The Flow of Personal Data on the Internet: The Italian and European Google Cases

by Francesco Giacomo Viterbo

The recent judgement of the European Court of Justice of 13 May 2014 (hereinafter: the Judgement) focused on the activity of the Google platform as a provider of indexed content, including personal data; this activity consists of locating information published on the web by third parties, indexing it automatically, storing it temporarily, and finally, making it available to internet users according to a particular order of preference. The Court has stated that these operations must be classified as ‘processing’ (within the meaning of Directive 95/46), and are activities that can be distinguished from and are additional to the activities carried out by publishers of websites, and have additional effects on the data subject’s fundamental rights. This means that, especially in an online environment, the types of data processing, as well as the rules to be applied are becoming more diversified, even when considering the rights that can be exercised by data subjects. The key question to be answered is therefore not whether, but how data protection principles and rules have to be applied in each specific case. This can be illustrated by the measures set forth by the Italian Garante per la protezione dei dati personali (hereinafter: the Garante) in order to bring the processing of personal data carried out under Google’s new privacy policy into line with the Italian Data Protection Code. These measures tackle the problem of applying ‘criteria for making data processing legitimate’ and ‘principles relating to data quality’ on the internet, and focus on the legal requirements for the data subject’s prior consent with respect to a wide array of features offered to its users. It is exactly on this ground that one point of connection between the Data Protection Directive and the e-Privacy Directive will be analysed. The measures seem to emphasise the role of data subjects’ consent in the area of marketing and behavioural advertising, where there is no room for contractual agreements. Nonetheless freedom of contract within the scope of personal data protection does not seem to be ruled out. In this context, personal data are not negotiable goods and cannot be treated in the same way as any other kind of tradable commodity.

 Read the full article