Spain’s data watchdog has issued its highest fine to date after finding that Google unlawfully transferred personal data to a US database.
The regulator, known as the AEPD, said that it had found two “very serious” GDPR breaches in Google’s practices. It said the company had transferred data to third parties without a legal basis, and hindered data subjects’ right to be forgotten. Each breach resulted in a €5 million fine.
According to the regulator, Google unlawfully shared information about individuals’ webpage takedown requests to the Lumen Project database, a Harvard University-run research project that documents various forms of online content takedown requests. The information included requesters’ IDs, email addresses, the grounds for the requests, and the URL they wanted removed.
The AEPD said the breach arose when data subjects completed Google forms to request content takedowns, which were then shared with the Lumen Project. Only Google’s right to be forgotten form referenced rules around personal data protection.
The AEPD said this is equivalent to letting Google decide when the GDPR applies or not, adding that “this would mean accepting that this entity can circumvent the application of personal data protection rules and, more specifically, accept that the right to erase personal data is conditioned by the content removal system designed by the responsible entity”.
In 2018, the watchdog received a complaint about individuals’ personal data being shared with the Lumen Project, which it forwarded to the Irish data regulator the following year. The AEPD asked Ireland’s Data Protection Commission to establish whether the latter was the lead authority in the case under the one-stop-shop.
The Irish watchdog did not consider itself competent in this case, as the complaints were lodged before it became Google’s lead regulator. The Irish regulator also rejected competency as lead supervisor on the grounds that the processing was carried out by Google’s US parent company.
In its objection to the AEPD’s draft decision, Google argued that the DPC was the lead regulator as the infringement was based on forms accessible through services offered by its Irish subsidiary. But the AEPD also disagreed, ruling that the case is “exclusively concerned” with the liability of the US-based parent company – meaning that the AEPD is the competent authority.
In calculating the penalty, the regulator cited a number of aggravating factors, including the fact that the transfers were made to a non-adequate country and without data subjects having the opportunity to object; a failure to have adequate systems in place for the processing of the relevant personal data; and the fact that Google’s activities are centred around the processing of personal data.
Google had asked the regulator to accept as a mitigating factor that it had told Lumen to anonymise the information it published. But the AEPD rejected this, saying that the infringement in this case was focused on Google’s data-sharing, and not the dissemination of the data by a third party.
On top of the financial penalty, the AEPD ordered Google to bring its practices in line with GDPR, to delete all personal data that has been the subject of a right to be forgotten request shared with Project Lumen, and to urge the database to do the same.
Daniel López Carballo, a partner at ECIJA in Madrid, said the decision “highlights a fundamental issue included in data protection regulations: the need not only to attend to the rights exercised by individuals over their personal data, but also the establishment of guarantees so that the result of this attention is truly effective.”
He noted that the regulator said the infringements had prevented data subjects from exercising their data protection rights.
“These aspects are fundamental in a regulatory system such as the European one, where the individual is the focus of the protection conferred by the GDPR, as the owner of his or her information, together with the implications for other fundamental rights, such as the right to honour, privacy and self-image,” López Carballo said. “All of them are connected and have implications derived from the correct attention and effectiveness of requests for the exercise of rights.”
He highlighted that the AEPD had “once again” issued a major penalty for infringements to core data protection principles. “In this case, the sanction does not relate to the use of disruptive technologies or artificial intelligence, mass data processing or other special processing,” he said, adding that this should give “food for thought”.
Leandro Núñez, a partner at Audens in Madrid, said: “The thing we can learn from this ruling is that it’s very important that companies handle adequately every request of rights they receive, even if it is not received through the official channel or form or procedure that has been implemented by the company to handle this request.”
He noted the size of the fine, which he said was significant but in alignment with penalties issued by other European data protection authorities, citing a €7 million fine issued by Sweden’s regulator in another Google right to be forgotten case.
Núñez also highlighted that “a lot of pages” in the ruling were dedicated to establishing that the GDPR applies to the US branch of Google directly and not just a Spanish branch. “I think that this is interesting, because it once again remarks that the GDPR also applies to non-European countries when they are processing information of European citizens,” he said.
Google did not respond to a request for comment. The company has two months to lodge an appeal.