Italy’s data protection regulator has given Google 18 months to change the way it treats and stores user data, bringing to an end an investigation that is part of a European drive to reform the internet giant’s privacy practices.
Regulators in several European nations, including Italy, began a joint inquiry last year after Google consolidated its 60 privacy policies into one, combining data collected on individual users across its services, including YouTube, Gmail and social network Google+. It gave users no means to opt out.
In a statement on Monday, the Italian watchdog said Google’s disclosure to users on how their data was being treated remained inadequate, despite the company having taken steps to abide by local law. It gave the group 18 months to fully comply.
The Rome-based regulator said Google would not be allowed to use the data to profile users without their prior consent and would have to tell them explicitly that the profiling was being done for commercial purposes.
A spokesman for Google said the company had always cooperated with the regulator and would continue to do so, adding it would carefully review the regulator’s decision before taking any further steps.
Regulators in France and Spain have already fined Google for breaking local laws on data protection, underscoring growing concerns across Europe about the volume of personal data that is held in foreign jurisdictions.
In Britain, the ICO regulator gave Google until September 20 last year to make changes to bring the policy into line with local law. On Monday a spokesman did not return a request for comment asking for an update on the case.
In a separate regulatory development, Google is taking initial steps to meet a European ruling that citizens can have objectionable links removed from Internet search results, a ruling that pleased privacy campaigners but raised fears that the right can be abused to hide negative information.
The request was made in a formal letter sent on 16 October 2012 by the EU's Data Protection Authorities united within the so-called Article 29 Working Party. The letter was signed by 24 of EU's 27 data regulators plus those of Croatia and Liechtenstein.
In March 2011, EU Justice Commissioner Viviane Reding spelled out new privacy rules for personal data held on the Internet, including a "right to be forgotten" that would allow users to permanently delete data held by companies.
Reding's proposals would overhaul the EU's 15 year-old Data Protection Directive. Her "four pillars" include urging more transparency from companies that process personal data, making privacy the default setting on websites and ensuring that all companies that operate in the European Union follow EU data protection rules.
Data protection and privacy in electronic communications are also governed by the E-privacy Directive, which dates back to 2002.