[doc. web n. 1750713]

Press Release By The Italian DPA

 

Ordering Google Inc. to block data processing in connection with the "capturing" of communications on Wi-Fi networks and lodging a report with judicial authorities

The Italian Data Protection Authority

Having convened today in the presence of Prof. Francesco Pizzetti, President, Mr. Giuseppe Chiaravalloti, Vice-President, Mr. Mauro Paissan and Mr. Giuseppe Fortunato, Members, and Mr. Daniele De Paoli, Secretary-General;

Having regard to the Italian Data Protection Code (legislative decree no. 196 dated 30 June 2003, hereinafter "the Code");

Having regard to the letters dated 27 April 2010 and 14 May 2010 as sent by Google Italy S.r.l. to inform this DPA that Google Inc. – whilst acquiring images for the StreetView service via its cars driving through Italy – had collected both data on the presence of Wi-Fi networks and fragments of electronic communications (so-called "payload data") transmitted by users over Wi-Fi networks that were not protected by secure protocols and encryption measures;

Having regard to the letter dated 17 May 2010 by this DPA, notifying the commencement of an administrative procedure in respect of Google to establish whether the relevant processing operations were lawful and fair as regards compliance with personal data protection legislation in connection with the StreetView service;

Whereas this DPA had requested Google Inc. via the said letter to provide any items of information that could be helpful with a view to the overall assessment of the personal data processing operations performed via the StreetView service and had also called upon Google Inc. not to perform any further processing of payload data unless the DPA decided otherwise;

Having regard to the letter dated 1 June 2010, whereby Google Inc. – having taken up domicile at the Hogan Lovells law firm in Rome – provided initial clarification in respect of the collection of data on the presence of Wi-Fi networks and confirmed that they had been collecting payload data since April 2008 when the StreetView cars were driving through Italy, using Wi-Fi antennas and ad-hoc software for this purpose;

Whereas Google Inc. declared that, in their view, payload data were highly fragmentary as "Google StreetView cars move continuously and the WiFi equipment channel changes automatically five times per second"; however, they acknowledged that "it is theoretically possible for payload data to contain personal data where a user was transmitting personal information at the time the data were collected";

Whereas according to the statements made by Google Inc., the data in question were collected mistakenly, have never been used for any service, have never been communicated to third parties, and are currently stored on servers located in the USA – more specifically, in a separate database that can only be accessed by the entities that have been tasked by Google Inc. with ensuring data protection;

Whereas Google Inc. collected payload data over a considerable time span (April 2008 to May 2010) in a systematic manner and in connection with activities that were performed throughout Italy; whereas there are accordingly factual elements to conclude that it is likely for some of the collected information to be personal data;

Considering that the processing of personal data, if any, falls within the scope of application of the Code since it was performed by way of means located in the State's territory (see section 5 of the Code);

Having regard to section 11(1)a. and b. of the Code, whereby any personal data is to be processed lawfully and fairly and collected and stored for specific, explicit, and legitimate purposes;

Having regard to Article 15 of Italy's Constitution, which provides that freedom and confidentiality of correspondence and any other type of communication shall be inviolable and "may only be limited through a reasoned decision by judicial authorities in accordance with the safeguards set forth in the law";

Having regard to section 617-quater (1) of the Criminal Code, whereby "whoever fraudulently intercepts communications that relate to a computerised or IT system or else take place between several systems (…)" is to be punished;

Having regard to section 617-quinquies (1) of the Criminal Code, whereby "except where provided for by law, whoever installs equipment that is suitable for intercepting, preventing or discontinuing communications that relate to a computerised or IT system or else take place between several systems (…)" is to be punished;

Considering that, based on the information gathered in the course of our preparatory investigations, the processing carried out by Google Inc. as related, in particular, to payload data might be in breach of the aforementioned provisions of Italy's Criminal Code and that it is accordingly necessary to forward this case file to judicial authorities in order for the latter to assess it as appropriate;

Whereas under section 11(2) of the Code any personal data that is processed in breach of the relevant data protection provisions may not be used;

Considering it necessary for the payload data collected as above not to be deleted for the time being from the servers where they are stored, since they might serve as proof in case judicial authorities decide to step in;

Whereas under section 143(1)c. and section 154(1)d. of the Code the Italian DPA is empowered to order that any unlawful and/or unfair processing operation be blocked, also ex officio, and to also take such additional measures as are set forth in the legislation applying to the processing of personal data;

Considering that it is accordingly necessary to block the processing of data by Google Inc. in pursuance of section 154(1)d. of the Code as such processing was found to be unlawful with regard to the collection of payload data performed when StreetView cars were driving throughout Italy;

Taking account that, under section 170 of the Code, whoever is required to abide by this blocking order and fails to do so is punished by imprisonment for between three months and two years; that section 162(2-ter) of the Code provides that failure to abide by the said order also carries an administrative sanction consisting in payment of a fine ranging from thirty thousand to one hundred and eighty thousand Euro;

Without prejudice to such additional investigations and measures as may be decided upon in respect of the processing of data on the presence of Wi-Fi networks as performed by Google Inc. as well as regarding image acquisition for the StreetView service, since both issues are still being investigated by this DPA;

Having regard to the records on file;

Having regard to the considerations made by the Office as submitted by the Secretary General in pursuance of Article 15 of the DPA's Rules of Procedure no. 1/2000;

Acting on the report submitted by Prof. Francesco Pizzetti;

NOW, THEREFORE, THE ITALIAN DATA PROTECTION AUTHORITY

A. Orders that any processing of the payload data collected in the Italian territory be blocked by Google Inc. in pursuance of section 143(1)c. and section 154(1)d. of the Code;

B. Orders that a copy of the records on file and this decision be forwarded to the judicial authority in order for the latter to evaluate as appropriate whether criminal offences have been committed.

Done in Rome, this 9th day of the month of September 2010

THE PRESIDENT
Pizzetti

THE RAPPORTEUR
Pizzetti

THE SECRETARY GENERAL
De Paoli