Italy’s DPA extends its reach to audit Google’s US headquarters and possibly other companies

The Garante, Italy’s DP Authority, is requesting changes to Google’s privacy policy to bring it into line with Italy’s data protection law. Google has until 15 January 2016 to comply. The decision includes the opportunity for the Garante to conduct spot checks at Google’s US headquarters.

A Garante spokesman told PL&B today: “The on-site spot checks relate to compliance by Google with the privacy policy requirements our DPA had set out in its order of July 2014. The order envisaged a 'verification protocol' to be submitted by Google to our DPA, which the DPA approved recently. Thus, the onsite spot checks are part of the regular assessment our DPA will carry out throughout 2015, including via quarterly updates. We plan to visit Google’s headquarters twice. We will see how this evolves. In any case we would like to use a consistent approach vis-à-vis multinational companies under similar or identical circumstances.”

The Regulator demands that Google’s privacy notice is tailored to each specific service (such as Gmail, Google Wallet, and Chrome). In order to profile users of its services, Google will have to first obtain their informed consent. This requirement will have to be implemented, via different mechanisms, both for new accounts and for existing Google accounts. Individuals will have to be offered the right to object to profiling. Additional requirements relate to data storage, deletion and anonymization.

The approval of the protocol issued on 10 July 2014 is at  (in Italian).

The 2014 protocol (in English)  

Privacy Laws & Business has organised a Roundtable together with the Garante in Rome 24-25 March 2015: Managing data protection law risks to your business in Italy
Speakers include companies, lawyers and:
Augusta Iannini, Vice-President, Garante and 9 other speakers from the Garante, Rome
Allegra Migliorini, Chair of the EU Council of Ministers DP Regulation (DAPIX) Committee under Italy’s EU Presidency, Ministry of Justice, Rome
Bruno Gencarelli, Head of the Data Protection Unit, European Commission, Brussels
Rocco Panetta, Head of Privacy & IT Compliance, NCTM (Roundtable host), Rome