Google Fined $8m by Sweden for Right-to-be-forgotten Breaches

In Sweden, the Data Protection Authority (DPA) has taken the decision to sanction a 75 million kronor (US$8 million) General Data Protection Regulation Penalty in relation to a “failure to comply”.

This step was taken after Google is reported to have consistently come up short when asked to remove search result links in line with right-to-be-forgotten requests. In addition to this there was a surprising move when the DPA also demanded that Google cease advising website owners that their URLs is about to be de-indexed following the completion of their request.

Under the right-to-be-forgotten regulation, which was establish long before the introduction of GDPR on May 25 2018, a process was introduced that would allow for the delisting of certain web pages that contain potentially “damaging” information. Basically it allowed for those who the information related to the right to contact Google, and other search engines, and request that they information be removed from Search Engine Result Pages. Since the ruling took effect in 2014, millions of de-indexing requests have been submitted to Google. However less than 45% of these request have been processed so far. In 2018 the right-to-be-forgotten rights were further enhanced with the previously-mentioned introduction of GDPR.

The report made reference to one case in which it said: “Google has done a too narrow interpretation of what web addresses needed to be removed from the search result listing. In the second case Google has failed to remove the search result listing without undue delay”.

The Swedish regulator also criticized Google for its practice of informing the websites’ owners that these links were due to be removed, which then allowed the owners to move the information to a different web address, according to the report.

The DPA went on to say: “Google does not have a legal basis for informing site-owners when search result listings are removed and furthermore gives individuals misleading information by the statement in the request form. That is why the DPA orders Google to cease and desist from this practice.”

In response to the report and the accompanying fine a Google representative said that the group “disagree with this decision on principle and plan to appeal.”

This move by the Swedish Data Protection Authority comes as American companies are becoming subject to all of the EU data protections authorities applying GDPR more stringently in order to protect the private data of EU citizens. GDPR was designed to add enhance cybersecurity and the EU Member States appear willing to apply it to the letter of the law which can result in a fine of €20m or 4% of annual global revenue for the previous financial year for companies that breach it.