The AEPD has imposed a sanction on Google LLC for transferring personal data to third parties unlawfully and for hindering the exercise of the right to erasure

(18 May 2022). The Spanish Data Protection Agency (AEPD) has issued a decision on the administrative procedure initiated against Google LLC declaring the existence of two very serious infringements of data protection rules and has imposed a penalty of ten million euros on the firm for transferring data to third parties without legal base to do so and for hindering citizens’ right to erasure (Articles 6 and 17 of the General Data Protection Regulation).

Google LLC acted as controller of the analysed processing, which was conducted in the US. In the case of disclosure of data to third parties, the AEPD has found that Google LLC sent information of requests made to it by citizens, including their identification, e-mail address, the reasons given, and the URL claimed to the Lumen Project. The task of this project is to collect and make available requests for the removal of content, and the Agency therefore considers that, since all the information contained in the citizen’s request is sent for inclusion in another publicly accessible database and for dissemination via a website, “the purpose of exercising the right of erasure results in practice frustrated”.

The decision states that this communication of data by Google LLC to the Lumen Project is imposed on the user who intends to use Google forms, without the option of objecting to it and, therefore, without a valid consent for such communication to be made. Establishing such a condition for the exercise of the right to erasure granted to data subjects is in breach of the General Data Protection Regulation by generating “an additional processing of the data contained in the request for erasure when communicating them to a third party”. Furthermore, in the privacy policy of Google LLC, no mention is made of this processing of personal data of users, nor does communication to Project Lumen appear among the purposes.

To this is added that, submitted the request for the removal of content and the deletion of the personal data having been exercised, “there is no legal grounds for a further processing such as the communication that Google LLC makes to the Lumen Project”.

As regards the exercise of citizens’ rights, the AEPD states in its decision that “it is difficult to infer whether the request is made on the basis of the rules on the protection of personal data, simply because these rules are not mentioned in any of the forms, irrespective of the reason the data subject chooses from the proposed options, except on the form entitled 'Withdrawal under EU Privacy Law', the only one available containing an express reference to these rules”.

The system designed by Google LLC, which leads the data subject through various pages to complete his/her application, forcing him previously to mark the options offered, “may cause the data subject to end up marking an option that suits the reasons it deems appropriate to his or her interest, but which departs him from its original intention, which may be clearly linked to the protection of his personal data, not knowing that these options place him in a different regulatory regime because Google LLC so wished or that his request will be decided in accordance with the internal policies established by this entity”. The Agency’s decision states that this system is equivalent to “leaving Google LLC’s decision as to when and when not GDPR applies, and this would mean accepting that this entity can circumvent the application of personal data protection rules and, more specifically, accept that the right to erase personal data is conditioned by the content removal system designed by the responsible entity”.

In addition to the financial penalty imposed in its decision, the Agency has also required Google LLC to put the communication of data to the Lumen Project, the procedures for the exercise of the right of erasure in relation to requests for the removal of content from its products and services, and the information it offers to its users, in line with data protection rules. Furthermore, Google LLC must delete all personal data that have been the subject of a request for the right of erasure communicated to Project Lumen, and it has the obligation to urge the latter to erase and cease the use of the personal data communicated to it.