First red flag
On March 11, 2020, the Swedish supervisory authority issued a statement confirming the highest GDPR fine issued to this day by the Swedish DPA.
This is a second large fine for Google, the first one was issued by the French CNIL, in the amount of €50 million which is the biggest GDPR fine, in general, to this date. Read our blog to find out more:
This was quite a surprise since Swedish DPA did not show any significant activity, issuing only two minor fines before. However, this is something that has been stirring since 2017.
In 2017 the DPA conducted an audit concerning how Google handles individuals’ right to have search result listings for searches that include their name, removed from Google’s search engine under the right-to-be-forgotten requests.
In its decision, the DPA concluded that several search result listings should be removed and ordered Google to do so. In 2018, due to indications that Google had not fully complied with the order, the DPA initiated a follow-up audit that is now finalized.
Results of the DPA audit
Lena Lindgren Schelin, General Director at the Swedish DPA, stated that an important part of individuals’ rights is to have their search results delisted. However, Google did not fully comply with its obligations in relation to this data protection right.
Google did not properly remove two of the search result listings that the DPA had ordered them to remove back in 2017.
Google has also made a too narrow interpretation of which web addresses need to be removed from the search result listing. In the second case, Google has failed to remove the search result listing without undue delay.
How should the removal of search results work?
When Google removes a search result listing, it notifies the website to which the link is directed so it gives the site-owner knowledge of which webpage link was removed and who was behind the request.
This allows the site owner to re-publish the webpage in question on another web address that will then be displayed in a Google search. This in practice, puts the right to delisting out of effect.
Therefore, the DPA also demanded that Google ceases informing websites their URLs will be de-indexed.
In Googles’ transparency report, Google explains how they remove URLs from all Google search results in Europe (meaning for users in France, Germany, Spain, etc.) and use geolocation signals to restrict access to the URL from the applicant country. However, they are not referring to the issue the DPA brought up.
Since the Court of Justice of the European Union enforced, the right to be forgotten back in 2014, Google received millions of requests. You can check the exact numbers and their progress status in their report.
The chart shows the percentage and actual number of URLs that were removed from the results after the review. The information used is generated from May 29, 2014, to March 9, 2020.
The chart does not include requests to remove URLs that have not yet been reviewed or whose processing requires additional information.
The report also shows the number of URLs requested to be removed to be and removal requests. There are currently 3.536.111 URLs requested to be removed and 900.008 removal requests from
Right to have search result listings removed
In May 2014, the Court of Justice of the EU ruled that an individual may request a search engine provider such as Google to remove a search result listing that contains the name of an individual in case the listing is inappropriate, irrelevant, no longer relevant, or excessive.
However, the right is not absolute. You can’t demand that all search results be removed. For example, if the site contains information of particular public interest.
Individuals who wish to exercise their right to request delisting should contact the search engine provider directly.
The amount of fine
As stated in the GDPR Article 83, there are two levels of GDPR fines. For the infringements of the data subjects’ rights, the organization can be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Taking this into account, the €7 million GDPR fine seems reasonable.
Next steps for Google
After the fine is issued, Google has a three week period to appeal the DPA’s decision. If Google decides not to appeal, the decision will enter into force by the end of that time period.