An Italian antitrust regulator already spoke out earlier this year against Google's 'freemium' app sales model and now the country’s data protection regulator has ordered Google to change the way it treats and stores user data.
The Rome-based Italian Data Protection Authority said in a statement that Google, the operator of the world's largest search engine, must ask users for their prior consent to use personal data and that it should make clear that this may be used for profiling and commercial purposes.
Google has 18 months to make the appropriate changes.
The regulator said Monday it recognised that Google had made progress in adhering to local laws but that it did not yet comply fully in areas such as seeking prior consent for profiling for commercial purposes or how long personal data is stored.
A spokesman for Google said the company had always cooperated with the regulator and would continue to do so, adding it would carefully review the regulator’s decision before taking any further steps.
As part of the process, Google also agreed to present a document by the end of September that will set a roadmap of steps to comply fully with the Italian regulator’s decision.
An unnamed source has told journalists that if Google doesn't comply, it would face fines of up to 1 million euros and potential criminal proceedings.
The proceedings seem separate from the EU's concerns around its new "right to be forgotten" rule. In May the European Court of Justice ruled against Google in Costeja, a case brought by a Spanish man, Mario Costeja González, who requested the removal of a link to a digitized 1998 article in La Vanguardia newspaper about an auction for his foreclosed home, for a debt that he had subsequently paid.
The court ruled in Costeja that search engines are responsible for the content they point to and that Google was thus required to comply with EU data privacy laws. It began compliance on 30 May 2014, a day on which it received 12,000 requests to have personal details removed from its search engine.
The broad EU investigation started when Google combined all 60 of its privacy policies into one and started combining user data it collected on all of its services.
Google offered no option for users to opt out.
The company, based in Mountain View, California but with a strong worldwide presence, also paid a €1 million ($1.5 million) fine to Italy's data protection watchdog back in April over complaints that cars it used to record images on Italian streets in 2010 were "not clearly recognisable."
"Cars belonging to the giant of Mountain View roamed Italy's streets without being entirely recognisable as such, therefore not allowing the people present in those places to decide whether to be photographed or not," Italy's data protection regulator said in a statement in April.
Google, while paying the fine, issued a statement of its own saying "The fine from the DPA relates to an old case that dates back to 2010. We complied with everything the (regulator) required of us at the time."