Italy gives Google 18-month privacy compliance deadline

The Italian data protection watchdog has given Google 18 months to comply with EU privacy laws

In the latest round of Google’s privacy battles in Europe, the Italian data protection watchdog has given the company 18 months to change the way it processes and stores user data.

In January 2014, France’s privacy watchdog, CNIL, fined Google €150,000 for failing to conform to local law regarding tracking and storing user information within the three-month deadline it had set.

The Rome-based Italian Data Protection Authority (DPA) said in a statement that Google must ask users for permission to use personal data and make it clear this data may be used for commercial profiling.

Profiling is typically used by advertisers to target individuals with specific offers tailored to browsing and purchasing patterns.

The watchdog said Google also has to honour requests to delete data within two months, but the firm will have up to six months to remove the content from backups.

Google's disclosure to users remains inadequate, despite the steps it has taken to follow local law, the statement said.

A Google spokesman said: "We've engaged fully with the Italian DPA throughout this process to explain our privacy policy and how it allows us to create simpler, more effective services, and we'll continue to do so. We'll be reading their report closely to determine next steps."

More on Google's privacy policy

  • EU data protection regulators begin action against Google
  • Google closer to action from European privacy regulators
  • Should the new Google privacy policy concern enterprises?
  • Google gets record fine over privacy bypassing cookies
  • Google lacks enterprise credibility
  • Google customers launch class action suit over privacy policy
  • Google privacy re-write raises data protection concerns

Google has also agreed to present a roadmap to the Italian DPA by the end of September, showing how the company will comply with privacy requirements.

The Italian DPA order follows a pan-European investigation that found that Google was in breach of the EU’s privacy laws.

The investigation was prompted by Google’s January 2012 consolidation of 60 of its privacy policies into one policy that covered a broad range of services without giving users the ability to opt out.

Privacy groups are concerned that personal data is being stored in the US, reducing the control that European citizens have over their personal information.

These concerns have increased in the wake of claims by whistleblower Edward Snowden that US intelligence services have access to material stored in US-based cloud services.

The EU investigation concluded that Google was in breach of European privacy laws, and in July 2013, the UK’s privacy watchdog joined data protection authorities in France, Spain, Germany, Italy and the Netherlands in demanding a rewrite of Google’s privacy policy.

The Italian DPA said that while Google has made some progress towards complying with EU privacy laws, it is does not yet fully comply in areas such as seeking prior consent in profiling for commercial purposes or how long personal data is stored.

Read more on Privacy and data protection