Google has been fined SEK 75 million (approximately 7 million euros) by the Swedish DPA for not complying with its obligations regarding the right to be forgotten. It has also been ordered to delist certain search results, to stop informing websites when such results occur and to otherwise adapt its data subject rights process.
The case in short
It all started in 2017 when the Swedish Data Protection Authority ordered Google to delist certain individuals’ names from its search engine due to inaccuracy, irrelevance and superfluous information. The requests concerned both special categories of data and information about criminal convictions and offenses. The Swedish DPA initiated an inspection in 2018, as it had received indications that Google was not complying with the previous orders. The Swedish DPA has now concluded the inspection with issuing an administrative sanction.
In its 10 March 2020 decision, the Swedish DPA criticized that Google did not delist two of the search results it was ordered to delete in 2017. In one case, it was concluded that Google made a too narrow assessment of which URLs should actually be removed from search results. In the other case, it was concluded Google did not delist the search result without undue delay.
Undermining the data subjects’ rights
Google’s practice when managing a request for delisting a search result was found to undermine the data subjects’ rights. When Google delists search results, it is practice that the site owner is notified of what webpage and data subject it concerns via Google’s service Search Console (previously Webmaster Tools). This process makes it possible for the site owner to republish the webpage with a new URL which will be visible in Google searches.
“In its removal web form, Google informs that messages are sent to site owners, in a way that may discourage individuals from exercising their right to request removal, which also undermines the effectiveness of this right," Swedish DPA Legal Advisor Olle Pettersson said.
In its deletion form, Google had published the text: “If URLs are removed from our search results as a result of your request, we can provide information to the webmasters for the removed URLs." Such information was found to be misleading, as the data subject was made to understand that its consent to the notification was required in order to process the request for delisting.
This process meant Google violated Article 5(1)(a) of the EU General Data Protection Regulation, in that the procedure is designed to induce individuals to refrain from exercising its right to request removal. Google is ordered to delete any misleading information and not to inform the website owner, unless the data subject has agreed thereto.
Unlawful second use
The DPA also found Google did not have a lawful basis to inform website owners when search results were delisted. Providing information was beyond any strict legal obligations according to the Swedish DPA. Informing the site owner meant that the personal data was used beyond its original purpose, which violates Articles 5(1)(b) and 6(4) of the GDPR.
Sanction
The sanction from the Swedish DPA was divided into two parts. The first part was in respect of the two complaints and amounted to SEK 25 million (approximately 2.3 million euros). The second part was in respect of notifying webmasters and giving misleading information in 5,690 cases (potentially affecting up to 5,690 individuals), and amounted to SEK 50 million (4.6 million euros). Therefore the sanction in total amounted to SEK 75 million (approximately 7 million euros) for the observed violations.
The violations are considered serious because they concern sensitive information and, moreover, are part of a systematic process made with intent, as the process was part of official company routines. The presumption is that Google has gained financially, at least indirectly, by avoiding costs as individuals may have refrained from exercising their right to be forgotten.
Points of interests
The obligation to investigate a request for deletion is quite far reaching
Interestingly, the data controller has relatively far reaching obligations to investigate the circumstances of a request. In this case, Google received a request to delist the entire discussion thread specified. Google argued that the request was not sufficiently specific to motivate the delisting of both the search result and other webpages that identified the data subject. Should Google nevertheless choose to interpret the request and delist both the search result and other webpages that identified the data subject, it would violate the individual right, since the individual had not requested that specific course of action. However, the Swedish DPA stated that “a discussion thread is judged as a whole and cannot, which Google has done, solely be assessed on the basis of the information provided that appears on the page to which a search result links.” Google should have continued to investigate and interpret the request to include the entire discussion thread.
One-stop mechanism is not applicable; national DPAs are competent supervisory authorities
Google (established in the U.S.) decides the purposes and means for the processing. As of January 2019, Google has identified Ireland as its main establishment for part of its operations. The place for its central administration shall be empowered to make decisions about the purposes and means of the processing in question (Article 4(16) and Recital 36 of the GDPR). According to the Swedish DPA, Google has not established that Google Ireland has the decisive influence over the search engine operations, thus why the one-stop mechanism under Articles 56 and 60 of the GDPR are not applicable. Hence, the Swedish DPA is competent supervisory authority in this matter.
Related uses of personal data when meeting a data subject access request is not covered by legal obligations, nor legitimate interest.
Google argued that the notifications of the delisting to the website owners were lawful as a legal obligation (Articles 6(1)(c) and 17(2) of the GDPR or legitimate interest as applicable. The DPA concluded that the lawful basis of legal obligation is narrow in scope and does not cover uses of data that are related or goes beyond the strict obligations of the controller. No criteria to demonstrate legitimate interest were found; the website owners’ interest to determine its own obligations is not a legitimate interest under the GDPR.
The privacy professional would be wise to have this in mind when designing the data subject rights processes.
Photo by Chiara Daneluzzi on Unsplash