Sweden: Datainspektionen fines Google €7M for GDPR violations
The Swedish data protection authority ('Datainspektionen') announced, on 11 March 2020, that it had fined Google LLC €7 million for violations under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') for not fulfilling its obligations in respect of the right to request delisting ('the Decision'). In particular, Datainspektionen outlined that in 2017, it had completed a review of how Google handles the right of individuals to have search results removed from Google's search engine, and that Datainspektionen had then instructed Google to remove a number of search results. Furthermore, Datainspektionen noted that in 2018 it had initiated a further review of Google's practices after receiving indications that several of the results that should have been removed were still appearing in searches.
Moreover, Datainspektionen criticised Google for not having removed two of the search results, as instructed in 2017. Specifically, Google was criticised for having made too narrow an assessment of which URLs ought to actually be removed from search results, and, on another occasion, had not removed a search result in a timely manner. Furthermore, Datainspektionen held that when Google removes a search result listing and notifies the website owner of which webpage link was removed and who was behind the delisting request, it was in fact doing so without a legal basis, and, therefore, Datainspektionen ordered Google to cease and desist from that practice.
UPDATE (12 March 2020)
EDPB issues statement on Datainspektionen fining Google €7M
The European Data Protection Board ('EDPB') issued, on 12 March 2020, a statement ('the Statement') on the Datainspektionen’s decision to fine Google €7 million for violations under the GDPR for not fulfilling its obligations in respect of the right to request delisting.
You can read the Statement here.