Privacy Authority to impose $8 Million Penalty
Google has announced that it intends to appeal the recent General Data Protection Regulation fine, its second, levied by Sweden’s Data Protection Authority against the internet giant. A fine of 75 million kroner (approximately $7.45 million) has been handed to Google due to its failure to remove search results connected to “right-to-be-forgotten” requests under the GDPR.
On Wednesday March 11th, the Swedish data privacy watchdog, Datainspektionen, issued the fine following Google’s failure to adequately remove two search result listings. The decision results from an investigation that was started by the bureau in 2017.
The Right to be Forgotten
The European Union’s right-to-be-forgotten regulation was first enacted in 2014, but was reinforced further under Article 17 of 2018’s GDPR.
Article 17 states that, under conditions that it goes on to outline: “The data subject (i.e. any identified or identifiable natural person) shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.”
Therefore, should the prerequisite conditions apply, under GDPR Google and its contemporaries have a legal obligation to hide certain pages from their search results when a consumer requests it.
The Subject Access Request
Given the nature of its activities, the so-called ‘right-to-be-forgotten’ is perhaps the key GDPR concern for a company such as Google. Nonetheless, given the sheer volume of personal data that search engines are in a position to gather from consumers, there are other major responsibilities to be taken care of if Google is to remain GDPR compliant.
Under Article 15 of GDPR, individuals can also make what is known as a subject access request. Following a request, data controllers are obliged to provide a copy of all of the personal information they hold on that person. Additionally, users may make a request that their personal information be “forgotten”. This right is not absolute; it may be legitimate to refuse a subject access request if, for example, the following conditions apply:
-The data controller can demonstrate that it would be too expensive or take too long to deal with the request
-It is a vexatious request
-The request is repetitive
Although said exceptions exist, in general terms it is true to say that in the vast majority of cases data controllers have a duty to furnish the personal information they hold when a subject requests it.
The Case Against Google
In a statement, Lena Lindgren Schelin, Director General of the Swedish DPA, said that her agency had found that Google was failing to demonstrate full compliance with its obligations regarding data protection rights.
Ms Lindgren Schelin criticised Google’s inadequate removal of two search result listings that the DPA had directed them to remove in 2017. In the first of these cases Google’s interpretation of which web addresses had to be removed from the search result listing was too narrow. In the other case Google failed to remove the search result listing within an appropriate time frame.
When removing a search result listing, Google notifies the website to which the link points, in a manner that reveals to the site owner which link was removed and who made the request. This permits the owner to simply re-publish the offending webpage at another web address that will then show up in a Google search, effectively nullifying the right to delisting.
Olle Pettersen, legal advisor at the Swedish DPA, says that Google’s own delisting request form states that the website owner will be informed of the request in a manner that could result in some individuals forgoing their right to request delisting, thereby compromising the efficacy of the right.
Google appears to have no legal basis for advising site owners when search result listings are removed. Moreover, it gives misleading information to individuals by the statement in the subject access request form. As a consequence, the Swedish DPA has ordered Google to cease and desist from this practice.
Google’s Other GDPR Difficulties
Google’s GDPR compliance problems do not end there. Indeed, the $56 million fine imposed on Google by France’s data regulator (Commission nationale de l’informatique et des libertés, or CNIL) in January 2020 is the largest penalty charged under the European Union’s General Data Protection Regulation to date. Following a complaint from the non-profit group Noyb, CNIL concluded that Google had failed to comply with the GDPR regarding transparency and consent.
A case against Google is also pending in Ireland.
Johnny Ryan, chief policy officer of the Irish-based web browser Brave, has accused Google of sharing users’ personal data between its own services without acquiring specific consent prior to doing so. This is seen as a flagrant breach of GDPR principles. Indeed, Ryan has claimed that the tech giant is effectively operating an “internal data-free-for-all”.
The case against Google specifies that it has been taking consumers’ consent for particular uses of their personal data, e.g. their YouTube viewing history and location tracking, and applying it to a host of other services that are totally invisible to them, a practice that is forbidden by GDPR.
For casual observers of the tech industry it might seem, in some respects, rather strange that Google has not put its house in order with respect to GDPR. The regulation was introduced almost two years ago and with ample forewarning.
Did Google think it was too big for the rules to apply to it? Perhaps, despite its size and power, it was simply negligence rather than anything more sinister?
Why Google has made such faux pas is, perhaps, unimportant. The key message is potentially that the bigger the data processor, the bigger the target for non-profits, for data protection authorities, and for smaller rival companies. Those smaller companies should not, however, enjoy Google’s troubles too much. The old adage of people in glass houses throwing stones springs to mind; complaints against industry giants might be met in kind at a later date.
GDPR compliance is not optional; companies need to address their shortcomings when it comes to data security, and they need to do it now.