Skip to main content

Clifford Chance

Clifford Chance
All

Data

Talking Tech

Spanish data protection agency imposes 10 million euro fine on Google - highest fine to date

Data Privacy Consumer Big Tech 27 May 2022

Introduction

The Spanish Data Protection Agency (Agencia Española de Protecction de Datos, "AEPD") published a decision on 18 May 2022 imposing its highest fine to date: 10 million euros.

This new decision confirms (once again) the upward trend in the fines imposed by the AEPD, which began in December 2020 with the fining of BBVA for 5 million euros. Since then, the AEPD has broken the 1 million euro barrier at least 11 times.

Moreover, it is the first of such fines to be imposed on a data controller established outside the European Economic Area: Google LLC (Google).

Framework of the procedure

The sanctioning procedure, which was brought following a complaint by an individual, concerns the procedures that Google makes available to the public so that data subjects (Applicants) can request the withdrawal or erasure of online content managed by Google, based on copyright infringement, defamation, court rulings, trademarks, etc.

As the complainant informed the AEPD, Google's forms required Applicants to enter certain personal data, which, along with the requests, were transferred by Google to a third party: Harvard University's Berkman Klein Center for Internet & Society, which is dedicated to collecting and making requests to withdraw content from webpages available to the general public. This project is known as Lumen. This third party in turn published the requests submitted by Applicants (Google users) on its website (lumendatabase.org), so anyone could access their personal data. 

The above having been established, the procedure was aimed at analysing the (il)legality of the transfer by Google to Lumen of personal data related to the withdrawal of online content, as well as a possible violation of the right to erase data.

Infringements of the law

The AEPD concluded that Google had infringed articles 6 (lack of legal basis for the transfer) and 17 GDPR (right to erasure). Each of these infringements carries a fine of 5 million euros.

Infringement of article 6 GDPR

Google argued that the transfer of personal data to Lumen was protected by a legitimate interest (article 6.1(e) GDPR) of both Google and Lumen: the publication of requests to withdraw content contributes to the project with the goal of transparency and accountability, while preventing abuse and fraud.

The AEPD disagreed and held that:

  • Google had not informed Applicants of this legitimate interest (the applicable privacy policy only contained a reference to the transfer; nothing else) nor had it given them the opportunity to oppose the processing in question.
  • Google had not provided evidence of having weighed up the different interests involved prior to using this legal basis.
  • The alleged legitimate interest to not exist, since the processing of personal data is not strictly necessary to satisfy the legitimate interest alleged, or in other words, the legitimate interest could be satisfied without transferring the Applicants' personal data.

Furthermore, the AEPD reiterated that signing the form cannot be considered a valid way of giving consent to the transfer of personal data: among other requirements, for consent to be valid it must be free, that is, Applicants must have a real option not to grant consent to the disclosure of their data, without this involving any penalty in their use of the content withdrawal service.

This was not the case here: the disclosure of personal data was inextricably linked to the sending of the request.

Infringement of article 17 GDPR

The AEPD held that the system designed by Google to fulfil the request for the withdrawal of content could be misleading and confusing to users, who are given the impression that they are requesting the erasure of their personal data, when in reality Google is treating this as a request for the erasure of online content.

Therefore, according to the AEPD, while Google "provides the user with means to exercise the right to erasure", in reality "the requests that are made are not treated as such". In fact, not only is the personal data not erased, as requested by the data subject, it is also transferred to a third party (Lumen), which "in practice defeats the purpose of exercising the right to erasure".

Conclusion 

Although the decision is not final (Google may choose to appeal the decision before the AEPD itself, or, alternatively, directly file an appeal for judicial review before Spain's National Court), it confirms that:

  • While the AEPD has not yet arrived at the hundred-million fines imposed by other national data protection authorities, there is an upward trend in the fines imposed.
  • The most significant fines are related to the analysis of general policies adopted by data controllers. Therefore, the AEPD does not impose these fines because it considers that data controllers have infringed the GDPR in a specific case (i.e. affecting a particular data subject), but uses the specific cases as a sample of a general policy that is considered to infringe the GDPR.

Toolkits & Client Log-in