Once posted, always online?
The Spanish Personal Data Authority has in May 2022 a fine of
€10,000,000 imposed on Google for unlawfully transferring personal data to a third party and obstructing the exercise of the right to be forgotten.
The right to be forgotten on Google
Before we go into the concrete facts of this case, it is important to go back to the previous problems surrounding the right to be forgotten on Google.
In 2014, before the entry into force of the GDPR, the European Court of Justice ruled on the right to be forgotten.
In the Judgment Google Spain (CJEU 13 May 2014, case C-131/12, there was a dispute between Mario Costeja González and Google.
Mr Costeja González’s complaint arose from the fact that if the name González was Googled search results appeared about the public sale of the buildings of the people involved in the context of a seizure for the recovery of social security debts. However, the auction dated back many years before.
The European Court of Justice ruled in this case that the activities of a search engine such as Google must be considered processing within the meaning of the old Privacy Directive.
This means that Google must always have a lawful basis for the processing of this personal data, whereby the privacy interest of the applicant and the interest of the right to freedom of expression and the right to information must be weighed against each other.
In concrete terms, in this case Mr. Costeja González’s right to privacy took precedence over Google’s possible economic interest and over the public’s interest in obtaining information.
The Google/Spain judgment and the GDPR
The right to be forgotten was first recognized in the Google v Spain judgment.
hen the GDPR entered into force, this principle was explicitly laid down as a law.
Article 17 of the GDPR stipulates that there are a number of cases in which companies such as Google must delete your data if you request this, specifically when:
- your personal data is no longer needed;
- you withdraw your consent;
- you object to the processing of your data ;
- the personal data were processed unlawfully, or
- you are under the age of 16 and the personal data was obtained while using an online service.
This request can be refused if the processing of your personal data is necessary:
- for exercising the right to freedom of expression and the right to information;
- for complying with a law requiring the processing of data or for fulfilling a task of public interest or exercising public authority;
- For public health reasons;
- For scientific or historical research or for statistical purposes;
- for the institution, exercise or substantiation of a legal claim.
Why was Google fined by the Spanish Data Protection Authority in 2022?
In 2018, the Spanish Data Protection Authority received a complaint that raised doubts about whether Google, as the data controller, handled requests for content (under the right to be forgotten) in a legally correct manner.
Google was accused of sending unauthorized copies of users’ takedown requests to a third party
The Lumen Project a US-based academic project of the Berkman Klein Center for Internet & Society at Harvard University, which aims to address legal requests for the removal of online information collect and study. They do this by creating a database of content removal requests.
Conclusion
Google has already violated the right to be forgotten several times, both before and after the entry into force of the GDPR.
It’s about time Google took both the right to be forgotten and the GDPR seriously.
Google’s current way of working can lead to very unpleasant consequences, think of inappropriate photos that come up as the first hit when your prospective employer searches your name on Google, or certain information that you don’t want it to still be associated with.
Strict enforcement of the GDPR could help encourage companies like Google to improve its practices.