The Swedish Administrative Court of Stockholm confirmed that Google violated the EU General Data Protection Regulation in several instances and rejected Google's motion that the decisions of Sweden's data protection authority, Datainspektionen, be repealed due to formal deficiencies. The court upheld the fine of SEK 50 million, while lowering the fine for one violation from SEK 25 million to 2 million.
The fine was lowered because one complaint was partly dismissed and one instance was not considered a violation (since Google adhered to the injunction without undue delay). Also, Google's failure to comply with previous injunctions under the previous data protection legislation could not be considered as an aggravating circumstance.
Google shall now delist specific search results and cease to inform site owners of requests. Also, Google must adapt its data subject rights procedure within eight weeks after the court's judgment has gained legal force.
The case in short
It started in 2017 when the Datainspektionen ordered Google to delist specific individuals' names from its search engine due to inaccuracy, irrelevance and superfluous information. The requests concerned both special categories of data and information about criminal convictions and offenses. In 2018, the Swedish DPA initiated an inspection as they had received indications that Google was not complying with the previous orders. The Swedish DPA concluded the inspection by issuing an administrative sanction in Spring 2020.
In its March 10 decision, the Swedish DPA criticized that Google did not delist two of the search results that it was ordered to delete in 2017. In one case, it was determined that Google made a too narrow assessment of which URLs to remove from search results. In the other case, Google did not delist the search result without undue delay. A full analysis of this decision can be found in The Privacy Advisor.
Google appealed the decision, citing formal deficiencies.
Points of interest
The guidance confirms that the controller's obligation to investigate a request for deletion is far-reaching and that the controller may not dictate the process by which the individual can request the erasure of their data.
The court states there are no formal requirements in the GDPR that state how a request for removal under Article 17.1 shall be formulated. According to Article 12(2), the controller shall facilitate the exercise of the data subject's rights by Articles 15 through 22 of the GDPR.
"The fact that he had not provided the information in the manner requested by Google, i.e. by entering each specific URL in Google's form, does not mean that Google may disregard the other information provided. As stated above, there are no formal requirements for a request for removal in the General Data Protection Regulation and Google cannot restrict the rights of the data subject by designing its form." –Judgment, page 7
The process that the controller sets up for handling deletion requests must make it easy for the individual to exercise their rights. As a result, any process that restricts the rights of the individual may violate Articles 15 through 22 of the GDPR.
Violations of previous privacy legislation are not an aggravating circumstance when imposing sanctions under the GDPR — possible appeal from the Swedish DPA?
The Swedish DPA argued that violations of privacy that occurred under the Data Protection Directive 95/46/EC of 24 October 1995 shall be considered as aggravating circumstances under Article 83.2(e) of the GDPR.
The court states that under Article 83.2(e) of the GDPR, consideration should be given to any relevant past infringements that the controller has committed. However, the provision is aimed at violations of the GDPR, i.e., violations that have occurred after the date of entry into force of the regulation, May 25, 2018. In other words, the court states that Google's failure to comply with an injunction under the Data Protection Directive cannot be considered as an aggravating circumstance when deciding on the sanction.
It seems highly likely that the Swedish DPA may challenge this point and appeal to the higher court to try this principle. There is case law from, e.g., Germany's Federal Commissioner for Data Protection and Freedom of Information (Delivery Hero, 19 September 2019) and Greece's Hellenic Data Protection Authority (Decision 31/2019, Decision 34/2019) where violations of previous privacy legislation (where the equivalent requirements and obligations applied) were considered as an aggravating factor when imposing sanctions for violation of the GDPR. (This would not, however, be the case if, e.g., the controller under the Data Protection Directive had failed to notify the DPA of processing, since that requirement does not exist under the GDPR.) The existence of previous and ongoing violations may also be argued as evidence that the violation is of long duration and was done by intent rather than negligence — in themselves aggravating factors.
The court confirmed that related uses of personal data when meeting a data subject access request are not covered by legal obligation, nor by legitimate interest.
Google argued that the notifications of the delisting to the website owners were lawful under a legal obligation (Articles 6.1.c and 17.2 of the GDPR) or, as applicable, legitimate interest. The Swedish DPA concluded that the lawful basis of legal obligation is narrow in scope and does not cover uses of data that are related to or go beyond the strict obligations of the controller. No criteria to demonstrate legitimate interest were found; the website owners' interest in determining their responsibilities regarding the delisting is not a legitimate interest under the GDPR.
The court reaffirmed the Swedish DPA's opinion and added:
"Firstly, Google asserts that messages to webmasters ensure transparency in the delisting decision and enable webmasters to question, if necessary, a delisting decision, for example, to detect misuse or fraudulent removal requests. The Administrative Court finds it difficult to understand this argument. The messages in question are only sent after Google has removed a search result. The purpose of the processing has thus already expired when the message is sent… / Thus since the messages cannot be considered effective in achieving the purpose specified by Google, it is not necessary for the purpose Google invokes." –Judgment, page 17
If legal obligation and legitimate interest are not applicable as a legal basis there remains at least consent. And for consent to be valid under the GDPR, it must be informed, explicit and freely given. Privacy professionals are wise to have this in mind when designing the data subject rights processes.
The balancing act that would legitimize a legitimate interest assessment shall be done beforehand. The court states that when a search result has been removed by a search engine provider, it means that a balance of interests has been carried out, and that balance has resulted in the benefit of the individual. It should not be allowed for the search engine provider to take measures that jeopardize the delisting's intended effect.
"The Administrative Court, therefore, finds that an individual's interest in effective protection of their privacy and personal data, after Google has granted the removal of a search result, generally outweighs the interests of Google in sending messages to webmasters." –Judgment, page 20
Furthermore, the court emphasizes that the right to deletion has a very marginal impact on the freedom of speech and information since it only deletes search results of a person's name. The website itself remains intact.
Hence, the controller must establish a legitimate interest before the processing. Here, the court states that the deletion of search results means that the scale already has tipped towards the individual.
The privacy professional would be wise to have this in mind when designing the data subject rights processes.
Examples of specific aggravating circumstances are given.
The court adds specific factors that can be considered as aggravating factors when DPAs impose sanctions, which adds to the growing case law:
- The violations refer to systematic actions that the company has been carrying out as part of company policy.
- The actions (messages to webmasters made after the delisting) undermine the effectiveness of the delisting.
- Potentially 5,690 individuals are concerned (which was considered high).
- Misleading information to a person requesting delisting.
- Sensitive data involved.
- The infringement has been ongoing since May 25, 2018.
- The company at least indirectly avoids financial losses.
The court adds that it is "particularly serious that in many cases the messages may be assumed to erode the fundamental right the individual tries to safeguard through their request for removal" (page 34 of the judgment).
The court assesses overall that the sanction fee decided by the Swedish DPA of SEK 50 million, based on the criteria that the fee should be effective, proportionate and deterrent, is justified and "at least not too high."