Spanish Data Protection Authority imposes 10 million euro fine on Google, the highest to date
Framework of the sanctioning procedure
The sanctioning procedure, which was brought following a complaint by an individual, concerns the procedures that Google LLC ("Google") makes available to the public so that data subjects ("Applicants") can request the withdrawal or erasure of online content managed by Google, based on copyright infringement, defamation, court rulings, trademarks, etc.
As the complainant informed the Spanish Data Protection Authority (Agencia Española de Protección de Datos, "AEPD"), Google's forms required Applicants to enter certain personal data, which, along with the requests, were transferred by Google to a third party: Harvard University's Berkman Klein Center for Internet & Society, which is dedicated to collecting and making available to the general public requests to withdraw content from webpages. This project is known as Lumen. This third party in turn published the requests submitted by Applicants (Google users) on its website (lumendatabase.org), so anyone could access their personal data.
The proceedings were aimed at analysing the (il)legality of the transfer by Google to Lumen of personal data related to the withdrawal of online content, as well as a possible violation of the right to erase data.
Infringements of the law
The AEPD concluded that Google had infringed articles 6 (lack of legal basis for the transfer) and 17 GDPR (right to erasure). The AEPD imposed a fine of 5 million euro for each of these infringements.
Infringement of article 6 GDPR
For this first infringement, Google alleged that the transfer of personal data to Lumen was protected by a legitimate interest (article 6.1(e) GDPR) of both Google and Lumen: the publication of requests to withdraw content contributes to the project with the goal of transparency and accountability, while preventing abuse and fraud.
In response to this argument, the AEPD held that: (i) Google had not informed Applicants of this legitimate interest (the applicable privacy policy only contained a reference to the transfer; nothing else) nor had it given them the opportunity to oppose the processing in question; (ii) Google had not provided evidence of having weighed up the different interests involved prior to using this legal basis; and (iii) in any case, the AEPD considered that the alleged legitimate interest did not exist, since the processing of personal data is not strictly necessary to satisfy it; in other words, the legitimate interest could be satisfied without transferring the Applicants' personal data.
Furthermore, the AEPD reiterated that signing the form cannot be considered a valid way of giving consent to the transfer of personal data: among other requirements, for consent to be valid it must be free, that is, Applicants must have a real option not to grant consent to the disclosure of their data, without this involving any penalty in their use of the content withdrawal service. This was not the case here: the disclosure of personal data was inextricably linked to the sending of the request.
Infringement of article 17 GDPR
As regards this second infringement, the AEPD held that the system designed by Google to fulfil the request for the withdrawal of content could be misleading and confusing to users, who are given the impression that they are requesting the erasure of their personal data, when in reality this request for erasure is not going to be treated by Google as such, but rather as a request for the erasure of online content.
Therefore, according to the AEPD, while Google "provides the user with means to exercise the right to erasure", in reality "the requests that are made are not treated as such". In fact, not only is the personal data not erased, as requested by the data subject, it is also transferred to a third party (Lumen), which "in practice defeats the purpose of exercising the right to erasure".
Conclusion and next steps
Although the decision is not final (Google may choose to appeal the decision before the AEPD itself, or, alternatively, directly file an appeal for judicial review before Spanish Courts), it confirms that:
- While the AEPD has not yet reached the hundred-million fines imposed by other data protection authorities, there is an upward trend in the fines imposed.
- The most significant fines are related to the analysis of general policies adopted by data controllers. Therefore, the AEPD does not impose these fines because it considers that data controllers have infringed the GDPR in a specific case (i.e. affecting a particular data subject), but uses the specific cases as a sample of a general policy that is considered to infringe the GDPR.