Skip to content
Exterro for Law Enforcement
Get a Demo

Data Privacy Alert: Spanish Data Protection Authority Fines Google €10 Million

Download the privacy alert!

Why This Privacy Law is Important:

The Spanish data protection authority, the Agencia Española de Protección de Datos (AEPD), issued its largest fine ever in May 2022 against Google for violating the General Data Protection Regulation (GDPR), Google’s fourth fine under the regime that went into effect in 2018.
 

Overview:

On May 18, 2022, the AEPD issued its decision against Google, imposing a fine of €10 million for violations of two articles of GDPR. The two violations were against Article Six, regarding lawful processing of data, and Article 17, regarding the “right to be forgotten.”

Google’s Article 17 violations primarily consisted of making it difficult for users to submit requests for the removal of content. To request deletion of content, Google required users to follow a complicated process that included selecting which Google service(s) it wanted data removed from; the grounds upon which the request was being made (e.g., defamation, copyright infringement, harassment, personally identifying information, etc.); and then only routing users who selected certain pre-defined grounds for deletion to the web form.

Once the form was submitted, the data was then sent to the Lumen Project. According to AEPD, Google violated Article Six in its dealings with Lumen, a US-based legal database. Google’s privacy policy did not address its data transfers to Lumen, which included identifying information, email addresses, and legal claims, and it also failed to allow its users to opt out of the data transfers. Additionally, he Spanish DPA held that Google should have anonymized the data before transferring it to Lumen.

The fine is the fourth received by Google under GDPR and the second largest overall, following a €50 million fine from the French DPA in 2019. Sweden and Belgium have both levied fines against Google under GDPR.
In response, a Google spokesperson explained, “We are reviewing the decision and continually engage with privacy regulators, including the AEPD, to reassess our practices. We’re always trying to strike a balance between privacy rights and our need to be transparent and accountable about our role in moderating content online. We have already started reevaluating and redesigning our data sharing practices with Lumen in light of these proceedings.”

Download the Privacy Alert to the right to get the full text and expert analysis!