On May 18, 2022, the Spanish data protection authority, the AEPD (Agencia Española de Protección de Datos), issued a decision to fine Google LLC €10 million.
The fine was issued for violating the EU General Data Protection Regulation (GDPR) on account of two serious infringements of Article 6 (lawfulness of processing) and Article 17 (right to be forgotten).
In short, Google was sharing data with a database, the Lumen Project, without a proper lawful basis, and in doing so was restricting individuals’ right to the erasure of personal data.
The Lumen Project
For privacy reasons, Google LLC offers the withdrawal of results obtained in searches on Google Search and Google Maps services.
However, in order to withdraw the results, individuals have to fill out a form and provide information such as country of residence, full name, email, URL of the content that includes the personal information that must be removed, personal information that they want to delete and the reasons.
All this information is then included in another publicly accessible database, the Lumen Project, which is tasked with collecting legal complaints and requests for removal of online materials.
Since all the information contained in the requests is included in another publicly accessible database and disclosed via a website, the AEPD found that this frustrates and defeats the purpose of exercising the right to be forgotten.
The AEPD decision
In its decision, the AEPD stated that Google failed to provide users who were requesting the erasure of their personal data with an opt-out mechanism that would give them a choice over whether their information can be transferred to the Lumen Project.
Issues with the form
In order to submit the request, the individual has to fill out the form. The form submission system, designed by Google, leads individuals through various pages to complete a data deletion application.
This means an individual has to mark options that are offered in advance. As a result, the individual may choose an option that seems appropriate at the time but departs from the original intention to protect personal data, which could lead to the request being treated under a different regulatory regime.
The AEPD assessed this as equivalent to leaving the decision on when and where the GDPR applies to the discretion of Google.
This would mean accepting that Google can circumvent the application of personal data protection rules and accepting that the right to erase personal data is conditioned by the content removal system.
According to Google’s spokesperson, Google is already assessing the regulator’s decision and has reached out to the Lumen Project with questions.
“We have a long commitment to transparency in our management of content removal requests. Like many other Internet companies, we have worked with Lumen, an academic project of the Harvard Berkman Klein Center for Internet and Society, to help researchers and the public better understand content removal requests online.
“We are reviewing the decision and continually engage with privacy regulators, including the AEPD, to reassess our practices. We’re always trying to strike a balance between privacy rights and our need to be transparent and accountable about our role in moderating content online. We have already started reevaluating and redesigning our data sharing practices with Lumen in light of these proceedings.”
In addition to the fine, Google will have to change its practices in accordance with the GDPR and delete any personal data that have been the subject of a request for erasure communicated to the Lumen Project.
The AEPD has also ordered Google to urge the Lumen Project to cease use of and erase any personal data that Google communicated to it without a valid legal basis.
Read the official decision by the AEPD available only in Spanish: RESOLUCIÓN DE PROCEDIMIENTO SANCIONADOR
Official statement: the AEPD has imposed a sanction on Google LLC for transferring personal data to third parties unlawfully and for hindering the exercise of the right to erasure