Google LLC has been fined €10 million ($10.59 million) by the Spanish data protection authority – Agencia Española de Protección de Datos (AEPD) – for two serious violations of the General Data Protection Regulation (GDPR). The violations relate to the transfer of the personal data of Spanish citizens to third parties, without having a legal base to do so and hampering EU citizens’ attempts to exercise their right to be forgotten and have their personal data permanently deleted.
AEPD determined that Articles 6 and 17 of the GDPR had been violated by Google. The information passed to third parties by Google could allow EU citizens to be identified when they exercised their right to erasure and have their personal data deleted. Individuals exercising that right had their email address, the reasons provided, and the claimed URL transmitted to a U.S.-based third party when there was no legal basis for further processing users’ data.
The third party in question is the Lumen Project, an academic project conducted by the Berkman Klein Center for Internet & Society at Harvard University. The project involves the collection of content takedown requests to be used in a study of legal requests for the removal of online information. In order for there to be a valid legal basis for passing the data to the Lumen Project, individuals should have been notified about the Lumen Project and be given a choice of having their data sent, and for those individuals to provide valid consent. Google was also criticized for the form provided for exercising the right to erasure, as the form was confusing. The consent form required users to select an option when completing their request that could result in the users’ data being treated under a different regulatory regime to data protection.
“In the case of disclosure of data to third parties, the AEPD has found that Google sent information of requests made to it by citizens, including their identification, e-mail address, the reasons given, and the URL claimed to the Lumen Project,” said AEPD in a statement. “The task of this project is to collect and make available requests for the removal of content, and the Agency, therefore, considers that, since all the information contained in the citizen’s request is sent for inclusion in another publicly accessible database and for dissemination via a website, ‘the purpose of exercising the right of erasure results in practice frustrated’.”
Regarding the lack of an option to opt-out of the transfer of personal data, “Establishing such a condition for the exercise of the right to erasure granted to data subjects is in breach of the General Data Protection Regulation by generating “an additional processing of the data contained in the request for erasure when communicating them to a third party.”
In addition to paying the financial penalty, Google is required to change its procedures to ensure they are fully compliant with the requirements of the GDPR. All personal data held by Google when there is no further legal basis for processing the data must be deleted.
“We’re always trying to strike a balance between privacy rights and our need to be transparent and accountable about our role in moderating content online,” said a Google spokesperson in a statement in response to the GDPR fine. “We have already started reevaluating and redesigning our data-sharing practices with Lumen in light of these proceedings.”