Spain slaps Google for frustrating EU ‘right to be forgotten’ – TechCrunch

Here’s a rare sight: Google has been fined 10 million euros by Spain for serious breaches of the European Union’s General Data Protection Regulation (GDPR), after it was found to have transmitted information that could be used to identify citizens requesting the deletion of their personal data under EU law, including their email address, the reasons given and the claimed URL, to a US-based third party without a valid legal basis for such further processing.

In addition to being fined, Google was ordered to change its procedures to bring them into compliance with the GDPR – and to delete any personal data it still holds related to this app.

The fine is not Google’s first GDPR sanction – France takes the credit for being the fastest to apply the bloc’s flagship data protection framework against it, a few years ago – but, to our knowledge, it is only the second time the adtech giant has been sanctioned under the GDPR since the regulation came into force four years ago this month. (Although the use of some Google tools has more recently been found to violate GDPR data export rules. Google has also been hit with much larger fines under EU online privacy rules.)

Spain’s data protection authority, the AEPD, announced the sanction today, saying it was sanctioning Google for what it described as “two very serious breaches” – related to the transfer of EU citizens’ data to a third party without a legal basis and, in doing so, hindering individuals’ right to erasure of their personal data under the GDPR.

The third party to which Google is alleged to have been unlawfully transferring data is the Lumen Project, a US-based academic project of the Berkman Klein Center for Internet & Society at Harvard University, which aims to collect and investigate lawful requests for the deletion of online information by accumulating a database of content takedown requests.

The AEPD found that by forwarding the personal data of European citizens who requested the erasure of their data to the Lumen project, Google was essentially frustrating their legal right to the erasure of their information (under Article 17 of the GDPR) – aka the “right to be forgotten”, or rtbf. (And Google has, to put it mildly, a long history of protesting the EU’s rtbf – which, in the form of search de-indexing, predates the GDPR, via a 2014 CJEU ruling. So the ability of EU individuals to make certain lawful demands attached to their personal data is nothing new.)

In its decision, the AEPD claims that Google did not give users who requested the erasure of their data a choice over whether their information was passed to the Lumen project, which means that there was no valid legal basis to share the data.

The regulator also criticized the forms-based system designed by Google for individuals to request the erasure of their data – for being confusing and for requiring them to select an option for their request which, it said, could lead to it being treated under a regulatory regime different from that of data protection.

“The Agency’s decision clarifies that this system is tantamount to ‘leaving Google LLC to decide when the GDPR does and does not apply, which would amount to accepting that this entity can circumvent the application of the rules of protection of personal data and, more specifically, to accepting that the right to erase personal data is conditioned by the content deletion system designed by the entity responsible’,” notes the AEPD in a press release.

A Google spokesperson told us they are evaluating the regulator’s decision.

The company said it has already taken steps to change its processes, such as reducing the amount of information it shares with Lumen for removal requests from EU countries. Google also suggested that its general policy is not to share any right to erasure/right to be forgotten search deletion requests or any other deletion request in which data protection or privacy rights are invoked – but if so, it’s unclear why the AEPD found otherwise.

In a statement, the Google spokesperson added:

“We have a long-standing commitment to transparency in our handling of content removal requests. Like many other Internet companies, we’ve worked with Lumen, an academic project of the Harvard Berkman Klein Center for Internet and Society, to help researchers and the public better understand online content removal requests.

“We are reviewing the decision and continuously engaging with privacy regulators, including the AEPD, to reassess our practices. We always try to balance privacy rights with our need to be transparent and accountable about our role in moderating online content. We have already begun to reassess and rethink our data sharing practices with Lumen in light of these procedures.”

We reached out to the Lumen Project with questions.

The AEPD also ordered Google to “request” that the Lumen project stop using, and erase, all data of EU citizens that Google has provided to it without a valid legal basis – although, ultimately, the Spanish regulator has limited means to force a non-EU based entity to comply with EU law.

The case is interesting because of a separate GDPR jurisdiction issue.

The Regulation’s one-stop-shop (OSS) mechanism routes cross-border complaints through a “lead” supervisor, usually in the EU market where the company has its principal place of business – which, in the case of Google (and of many other tech giants), is Ireland’s Data Protection Commission (DPC), which continues to come under heavy criticism for the laborious pace of its GDPR enforcement, particularly in cross-border cases that apply to tech giants. Indeed, the DPC is currently being sued for inaction on a Google adtech complaint.

This complaint dates back nearly four years at this point. The DPC also has a number of other long-running Google investigations, including one looking at its location tracking practices. But the Irish regulator has yet to issue a decision on the Google cases. GDPR enforcement against Google is therefore a rare sight.

If Spain’s far less well-resourced data protection agency can reach a decision and enforce it (it is in fact one of the most active data protection authorities in the EU), critics will surely ask why Ireland cannot.

Google’s first French GDPR spanking, meanwhile, was only possible because the adtech giant had yet to reconfigure its business to reduce its “regulatory risk” in the region, via OSS “forum shopping”, by moving citizen accounts to its Ireland-based entity – thus placing EU users under the jurisdiction of the (meticulous) Irish DPC.

So how did Spain get around the DPC’s GDPR enforcement bottleneck in this Google-Lumen case?

Basically, the agency has jurisdiction because Google’s American business was carrying out the processing in question, as well as the Lumen project itself being based in the United States. The regulator was also, presumably, able to show that Spanish citizens’ data was being processed, meaning it could intervene on their behalf.

The AEPD has confirmed that it relies on a mechanism in the GDPR to liaise with the Irish DPC on the issue of jurisdiction, telling us: “Once this process has been completed and after jurisdiction has been determined, the AEPD has agreed to open this sanction procedure.”
