Google and your right to be forgotten.

Once posted, always online?

In May 2022, the Spanish Personal Data Authority imposed a fine of €10,000,000 on Google for unlawfully transferring personal data to a third party and obstructing the exercise of the right to be forgotten.

The right to be forgotten on Google

Before we go into the concrete facts of this case, it is important to go back to the previous problems surrounding the right to be forgotten on Google.

In 2014, before the entry into force of the GDPR, the European Court of Justice ruled on the right to be forgotten.

In the Google Spain judgment (CJEU 13 May 2014, case C-131/12), there was a dispute between Mario Costeja González and Google.

Mr Costeja González’s complaint arose from the fact that when the name González was Googled, search results appeared about the public sale of the buildings of the people involved, in the context of a seizure for the recovery of social security debts. However, the auction dated back many years.

The European Court of Justice ruled in this case that the activities of a search engine such as Google must be considered processing within the meaning of the old Privacy Directive.

This means that Google must always have a lawful basis for the processing of this personal data, whereby the privacy interest of the applicant and the interest of the right to freedom of expression and the right to information must be weighed against each other.

In concrete terms, in this case Mr. Costeja González’s right to privacy took precedence over Google’s possible economic interest and over the public’s interest in obtaining information.


The Google/Spain judgment and the GDPR

The right to be forgotten was first recognized in the Google v Spain judgment.

When the GDPR entered into force, this principle was explicitly laid down in law.

Article 17 of the GDPR stipulates that there are a number of cases in which companies such as Google must delete your data if you request this, specifically when:

  • your personal data is no longer needed;
  • you withdraw your consent;
  • you object to the processing of your data;
  • the personal data were processed unlawfully, or
  • you are under the age of 16 and the personal data was obtained while using an online service.

This request can be refused if the processing of your personal data is necessary:

  • for exercising the right to freedom of expression and the right to information;
  • for complying with a law requiring the processing of data or for fulfilling a task of public interest or exercising public authority;
  • for public health reasons;
  • for scientific or historical research or for statistical purposes;
  • for the institution, exercise or substantiation of a legal claim.

Why was Google fined by the Spanish Data Protection Authority in 2022?

In 2018, the Spanish Data Protection Authority received a complaint that raised doubts about whether Google, as the data controller, handled requests for content removal (under the right to be forgotten) in a legally correct manner.

Google was accused of sending unauthorized copies of users’ takedown requests to a third party.

The Lumen Project is a US-based academic project of the Berkman Klein Center for Internet & Society at Harvard University, which aims to collect and study legal requests for the removal of online information. They do this by creating a database of content removal requests.


Google has already violated the right to be forgotten several times, both before and after the entry into force of the GDPR.

It’s about time Google took both the right to be forgotten and the GDPR seriously.

Google’s current way of working can lead to very unpleasant consequences: think of inappropriate photos that come up as the first hit when your prospective employer searches your name on Google, or certain information that you no longer want to be associated with.

Strict enforcement of the GDPR could help encourage companies like Google to improve their practices.

