Google could face criminal proceedings, as well as a €1 million ($1.35 million) fine, in Italy if it doesn’t change its data-handling ways.
According to a Monday ruling by the Italian data protection commissioner, who has been coordinating with counterparts across Europe, Google must do the following within 18 months to comply with privacy law:
- Make it clear to users that their data is mixed and matched across Google services for marketing purposes, both by cookies and by more advanced behavioral “fingerprinting” technologies.
- Get explicit opt-in permission from users before using their data in this way.
- Define how long it retains users’ data.
- Delete users’ data when asked, within 2 months for data stored on “active” systems and within 6 months for backed-up data.
Google must present the regulator with a roadmap of compliance steps by the end of September. A Reuters source “familiar with the regulator” told the news agency that, if Google does not play ball, sanctions could include the fine of up to €1 million “as well as possible criminal proceedings.”
In Europe, Google has around 95 percent of the search market, making its policies relevant to just about everyone.
Other European fines over the unified policy issue have been smaller, notably France’s €150,000 fine in January and Spain’s €900,000 fine last December. However, criminal proceedings would take things to another level and, based on Italy’s fairly disgraceful privacy-related conviction of top Google execs a few years ago for a bullying clip that had been uploaded to Google Video, this may be no idle threat.
Italy’s data protection regulator has already levied a €1 million fine on Google this year, because the firm’s Street View cars were not recognizable enough for citizens to know when they might be photographed.
As I argued just over a year ago, deep-pocketed Google may be able to shrug off such fines but it faces a very powerful adversary in European data protection regulators, as well as those from elsewhere around the world. The regulators have been coordinating their actions against the company since 2013 precisely because such relatively small fines are not enough to change Google’s course, and there’s no sign of the regulators relenting anytime soon.
What’s more, if the EU adopts new data protection legislation that’s winding its way through the legislative process, the fines may become too heavy to ignore.