Spain: AEPD fines Google €10M for unlawful transfer of personal data and failure to facilitate right to erasure
The Spanish data protection authority ('AEPD') published, on 18 May 2022, its decision in proceeding PS-00140-2020, in which it imposed a fine of €10 million on Google LLC for the violation of Articles 6 and 17 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following two complaints and a subsequent investigation by the AEPD.
Background to the decision
In particular, the AEPD noted that the complaints concerned the transfer of requests related to the removal of content from Google's various products and platforms, such as the Google search engine and YouTube, to a third party, the 'Lumen Project'. Specifically, the AEPD explained that to enable the removal of content, Google required users of the relevant forms to accept the transfer of copies of content removal requests to 'lumendatabase.org', on which they would, subsequently, be published.
Regarding the Lumen Project, the AEPD outlined that its purpose, as an independent research project, is to study requests for withdrawal or removal of online content made to Internet publishers, search engines, and service providers, facilitate the investigation of its different types, and educate the public, among others. In addition, the AEPD outlined that, with respect to the information provided to users about the transfer of personal data to the Lumen Project, the only information offered by Google was a notice inserted in the Google forms themselves, used for the submission of the request, according to which Google does not suppress any information contained in the requests it receives and that, instead, it is the Lumen Project which anonymises the user's contact details.
Findings of the AEPD
Following its investigation, the AEPD rejected the legal basis of 'legitimate interests' claimed by Google, i.e. its contribution to the Lumen Project for purposes of transparency and accountability, as well as to avoid abuse and fraud, finding that users were not duly informed about the legal basis that would justify the transfer of their personal data to the Lumen Project. In this regard, the AEPD determined that the privacy notice stated that Google does not share information with companies outside of Google unless the interested party gives their consent, which contradicted Google's argument. As such, the AEPD found a violation of Article 6 of the GDPR. Lastly, the AEPD found that Google violated Article 17 of the GDPR because the Google forms used did not facilitate the right to erase users' personal data and did not provide the option to object to such transfer.
In reaching this decision, the AEPD considered, among other things:
- the nature and seriousness of the infringement, considering that the data transfer was made to a third entity in a third country, and was carried out without the interested party having the opportunity to oppose it;
- the duration of the infringement;
- the nature, scope, or purpose of the processing activity in question;
- the large number of interested parties;
- the negligence on the part of Google; and
- the lack of adequate procedures to process personal data surrounding removal requests of online content.
Consequently, the AEPD imposed fines of:
- €5 million for the violation of Article 6 of the GDPR; and
- €5 million for the violation of Article 17 of the GDPR.
Additionally, the AEPD ordered Google to adopt, within a period of six months from the notification of the decision, the necessary measures to adapt its processing activities to the data protection regulations, and to delete all personal data that have been the subject of a request for the right of erasure communicated to the Lumen Project.