European Data Protection Authorities Take On Major Search Engines: The Italian Part Of An Ongoing Confrontation

Author:Dr. Felix Hofer
Profession:Studio Legale Hofer Lösch Torricelli

In recent years, the Data Protection Authorities in several member states of the European Union have voiced their concerns1 to a number of leading search engines and social networks about the compliance of their business practices with the requirements set by the Directives for legitimate processing of their users' personal information. Both, national Privacy Commissioners as well as the Article 29 Working Party2 took the view that many of the service features offered by these companies to their users appeared to be in patent breach of the strictly 'opt-in' system (and the notice and consent requirement) established by the Directives3.

The companies addressed by such concerns initially displayed strong objections (and intense lobbying) against the DPAs' compliance requests, mainly based on the argument that, having their legal seats outside the European Union and not performing their questioned business activities within the territory of member states, they could not be considered as bound by the EU privacy regulations. In the end, the search engines and social networks concluded that they could not maintain strictly such defense argument and therefore sought direct contact with the DPAs of several EU member states.

In Italy, a major search engine partially accepted the local Privacy Commissioner's constraints and tried to come – through meetings with the officials of the Italian DPA – to what the company considered as a reasonable compromise.

Despite such somehow accommodating position of the search engine, in spring 2013 the Italian Privacy Commissioner – adhering to a joint initiative of other DPAs – opened a formal infringement proceeding against the company. The Commissioner found, that irrespective of some modifications to the company's privacy policy, critical aspects were persisting with respect to:

Proper notice and consent practices, Online behavioral advertising targeted to users and profiling and monitoring practices performed on web site visitors' online conduct, Automated processing of users' personal information for purposes of commercial communication, Use of personal data collected for purposes different from those specifically required from users, Placement of cookies or of other personal identifiers (allowing to link personal information to specific individuals), Storage period of the data collected (considered as excessive, even after some improving modifications, while the search engine's indications as to its data...

To continue reading