Spanish DPA issues its highest fine to date confirming the upward trend in fines imposed: Google LLC is the latest fined €10 million

By Eleanor Ludlam and Astrid Hardy

Published 30 June 2022

Overview

May 2022 saw a tale of two firsts for the Spanish Data Protection Agency (“AEPD”): its highest fine issued to date, which is also its first fine issued to a data controller outside the EU. As previously highlighted, the AEPD shows no sign of slowing down its enforcement action and we explore the Google LLC (“Google”) fine in greater detail here.

The AEPD has issued its highest fine to date, €10 million, to Google for violating Articles 6 and 17 of the GDPR. The AEPD found that Google unlawfully disclosed personal data to Lumen, an independent research project, and infringed data subjects’ right to erasure. It is the first such fine that the Spanish DPA has imposed on a data controller established outside of the EU, namely Google LLC (the US entity).

The recent decision confirms (once again) the upward trend in the fines imposed by the AEPD, which began in December 2020 with the fining of a bank, BBVA (Banco Bilbao Vizcaya Argentaria), in the sum of 5 million euros. Our article in July 2021 co-authored with our Madrid office identified trends in the AEPD’s enforcement action. Since then, the AEPD shows no signs of slowing down its enforcement action and continues to issue the most GDPR fines in Europe. So far in 2022, the Spanish DPA has issued around 75 fines. The AEPD has broken the 1 million euro barrier at least 10 times.

The fine against Google

The complaint against Google related to the transfer of removal requests relating to content which users asked to be taken down from Google's various products and platforms, including YouTube and Google's search engine, via a third party, referred to as the ‘Lumen Project’. The ‘Lumen Project’ is an “independent research project at Harvard University studying takedown notices along with other legal removal requests and demands concerning online content.” It is based in the United States. 

The AEPD’s investigation found that users who wanted to remove content from Google’s various products and platforms would be required to submit their request via "lumendatabase.org". In particular, the AEPD found that Google required users to use the relevant forms which would transfer their data to the USA where their content removal request forms would then be published on 'lumendatabase.org'.

In the AEPD’s decision, the information provided by Google to users regarding the transfer of personal data to the ‘Lumen Project’ was insufficient to comply with GDPR. The AEPD found that Google’s privacy notice was in contravention of Article 6 GDPR since it stated that Google did not share personal data. However, the ‘Lumen Project’s’ privacy notice confirms that its database “grows by more than 40,000 notices per week, with voluntary submissions provided by companies such as Google, Twitter, YouTube…”

Google’s claim that its actions were justified by 'legitimate interests' (i.e. that its contribution to the Lumen Project aided transparency and accountability) was rejected by the AEPD; instead, it found that users had not been adequately informed about the legal basis that would justify the transfer of their personal data to the Lumen Project. A final finding in the AEPD’s investigation was that Google also violated Article 17 of the GDPR because the Google forms used did not provide the user with the right to erase their data or to object to its transfer.

The €10 million fine was made up of €5 million for unlawfully disclosing personal data to the Lumen Project and €5 million for infringing the GDPR’s right to erasure. Google now has the right to appeal the AEPD’s ruling to the Spanish High Court, Audiencia Nacional. It is yet to be seen whether Google is appealing the decision.

Although the decision is not final, it confirms that the AEPD continues to show a particular interest in enforcing against organisations in the TMT, finance, and public sectors. Its latest fine provides further confirmation of the same.

While the AEPD has not yet arrived at the hundred-million fines imposed by other data protection authorities, there is an upward trend in the fines imposed. Notably, the most significant fines are typically related to analysing data controllers’ general policies and investigating those which do not comply with the GDPR. It appears that the AEPD does not impose these fines because it considers that data controllers have infringed the GDPR in a specific case (i.e. affecting a data subject only), but instead uses the specific cases against large organisations to illustrate general policies which violate the GDPR so that others do not fall foul of the same mistakes.

This decision is a salutary reminder that the AEPD does not shy away from issuing fines to those entities registered outside of the EU, and organisations should be mindful of this if they conduct business in Spain.
