The Spanish Data Protection Agency (AEPD) has imposed a penalty of ten million euros on Google for transferring data to third parties without a legal basis to do so and for hindering citizens’ right to erasure. According to the Agency, these contravene Articles 6 and 17 of the European General Data Protection Regulation (GDPR).
AEPD said it found that Google had passed information that could be used to identify citizens requesting deletion of their personal data under EU law, including their email address, the reasons given, and the URL claimed, to a U.S.-based third party without a valid legal basis for this further processing.
In addition to the financial penalty, the Agency also ordered Google to adjust its procedures for the exercise of the right of erasure in relation to requests for the removal of content from its products and services, and the information it offers to its users, in line with data protection rules.
What the Agency is saying
In a statement announcing the sanction, AEPD said: “Google LLC acted as controller of the analysed processing, which was conducted in the US. In the case of disclosure of data to third parties, the AEPD has found that Google LLC sent information of requests made to it by citizens, including their identification, e-mail address, the reasons given, and the URL claimed to the Lumen Project. The task of this project is to collect and make available requests for the removal of content, and the Agency therefore considers that, since all the information contained in the citizen’s request is sent for inclusion in another publicly accessible database and for dissemination via a website, ‘the purpose of exercising the right of erasure results in practice frustrated’.
“This communication of data by Google LLC to the Lumen Project is imposed on the user who intends to use Google forms, without the option of objecting to it and, therefore, without a valid consent for such communication to be made. Establishing such a condition for the exercise of the right to erasure granted to data subjects is in breach of the General Data Protection Regulation by generating ‘an additional processing of the data contained in the request for erasure when communicating them to a third party’,” the Agency added.
Reacting to the sanction in a statement, Google said: “We are reviewing the decision and continually engage with privacy regulators, including the AEPD, to reassess our practices. We’re always trying to strike a balance between privacy rights and our need to be transparent and accountable about our role in moderating content online. We have already started reevaluating and redesigning our data sharing practices with Lumen in light of these proceedings.”
What you should know
- In 2019, Nigeria also introduced the Nigeria Data Protection Regulation (NDPR), fashioned after the European GDPR, to protect the data of Nigerians on the internet.
- This has been the only data protection instrument in the country in the absence of a substantive law.
- Industry analysts, however, believe that the Nigerian regulation will remain ineffective until the country passes its Data Protection Bill into law.