• The company communicates to the Lumen Project without a valid legal basis information about user requests, including their identification, email, the reasons given and the URL claimed
  • The Agency declares two very serious breaches of data protection rules and imposes a fine of EUR 10 million

(18 May 2022). The Spanish Data Protection Agency (AEPD) has ruled on the procedure initiated against the company Google LLC in which it declares the existence of two very serious breaches of data protection rules and imposes a penalty of 10 million euros for transferring data to third parties without standing to do so and hinder the right of citizens to be suppressed (Articles 6 and 17 of the General Data Protection Regulation).

Google LLC is responsible for the analyzed treatment and carries it out in the US. In the case of the communication of data to third parties, the Agency has found that Google LLC sends the Lumen Project information of requests made by citizens, including their identification, e-mail address, the reasons given and the URL claimed. The task of this project is to collect and make available requests for withdrawal of content and the Agency therefore considers that, Since all the information contained in the citizen’s request is sent for inclusion in another database accessible to the public and for dissemination via a website, “it is in practice to frustrate the purpose of exercising the right of erasure”.

The resolution states that this communication of data by Google LLC to the Lumen Project is imposed on the user who intends to use its forms, without the option of opposing it and, therefore, without a valid consent for that communication to take place. Establishing this condition in the exercise of a right granted to data subjects is not covered by the General Data Protection Regulation when “additional processing of the data covered by the request for deletion is generated when communicating them to a third party”. In addition, in the privacy policy of Google LLC, no mention is made of this processing of personal data of users, nor does communication to the Lumen Project appear among the purposes.

The AEPD also includes in its resolution that, submitted the request for withdrawal of content and fulfilled the right, that is, agreed deletion of personal data, “There is no room for further treatment of them, as is the communication that Google LLC makes to the Lumen Project”.

Regarding the exercise of citizens’ rights, the AEPD details in its resolution that “it is difficult to deduce whether the request is made on the basis of personal data protection rules, simply because these rules are not mentioned in any of the forms, irrespective of the reason the data subject chooses from among the options proposed, except in the form called ‘Withdrawal under EU privacy law’, the only available form containing an express reference to this regulation”.

The system designed by Google LLC, which leads the interested party through various pages to get to fill in your request, forcing you to pre-mark the options offered, “may cause you to end up setting an option that suits the reasons that you consider appropriate to your interest, but that takes you away from your original intention, which may be clearly linked to the protection of your personal data, unaware that these options place you in a different regulatory regime because it has wanted Google LLC or that your request will be resolved according to the internal policies established by this entity”. The Agency resolution states that this system is equivalent to “leave it to Google LLC to decide when it applies and when it does not apply the GDPR, and this would mean accepting that this entity can circumvent the application of personal data protection regulations and, more specifically, in this case, accept that the right to delete personal data is conditioned by the content removal system designed by the responsible entity”.

In addition to the financial sanction imposed in the resolution, the Agency has also requested Google LLC to comply with the rules of personal data protection the communication of data to the Lumen Project, and the processes of exercise and attention of the right of deletion, in connection with requests to withdraw content from its products and services, as well as the information it provides to its users. In addition, Google LLC must delete all personal data that have been the subject of a request for the right of deletion communicated to the Lumen Project, and has the obligation to urge the latter to delete and cease the use of the personal data communicated to it.

Barcelona, 26.05.2022