Google has been fined ten million euros by the Spanish Data Protection Agency (AEPD) for transmitting data to third parties without a legal basis and for obstructing citizens’ right to erasure. According to the Agency, these practices violate Articles 6 and 17 of the European General Data Protection Regulation (GDPR).
According to the AEPD, Google passed information that could be used to identify citizens requesting deletion of their personal data under EU law, such as their email address, the reasons given, and the URL claimed, to a third party based in the United States without a valid legal basis for this further processing.
The Agency also ordered Google to alter its procedures for exercising the right to be forgotten with respect to requests for the removal of content from its goods and services, as well as the information it provides to its users, in accordance with data protection legislation.
The AEPD, in a statement announcing the sanction, said: “Google LLC acted as controller of the analysed processing, which was conducted in the US. In the case of disclosure of data to third parties, the AEPD has found that Google LLC sent information of requests made to it by citizens, including their identification, e-mail address, the reasons given, and the URL claimed to the Lumen Project. The task of this project is to collect and make available requests for the removal of content, and the Agency therefore considers that, since all the information contained in the citizen’s request is sent for inclusion in another publicly accessible database and for dissemination via a website, ‘the purpose of exercising the right of erasure results in practice frustrated’.”
“This communication of data by Google LLC to the Lumen Project is imposed on the user who intends to use Google forms, without the option of objecting to it and, therefore, without a valid consent for such communication to be made. Establishing such a condition for the exercise of the right to erasure granted to data subjects is in breach of the General Data Protection Regulation by generating ‘an additional processing of the data contained in the request for erasure when communicating them to a third party’,” the Agency added.
Reacting to the sanction in a statement, Google said: “We are reviewing the decision and continually engage with privacy regulators, including the AEPD, to reassess our practices. We’re always trying to strike a balance between privacy rights and our need to be transparent and accountable about our role in moderating content online. We have already started reevaluating and redesigning our data sharing practices with Lumen in light of these proceedings.”
What you should know
- In 2019, Nigeria also came up with the Nigeria Data Protection Regulation (NDPR) fashioned after the European GDPR to protect the data of Nigerians on the internet.
- This has been the only data protection instrument in the country in the absence of a substantive law.
- Industry analysts, however, believe that the Nigerian regulation will remain ineffective until the country passes its Data Protection Bill into law.