The Spanish Data Protection Agency (“AEPD”) has issued its highest fine to date – €10 million – to Google for unlawfully disclosing personal data to Lumen, an independent research project, and for infringing the GDPR’s right to be forgotten.

This is also AEPD’s first enforcement action against a data controller established outside the EEA.

Background

Search engines, like Google, frequently remove links to online content to address complaints relating to trademarks, defamation, and privacy and to comply with court orders. Such content removal practices influence what users see on search engines and online generally.

To increase the transparency of its online content moderation practices, Google shares content takedown requests and cease and desist letters with a third-party project called Lumen.

Lumen is an independent research project managed by the Berkman Klein Centre for Internet & Society at Harvard Law School, which collects and publishes copies of such online content takedown requests. Its aim is to facilitate research, provide transparency about such requests (including who is sending them and for what purpose) and so prevent abuse and fraud in online content moderation practices. Lumen says its database has already helped researchers identify fraudulent takedown notices on a number of occasions.

One-stop-shop

Upon receiving a complaint against Google by a data subject, the AEPD asked the Irish Data Protection Commission (“DPC”) to confirm whether it was the lead supervisory authority for this matter under the GDPR’s one-stop-shop mechanism.

The DPC stated it did not believe it was competent to act as lead authority as the data processing was carried out by Google Ireland’s US parent company, Google LLC. However, Google argued that the infringement was based on forms offered by its Irish subsidiary, and thus the DPC was the competent authority to look into this complaint.

The AEPD disagreed with Google, concluding that Google’s US-based parent company was the data controller in relation to these services when the complaint was filed and that Google LLC was therefore subject to the GDPR as a result of offering services to the data subjects in Spain (Article 3(2)(a) GDPR). This means the AEPD is competent to decide the case.

Unlawful communication of data

The AEPD decided Google infringed the GDPR by disclosing to Lumen the personal data of users who asked for online materials to be removed. The data included the name of the person who made the request, email address, type of removal request, and the reported URL. The AEPD found that the personal data of the users was not anonymised by Google, as they are still visible on the legal notices published by Lumen on its database.

The AEPD ruled that Google disclosed this personal data without a clear and adequate legal basis, such as a valid legitimate interest or consent. Google argued that it had several legitimate interests to communicate the personal data to Lumen. The AEPD decided that Google failed to demonstrate that its legitimate interests prevail over the rights and freedoms of the data subjects, taking into consideration their reasonable expectations based on their relationship with Google (Recital 47 GDPR).

The AEPD also criticised Google’s poor transparency in relation to these transfers of personal data to Lumen, including their purpose and lawful basis. The AEPD ruled that, due to this lack of transparency, data subjects have been deprived of their right to be informed of the legitimate interests pursued by Google or third parties (Article 13(1)(d) GDPR) as well as their right to object to the communication of their data.

Right to be forgotten

The AEPD also found that the content removal form provided by Google to data subjects for exercising their right to be forgotten was confusing. The form required users to choose an option when completing their request, which meant that the users’ data erasure request could be reviewed under a different legal regime than data protection (e.g. defamation law). The AEPD also decided that this data erasure request system allows Google to arbitrarily decide whether or not to apply the GDPR to the users’ data erasure requests and makes the right to erase personal data conditional to Google’s content removal mechanism.

The AEPD also stated that since the personal data disclosed was subsequently included in Lumen’s publicly accessible database, users cannot get their personal data fully erased.

The erasure of personal data or so-called “right to be forgotten” arose as a result of a landmark AEPD ruling against Google back in 2010, which was subsequently upheld by the European Court of Justice in 2014.

Conclusion

The AEPD has fined Google LLC a total of €10 million. This is made up of €5 million for unlawfully disclosing personal data to Lumen and €5 million for infringing the GDPR’s right to be forgotten. Google has the right to appeal the AEPD’s ruling to the Spanish High Court, Audiencia Nacional.

This is the highest fine imposed by the AEPD to date and is an example of the AEPD’s recent measures to step up its enforcement activity.