The Spanish Data Protection Agency fined Google $10.6 million for GDPR violations.
Google was fined a record 10 million euros (US $10.6 million) by Spain's data protection authority for two "serious infractions" of the European Union's General Data Protection Regulation (GDPR).
The fine is the highest the Agencia Espanola de Protección de Datos (AEPD) has ever imposed, surpassing the €8.15 million (then-US $9.72 million) fine Vodafone Spain received in March 2021. According to the AEPD, Google broke the GDPR's Article 6 regarding lawful data processing and Article 17's "right to be forgotten."
The fine is Google's fourth under the GDPR, and the second largest in terms of dollar value, following a €50 million (then-US $57 million) penalty imposed in France in 2019. Sweden and Belgium are two other countries that have sanctioned the tech giant. In accordance with the GDPR's one-stop shop mechanism, Google has yet to be fined in its European home country of Ireland, where its primary regulator is located.
In a translated press release, the AEPD claimed that Google's sharing of data with the US legal database Lumen violates the GDPR because it does not allow users to object. Identification, email addresses, and legal claims are among the data being transferred.
In terms of deletion requests, the AEPD chastised Google for making it difficult for users to submit successful claims for content removal. The AEPD stated that the Google-designed system may "end up marking an option that suits the reasons they consider appropriate to your interest but that separates you from your original intention, which may be clearly linked to the protection of your personal data, unaware that these options place you in a different regulatory regime because Google has wanted it that way."
In addition to the fine, the AEPD has ordered Google to delete all EU personal data it has shared with Lumen, and Lumen has been urged to do the same.
In an emailed statement, a Google spokesperson said, "we are reviewing the decision and continually engage with privacy regulators, including the AEPD, to reassess our practices. We’re always trying to strike a balance between privacy rights and our need to be transparent and accountable about our role in moderating content online. We have already started reevaluating and redesigning our data sharing practices with Lumen in light of these proceedings."
By fLEXI tEAM