At the end of last week, the Italian privacy regulator announced the approval of an arrangement with Google that enables the Italian DPA – for the first time in Europe – to regularly monitor Google's implementation of the measures required in its previous decision and to carry out specific inspections at Google headquarters in the US in order to verify that the services offered to Italian users comply with Italian data protection law.
Let’s go back to how it all started!
In 2012, Google announced the implementation of a single privacy notice for all its services. This led to a number of complaints from various EU privacy authorities, including the Italian DPA, which, following a 1,000,000 fine against Google Inc. for the processing of data collected through the Street View service (see our post here), also commenced a formal investigation that ended in the decision adopted in July 2014.
According to said decision Google was required to:
In addition to the above, the decision also required Google to set out the modalities and timing of implementation of the above-mentioned formalities.
Following the DPA's analysis, the verification protocol was finally approved. For the first time in Europe, it enables the Italian DPA to regularly monitor the progress of the above-mentioned actions, which Google must implement by January 15, 2016, as well as to carry out specific inspections at Google headquarters in the US.
The arrangement – which was not published by the Italian DPA at Google's request – is interesting for two reasons: (i) it requires Google's Italian entity to constantly update the Italian DPA on the implementation of the data protection requirements, but most importantly, (ii) it also confirms the recent approach of the Italian DPA of assessing the conduct of a foreign company (the US entity) over which, apparently, it does not have jurisdiction.
We will see whether the Italian DPA is going to adopt the same approach with other foreign entities as well.