Google, the italian dpa and the ghost protocol

The Garante della Privacy (the Italian DPA ) has published its ruling dated January 22nd, 2015, where it formally approves the control protocol submitted by Google Inc. On July 14, 2014 the Italian DPA had issued a decision ( where it had found Google’s privacy policies where in violation of the Italian privacy Code. The Garante had ordered Google to modify its policies in several areas, namely the information notice to data subjects had to be modified; consent had to be obtained for several personal data processing operations including, among others, consent for profiling, cookies, and for several services offered by Google. Finally, the data retention policies had to be put in line with the law. Google had until Sep. 30, 2014, to propose a control protocol to the Garante, to allow it to verify the compliance of the new policies. The proposal was submitted by Google on time and after a relatively short negotiation (and few changes to the original proposal) the protocol has now been approved. Under the protocol the Garante will assess periodically the status of the implementation of the modification to the policies, and it has been agree that the Garante may conduct audits at Google’s premises in the US. So far so good; the only problem is that the Garante has omitted the publication of the protocol itself and, more disturbing, has omitted any motivation as to why it has decided not to publish it. This is a very strange decision, under many points of view. Most of all, we regret this omission for a basic reason: it is at odds with the very reason why Courts’ decisions, comments and related materials are published, i.e. to increase the understanding, the knowledge and (last, but not the least) compliance with the law. The dissemination of such documents and the knowledge of the legal rationale that has led a Court to a given decision is key to all lawyers, indeed to anyone who practices law; it helps to better understand how the law itself must be interpreted and applied. This is of key importance in a subject matter (Information Technology) where interpretation of the law is often not easy and where each one of us has a great deal to learn. Second: this is a very important precedent, whose knowledge would have possibly forced, or maybe simply suggested other (reluctant) Internet operators a way to comply with the law, following the steps taken by the largest Internet and technology company in the world. Nothing works like emulation, and the awareness of the task Google will undertake (because we are sure it is not going to be an easy task) may have prompted others to be proactive in changing their own policies. The ruling is available on and will shortly be published on our website as well.

Comments are closed.