Some big tech firms have been heavily targeted for General Data Protection Regulation (GDPR) fines in the EU, but Google has been relatively fortunate thus far. Aside from two multimillion-dollar judgements issued in 2020 (in France and Sweden), the company has largely managed to avoid substantial punishments from regional regulators. It has now received one from Spain, however, for violations of the GDPR’s “right to be forgotten” provisions and for improperly passing EU personal data overseas.
€10 million GDPR fine from Spain described as “very serious” by regulators
Spanish data protection authority Agencia Española de Protección de Datos (AEPD) called the two infringements that led to the GDPR fine “very serious.” Both relate to Google’s transfer of EU citizen data to an academic research project based in the United States.
The decision centers on the Lumen Project, an ongoing study conducted by Harvard’s Berkman Klein Center and supported by the Electronic Frontier Foundation. The project, which began in 2001, collects cease-and-desist letters related to online activity with an eye to determining any effect they might have on free speech. Google has contributed to the archive since 2002, first motivated to action when the Church of Scientology filed bad faith takedown requests in order to silence websites critical of them.
The Lumen Project has typically focused on takedown requests made under the United States Digital Millennium Copyright Act (DMCA), but has also begun collecting data deletion requests made by EU citizens under the rights granted by the GDPR. The first of the Spanish regulator’s findings was that Google could not demonstrate a legal right to pass these requests on to a third party, as it was not providing users with notification or a choice.
The AEPD also found that Google tripped over the “right to be forgotten” granted by Article 17 of the GDPR by putting the deletion request itself, and the attendant details, beyond their reach. The form that users were asked to fill out to request removal of their data from Lumen Project was also found to be faulty and confusing in its structure.
While AEPD has little recourse directly against Lumen Project, the organization has said that it has honored a request by the AEPD (via Google) to delete the user data found to have been communicated to it without a legal basis. Google has said that it is reviewing the AEPD’s GDPR fine and that it is re-evaluating how it shares data with Lumen Project in light of the decision.
One of Google’s two prior GDPR fines also related to the right to be forgotten, but in that case it concerned a de-indexing stipulation for search engines that was first established in 2014 (and later incorporated into the GDPR terms). Sweden fined Google the equivalent of about $8 million in 2020 over failure to keep up with de-indexing requests in a timely manner and failure to remove the full range of web addresses attached to certain requests.
Jurisdiction and efficiency of GDPR fines called into question by Spain decision
The AEPD judgment is noteworthy not just for being a rare GDPR fine for Google, but also for shining a spotlight on a bottleneck of cases created by the Irish Data Protection Commission (DPC)’s lead role in regulating cases involving the tech giant.
Complaints that involve Google generally wind up in the hands of the Irish DPC for investigation and enforcement decisions, under the “one stop shop” provision of the GDPR, which sends them to the country where the company in question keeps its EU headquarters. Like other tech firms headquartered in Dublin for the tax benefits, Google has also enjoyed the benefit of a lead regulator that frequently takes years to investigate complaints about big tech firms and proposes minimal GDPR fines when it does finally reach a decision. The Irish DPC has several complaints against Google that remain under investigation, the longest of these now stretching back to when the GDPR first went into effect in 2018.
The case with Lumen Project was an anomaly that allowed Spain to take point as the initial complaint was filed there, the data of Spanish citizens was being processed and the processing was taking place at the US end. The AEPD was required to confer with the Irish DPC beforehand to determine jurisdiction. The other EU case in which Google previously received a GDPR fine, a 2020 judgment by the French data protection authority, also relied on something of a loophole in the usual due process; Google was found to be “forum shopping” by moving the data of impacted French citizens to Ireland, allowing France to address the complaint directly.
Google’s ongoing investigations in Ireland include probes over use of location data and the workings of its advertising services, among other issues. The Irish DPC was sued in March by the Irish Council for Civil Liberties over its slow movement on issues relating to Google complaints.