The Spanish Data Protection Agency (AEPD) has issued resolution of the procedure initiated against the company Google LLC in which he declares the existence of two very serious offenses of data protection regulations and imposes a sanction of 10 million euros by transfer data to third parties without legitimacy to do so and hinder the right of deletion of citizens (Articles 6 and 17 of the General Data Protection Regulation).
Google LLC is responsible for the data processing analyzed and carries it out in the USA. In the case of the communication of data to third parties, the Agency has verified that Google LLC sends the Lumen Project information on requests made by citizens, including their identification, email address, the alleged reasons and the URL claimed. The mission of this project is to collect and make available content removal requests, so the Agency considers that, since all the information contained in the citizen’s request is sent to be included in another accessible database to the public and for it to be disclosed through a website, “in practice means frustrating the purpose of exercising the right of deletion”.
The resolution states that this communication of data by Google LLC to the Lumen Project is imposed on the user who intends to use its forms, no option to object to it and, therefore, without the existence of valid consent for such communication to take place. Establishing this condition in the exercise of a right recognized to the interested parties is not covered by the General Data Protection Regulation when generating “additional processing of the data on which the deletion request relates by communicating them to a third party”. In addition, in the privacy policy of Google LLC, there is no mention of this processing of personal data of users, nor does communication to the Lumen Project appear among the purposes.
The AEPD also includes in its resolution that, once the request for the removal of content has been submitted and the right has been met, that is, the deletion of personal data has been agreed, “there is no room for further processing of the same, as is the communication that Google LLC makes to Project Lumen”.
Regarding the exercise of rights of citizens, the AEPD details in its resolution that “it is difficult to deduce if the request is made invoking the personal data protection regulations, simply because this regulation is not mentioned in any of the forms, regardless of the reason that the interested party selects among the proposed options, except in the form called ‘Withdrawal under EU privacy law’, the only one available that contains an express reference to this regulation”.
The system designed by Google LLC, which leads the interested party through various pages to complete their request, previously forcing them to mark the options offered, “may cause them to end up marking an option that suits the reasons they consider appropriate to their interest, but that deviate from their original intention, which may be clearly linked to the protection of their personal data, unaware that these options place them in a different regulatory regime because Google LLC has wanted it or that your request will be resolved according to the internal policies established by this entity”. The Agency’s resolution states that this system is equivalent to “leave the decision on when the GDPR applies and when not to Google LLC, and this would mean accepting that this entity can evade the application of the personal data protection regulations and, more specifically for this case, accepting that the right of deletion of personal data is conditioned by the content removal system designed by the responsible entity”.
In addition to the economic sanction imposed in the resolution, the Agency has also required Google LLC to adapt the communication of data to the Lumen Project to the personal data protection regulations, and the processes of exercise and attention to the right of deletion, in in relation to requests to remove content from its products and services, as well as the information it offers to its users. Likewise, Google LLC must delete all personal data that has been the subject of a request for the right of deletion communicated to the Lumen Project, and has the obligation to urge the latter to delete and cease the use of personal data that has been provided to it. release.