Google will implement all the measures imposed by the Italian Data Protection Authority (DPA), the Garante, to protect Italian users' privacy. For the first time in Europe, Google will be the subject of regular checks to monitor progress status of the actions to bring its platform into line with domestic legislation.

The Italian DPA approved the verification protocol referred to in its order of July 2014 to Mountain View. This marks a shift from the laying down of measures by the DPA to the practical implementation of such measures by Google, which will have to be fully compliant by 15 January 2016.

The protocol envisages quarterly updates on progress status and empowers the DPA to carry out on-the-spot checks at Google's U.S. headquarters to verify whether the measures being implemented are in compliance with Italian law.

The protocol enables the DPA to continuously monitor the changes Google is required to make to the processing of personal data relating to users of its services, including its search engine, email, YouTube and social networking services.

The key measures Google is to implement in the course of 2015 are summarized below.

Privacy Notice

Google will have to improve its privacy policy by making it unambiguous and easily accessible and tailoring it to the specific service, such as Gmail, Google Wallet, Chrome, etc.

The notice will have to detail purposes and mechanisms of the processing of users' data, including profiling as performed by combining data across multiple services, the use of cookies and other identifiers such as fingerprinting, that is, the collection of information on the use of terminal equipment or devices by users and the storage of this information directly in the company's servers.
Google will have to set up an archive that includes previous versions of its privacy notices to allow users to keep track of the changes made over time.

Consent

In order to profile users of its services, Google will have to first obtain their informed consent. This requirement will have to be implemented, though via different mechanisms, both for new accounts and for existing Google accounts.

Google will also have to fully implement the measures set forth in the decision adopted by the Italian DPA in May 2014 regarding use of cookies and other identifiers, including unregistered users.

All data subjects will have to be afforded, in any case, the right to object to the processing of their data for profiling purposes.

Data storage and deletion

Google will have to further improve its data storage and deletion mechanisms for users' personal information. In particular, a specific time frame will have to be in place regarding data deletion from both online and backup systems.

Internal rules on anonymization will have to be revised to ensure that the relevant procedures are fully effective and compliant with the guidance already provided by European DPAs.

Users' Requests for Delisting Search Results

An exchange of information will continue regarding delisting requests received by Google from Italian users so as to monitor the implementing arrangements of the so-called right to be forgotten.