In the latest round of Google’s privacy battles in Europe, the Italian data protection watchdog has given the company 18 months to change the way it processes and stores user data.
In January 2014, France’s privacy watchdog, CNIL, fined Google €150,000 for failing to conform to local law regarding tracking and storing user information within the three-month deadline it had set.
The Rome-based Italian Data Protection Authority (DPA) said in a statement that Google must ask users for permission to use personal data and make it clear this data may be used for commercial profiling.
Profiling is typically used by advertisers to target individuals with specific offers tailored to browsing and purchasing patterns.
The watchdog said Google also has to honour requests to delete data within two months, but the firm will have up to six months to remove the content from backups.
Google's disclosure to users remains inadequate, despite the steps it has taken to follow local law, the statement said.
- EU data protection regulators begin action against Google
- Google closer to action from European privacy regulators
- Google gets record fine over privacy bypassing cookies
- Google lacks enterprise credibility
- Google privacy re-write raises data protection concerns
Google has also agreed to present a roadmap to the Italian DPA by the end of September, showing how the company will comply with privacy requirements.
The Italian DPA order follows a pan-European investigation that found that Google was in breach of the EU’s privacy laws.
The investigation was prompted by Google’s January 2012 consolidation of 60 of its privacy policies into one policy that covered a broad range of services without giving users the ability to opt out.
Privacy groups are concerned that personal data is being stored in the US, reducing the control that European citizens have over their personal information.
These concerns have increased in the wake of claims by whistleblower Edward Snowden that US intelligence services have access to material stored in US-based cloud services.
The Italian DPA said that while Google has made some progress towards complying with EU privacy laws, it is does not yet fully comply in areas such as seeking prior consent in profiling for commercial purposes or how long personal data is stored.