The Flow of Personal Data on the Internet: the Italian and European Google cases

The recent judgment of the European Court of Justice of 13 May 2014 (hereinafter: the Judgment) focused on the activity of the Google platform as a provider of content, including personal data; this activity consists of locating information published on the web by third parties, indexing it automatically, storing it temporarily and finally making it available to internet users according to a particular order of preference. The Court has stated that these operations must be classified as ‘processing’ (within the meaning of Directive 95/46), and are activities that can be distinguished from and are additional to the activities carried out by publishers of websites, and have additional effects on the data subject’s fundamental rights. This means that, especially in an online environment, the types of data processing as well as the rules to be applied are becoming more diversified, even when considering the rights that can be exercised by data subjects. The key question to be answered is therefore not whether but how data protection principles and rules have to be applied in each specific case. This can be illustrated by the measures set forth by the Italian Garante per la protezione dei dati personali (hereinafter: the Garante) in order to bring the processing of personal data carried out under Google’s new privacy policy into line with the Italian Data Protection Code. These measures tackle the problem of applying ‘criteria for making data processing legitimate’ and ‘principles relating to data quality’ on the internet, and focus on the legal requirements for the data subject’s prior consent as well on the processing arrangements to be chosen by the provider with respect to a wide array of features offered to its users. It is exactly on this ground that one point of connection between the Data Protection Directive and the e-Privacy Directive will be analysed. The importance of consent seems to be emphasised by the law even if, in the majority of cases, the features are offered without charge to end-users. In the context of such negotiations and contracts, personal data are not negotiable goods and cannot be treated in the same way as any other kind of tradable commodity.