Loek Essers reports:
Google has agreed to on-the-spot audits at its U.S. headquarters in order to comply with Italy’s data protection laws.
The Italian data protection authority (DPA) imposed several privacy measures on Google after an investigation into the company’s policies that was completed in July 2014. On Friday, the authority said Google will comply with all demands.
The process to verify compliance calls for the DPA to check up on Google’s progress at its U.S. headquarters. It remains unclear when that will happen, though. “There is no precise appointment at the moment but there is an agreement to be able to go there,” a spokesman for the authority said.
Google will also be subject to quarterly checks in Italy to monitor progress, the authority said. It’s the first time that is being subjected to such checks by a European authority, the DPA said.
Read more on CSO (AU).
Update: Here’s the release from the Garante per la protezione dei dati personali:
Google to comply with the privacy measures set forth by the Italian DPA
Verification protocol approved by the DPA
Google will implement all the measures imposed by the Italian DPA to protect Italian users’ privacy. For the first time in Europe, it will be the subject of regular checks to monitor progress status of the actions to bring its platform into line with domestic legislation.
The Italian DPA approved the verification protocol referred to in its order of July 2014 to Mountain View. This marks a shift from the laying down of measures by the DPA to the practical implementation of such measures by Google, which will have to be fully compliant by 15 January 2016.
The protocol envisages quarterly updates on progress status and empowers the DPA to carry out on-the-spot checks at Google’s US headquarters to verify whether the measures being implemented are in compliance with Italian law.
The protocol enables the DPA to continuously monitor the changes Google is required to make to the processing of personal data relating to users of its services – including its search engine, emailing, YouTube and social networking services.
The key measures Google is to implement in the course of 2015 are summarized below:
Google will have to set up an archive including previous versions of its privacy notices to allow users to keep track of the changes made over time.
In order to profile users of its services, Google will have to first obtain their informed consent. This requirement will have to be implemented, though via different mechanisms, both for new accounts and for existing Google accounts.
All data subjects will have to be afforded in any case the right to object to the processing of their data for profiling purposes.
Data Storage and Deletion
The US giant will have to further improve its data storage and deletion mechanisms as for users’ personal information. In particular, a specific timeframe will have to be in place regarding data deletion from both online and back-up systems.
Internal rules on anonymization will have to be revised to ensure that the relevant procedures are fully effective and compliant with the guidance already provided by European DPAs.
Users’ Requests for Delisting Search Results
An exchange of information will continue regarding delisting requests received by Google from Italian users so as to monitor the implementing arrangements of the so-called right to be forgotten.
Rome, 20 February 2015