Google agrees to Italian privacy authority audits in the US

Google will also be subject to quarterly checks in Italy

Google has agreed to on-the-spot audits at its U.S. headquarters in order to comply with Italy's data protection laws.

The Italian data protection authority (DPA) imposed several privacy measures on Google after an investigation into the company's policies that was completed in July 2014. On Friday, the authority said Google will comply with all demands.

The process to verify compliance calls for the DPA to check up on Google's progress at its U.S. headquarters. It remains unclear when that will happen, though. "There is no precise appointment at the moment but there is an agreement to be able to go there," a spokesman for the authority said.

Google will also be subject to quarterly checks in Italy to monitor progress, the authority said. It's the first time that Google is being subjected to such checks by a European authority, the DPA said.

Google will have to improve its privacy policy, making it unambiguous and easily accessible and tailoring it to specific services such as Gmail and Chrome.

It will also have to provide details about which data is being collected and what it will be used for. For example, it will have to tell users if their data is combined across multiple services. If Google wants to profile its users, it can only do so after it has obtained informed consent, the DPA said.

Google will also have to improve the way it stores and deletes data. In particular, there should be a specific time frame in which data will be deleted from Google's systems. Internal rules on anonymization of personal data will have to be revised to be compliant with the guidance already provided by European DPAs.

The company will also have to set up an archive with previous versions of its privacy policy to allow users to keep track of the changes made over time.

A Google spokesman said it would continue to work with the Italian DPA. It will have to implement the measures by February 2016.

Google's privacy policy has been under scrutiny in Europe since it was introduced in 2012, when it started combining around 70 existing policies for various services, despite the concerns of European Union data protection authorities.

In January, the company agreed to change its policy in the U.K. after regulatory pressure, and last year, the Dutch privacy authority threatened fines of up to €15 million if it did not change its privacy policy to start complying with Dutch law by the end of this month.

Google has also been fined in France and in Spain over privacy issues similar to those addressed by the Italian DPA.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, online payment issues as well as EU technology policy and regulation for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to
