection with changes Google made to its data policies in 2012 that continue to be in conflict with the French Data Protection Act. The CNIL's decision relates to Google's move back in March 2012 to merge many of the company's privacy policies into one over-arching policy for some 60 Google services, including Google Search, YouTube, Gmail, Picasa, Google Drive, Google Docs and Google Maps.

Google merged the 60 privacy policies to help break down the identity barriers between some of its services to accommodate its then-new Google+ social network, according to an earlier eWEEK report. Google's streamlining came as regulators continued to criticize Google, Facebook and other Web service providers for offering long-winded and legally gnarled privacy protocols. The Google privacy policy changes went into effect March 1, 2012.

The CNIL action to fine Google was taken because Google did not sufficiently inform its users of the conditions in which their personal data are processed, nor of the purposes of this processing, according to the agency. That lack of information about why data is collected means that residents are not able to exercise their rights to object or seek deletion of such information, the agency stated.

In May 2012, French regulators accused Google of not being cooperative with investigators looking into privacy issues concerning the company and its practices there. The CNIL had sent Google a questionnaire about the new privacy policy in March 2012, but the agency complained that Google's answers were "often incomplete or approximate." A follow-up survey also left questions remaining.

Then in June 2013, French regulators gave Google 90 days to amend its policies about how the company deals with users' data or face large fines. Five other EU nations made similar threats to Google. In a statement, the CNIL told Google that it was taking the action because the company was not yet in compliance with French law.

In April 2013, Google was hit with a $189,167 fine in Germany for collecting user data without fully disclosing the practice as Google Street View vehicles combed German streets collecting information for its maps from 2007 to 2010.

A similar case in the United States was resolved in March 2013 when a $7 million settlement was reached between Google and the U.S. government to end a probe into the Street View imaging program, which for three years collected personal information on users wirelessly as the Street View vehicles drove around taking photographs. The $7 million fine against Google was designed to resolve investigations that were under way by some 30 state attorneys general over the controversial Street View program.

Google's progress on developing clearer, better-known policies regarding how it will use any of the personal data belonging to its users has become a sore point with many governments around the world, which say that the search giant is not moving quickly enough to address such privacy concerns. Google could potentially be fined about $1 billion for shortcomings in its data privacy policies in Europe.