Here’s a rare sight: Google has been hit with a €10 million fine by Spain for serious breaches of the European Union’s General Data Protection Regulation (GDPR) which found it had passed information that could be used to identify citizens requesting deletion of their personal data under EU law, including their email address; the reasons given; and the URL claimed, to a U.S.-based third party without a valid legal basis for this further processing.
As well as being fined, Google has been ordered to amend its procedures to bring them into compliance with the GDPR — and to delete any personal data it still holds related to this enforcement.
The fine is not Google’s first GDPR penalty — France gets the accolade for most swiftly enforcing the bloc’s flagship data protection framework against it, some years ago — but, as far as we’re aware, it’s only the second time the adtech giant been sanctioned under the GDPR since the regulation came into application, four years ago this month. (Although use of certain Google tools has, more recently, been found to breach GDPR data export rules. Google has also been hit with far meatier fines under the EU’s ePrivacy rules.)
Spain’s data protection authority, the AEPD, announced the penalty today, saying it was sanctioning Google for what it described as “two very serious infringements” — related to transferring EU citizens’ data to a third party without a legal basis; and, in doing so, hampering people’s right of erasure of their personal data under the GDPR.
The third party Google was deemed to be illegally transferring data to is the Lumen Project, a U.S.-based academic project out of the Berkman Klein Center for Internet & Society at Harvard University which aims to collect and study legal requests for the removal of online information by amassing a database of content takedown requests.
The AEPD found that by passing the personal data of European citizens who were requesting erasure of their data to the Lumen Project, Google was essentially frustrating their legal right to erasion of their information (under GDPR Article 17) — aka the ‘right to be forgotten’; rtbf. (And Google has, to put it mildly, a long history with railing against the EU’s rtbf — which, in search de-indexing form, predates the GDPR, via a 2014 CJEU ruling. So the ability of EU individuals to make certain legal requests attached to their personal data is not at all new.)
In its decision, the AEPD says Google did not provide users who were requesting erasure of their data with a choice over their information being passed to the Lumen Project — meaning it lacked a valid legal basis for sharing the data.
The regulator also criticized the form-based system Google devised for individuals to request erasure of their data — for being confusing and requiring they select an option for their request which it said could lead to it being treated under a different regulatory regime than data protection.
“The Agency’s decision states that this system is equivalent to ‘leaving Google LLC’s decision as to when and when not GDPR applies, and this would mean accepting that this entity can circumvent the application of personal data protection rules and, more specifically, accept that the right to erase personal data is conditioned by the content removal system designed by the responsible entity’,” the AEPD notes in a press release.
A Google spokesperson told us it’s assessing the regulator’s decision.
The company claimed it’s already taken steps to amend its processes, such as by reducing the amount of information it shares with Lumen for removal requests which come from EU countries. Google also suggested its general policy is not to share any right to erasure/right to be forgotten search delisting requests or any other removal requests in which data protection or privacy rights are invoked — but if that’s the case it’s not clear why the AEPD found otherwise.
In a statement Google’s spokesperson added:
We have a long commitment to transparency in our management of content removal requests. Like many other Internet companies, we have worked with Lumen, an academic project of the Harvard Berkman Klein Center for Internet and Society, to help researchers and the public better understand content removal requests online.
We are reviewing the decision and continually engage with privacy regulators, including the AEPD, to reassess our practices. We’re always trying to strike a balance between privacy rights and our need to be transparent and accountable about our role in moderating content online. We have already started reevaluating and redesigning our data sharing practices with Lumen in light of these proceedings.
The AEPD has also ordered Google to “urge” the Lumen Project to cease use of and erase any EU people’s data it communicated to it without a valid legal basis — although, ultimately, Spain’s regulator has limited means to force a non-EU based entity to comply with EU law if it chooses not to.
In this case, the Lumen Project told us it has deleted the data, following a request by Google to do so.
“The data within the Lumen database consists copies of takedown notices that have been voluntarily shared with Lumen by the original senders or recipients of the notices. Google is one such recipient. Lumen’s policy has always been that if the party that originally shared a notice copy with Lumen — here, Google — requests that the notice be redacted or deleted, we will do so,” the spokesman for the Project also said.
Spain’s enforcement is also interesting because of a separate GDPR jurisdiction question.
The regulation’s one-stop-shop (OSS) mechanism funnels cross border complaints through a ‘lead’ supervisor, typically in the EU market where the company has its main establishment — which in Google’s case (and for many other tech giants) is Ireland’s Data Protection Commission (DPC), which continues to face strong criticizism over the painstaking pace of its GDPR enforcement, especially in cross-border cases which apply to tech giants. Indeed, the DPC is currently being sued over inaction on an Google adtech complaint.
That complaint dates back almost four years at this point. The DPC also has a number of other long-running Google enquiries — including one looking into its location tracking practices. But the Irish regulator still hasn’t issued any decisions on any Google cases. Hence GDPR enforcement of Google being a rare sight.
If Spain’s far less well resourced data protection agency can get a decision and enforcement out the door (it’s actually one of the most active EU DPAs), critics will surely ask, why can’t Ireland?
France’s earlier GDPR spank of Google, meanwhile, was only possible because the adtech giant had not yet reconfigured its business to shrink its ‘regulatory risk’ in the region, via OSS ‘forum shopping’, by moving citizens’ accounts to its Irish-based entity — thereby putting EU users under the jurisdiction of the (painstaking) Irish DPC.
So how, then, has Spain sidestepped the DPC GDPR enforcement bottleneck in this Google-Lumen case?
Basically the agency has competency because Google’s U.S.-based business was carrying out the processing in question, as well as the Lumen Project itself being U.S.-based. The regulator was also, presumably, able to show that Spanish citizens’ data was being processed — meaning it could step in on their behalf.
The AEPD confirmed it relied upon a mechanism in the GDPR to liaise with the Irish DPC on the question of competency, tell us: “Once this procedure was completed, and after jurisdiction had been determined, the AEPD agreed to open this sanctioning procedure.”
This report was updated with comment from the Lumen Project