The Swedish data protection authority (DPA) has hit Google with a £6.1 million (75 million krona) GDPR fine for “right to be forgotten” failures, saying Google is revealing who requested the delisting — in a dispute that shows how contested certain aspects of the sweeping data protection framework remain.
“When Google removes a search result listing, it notifies the website to which the link is directed in a way that gives the site-owner knowledge of which webpage link was removed and who was behind the delisting request” the DPA said; a step its legal advisors said on March 11 “does not have a legal basis”.
Google says doing this is consistent with GDPR.
The GDPR fine follows three years of audits by the DPA into how Google handles the requested removal of individuals’ search results, when information published on websites is “demonstrably false, irrelevant or superfluous.”
After an initial audit in 2017 the DPA found certain links that should be removed and told Google to do so. The data watchdog said it later became aware that Google had not “fully complied” with its orders, and has now issued the fine as a result.
In its delisting request form Google states that the site-owner will be notified of the request in a way that might result in individuals refraining from exercising their right to request delisting, thereby undermining the effectiveness of this right, said Olle Pettersson, legal advisor at the Swedish DPA who has participated in the audit.
He added: “This allows the site-owner to re-publish the webpage in question on another web address that will then be displayed in a Google search.”
Google Responds: “We Disagree on Principle”
A Google spokesperson told Computer Business Review: “We disagree with this decision on principle and plan to appeal.”
The term the “right to be forgotten” became a legally formal one following a 2014 European Court of Justice ruling. In that case — Google Spain v Mario Costeja González — the EU court ruled that internet search engine operators have significant power over the processing of an individual’s data that appears in search links.
The court ruled that people have the right to request the removal of links to web pages from internet search engine results if they “Appear to be inadequate, irrelevant or no longer relevant, or excessive in relation to those purposes and in the light of the time that has elapsed.”
Lena Lindgren Schelin, Director General at the Swedish DPA commented on its fine that: “The General Data Protection Regulation, GDPR, increases the level of responsibility for organisations that collect and process personal data, and strengthens the rights of individuals. An important part of those rights is the possibility for individuals to have their search result delisted. We have found that Google is not fully complying with its obligations in relation to this data protection right.”