Spanish Regulator Fines Google 10 Million Euros For Transferring Data to Third Parties Illegally

Another privacy regulator has imposed a fine on Google for illegal data practices. The Spanish Data Protection Agency (AEPD) accused Google of transferring users’ data to third parties illegally and also hindering their right to erasure.

The privacy regulator slammed the leading search engine with a 10 million Euro fine, saying Google transferred information of citizens, including their identification, e-mail address, etc to third parties.

It should be recalled that in September 2020, the French data protection authority imposed a $57 million fine on Google, its highest penalty under the new law, for failing to disclose how its users’ data is processed. Later in the same year, the French regulator fined Google and Amazon €100 million ($120 million) and Amazon €35 million ($42 million) for using tracking cookies without users’ consent.

Earlier this year, Investors King reported that France’s National Commission on Informatics and Liberty fined both Google and Facebook another $170 million and $70 million, respectively for making it hard for citizens to refuse cookies.

In Google’s latest fine, the Spanish regulator said Google’s actions contravene Articles 6 and 17 entrenched in the European General Data Protection Regulation (GDPR). 

In a statement announcing the fine, AEPD said: “Google LLC acted as controller of the analysed processing, which was conducted in the United States. In the case of disclosure of data to third parties, the AEPD has found that Google LLC sent information of requests made to it by citizens, including their identification, e-mail address, the reasons given, and the URL claimed to the Lumen Project. The task of this project is to collect and make available requests for the removal of content, and the Agency, therefore, considers that, since all the information contained in the citizen’s request is sent for inclusion in another publicly accessible database and for dissemination via a website, the purpose of exercising the right of erasure results in practice frustrated.

“This communication of data by Google LLC to the Lumen Project is imposed on the user who intends to use Google forms, without the option of objecting to it and, therefore, without a valid consent for such communication to be made. Establishing such a condition for the exercise of the right to erasure granted to data subjects is in breach of the General Data Protection Regulation by generating “an additional processing of the data contained in the request for erasure when communicating them to a third party,” the Agency added.

Responding to the fine, Google stated that it has started reviewing the fine and will continue to engage regulators on privacy and how to reassess its practices. 

“We’re always trying to strike a balance between privacy rights and our need to be transparent and accountable about our role in moderating content online. We have already started reevaluating and redesigning our data-sharing practices with Lumen in light of these proceedings”, Google noted.