Highest sanction imposed by the Spanish Data Protection Authority

It was after anonymous individuals filed various complaints against the big-tech company alluding the inadequate processing of personal data obtained from a particular form which had to be completed by the users who wanted to require the removal of a certain content in Google in exercise of their erasure rights. This form had to be filled out with their personal information such as names, last names, nationality, email address, etc. The conflicted processing was not the information collection, but its transfer to the "Lumen Project", a third-party company that received access to the users' removal requests, processed and even published them as a way of managing such claims and removing the content when appropriate.

This particular processing was doomed since the beginning. In the referred form, Google limited itself to only mentioning that the data was going to be transferred to Lumen Project, with no chance to oppose to such processing, which differed from the original processing of collection the information for the content removal processes. Hence, the consent was not a valid source of lawfulness, as it no longer had the characteristics required by the GDPR: "a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data", when also violating the users' opposition rights. 

Google was justifying the processing through their legitimate interests consisting of maintaining the transparency of the content removal claims to protect other's rights such as intellectual property, trademarks, right to honor, rights of defense, etc. They also emphasized that Lumen’s interests were solely oriented to educational and research purposes, as well as to contribute to transparency on the internet. However, the AEPD did not accept this rationale for two reasons: (i) the alleged lawfulness of the processing was not duly informed beforehand to the users, therefore, it is not possible to assess the balancing of interests and conclude whether the legitimate interest of the controller or third parties indeed prevails; (ii) the processing of personal data was not truly necessary for the final purpose of the data (the content removal process), which is also a mandatory prerequisite to invoke the legitimate interest.

Moreover, the ways habilitated by Google to execute their users' rights of erasure was conditioned by yet another processing of the data (when communicating the data to a third-party), which constitutes an obstacle to the right itself. Mostly because, instead of performing the action of "erasing", it's publishing the information once again in a complaints database that is accessible by everyone.

In this sense, the AEPD concluded that Google violated the GDPR, specifically articles 6 (lack of lawfulness) and article 17 (right to erasure and to be forgotten), condemning them to pay in total a 10 million euros fine. Nevertheless, the imposition of this penalty was not undeliberate. The AEPD considered some facts to impose this administrative fine, such as the nature, gravity and duration of the infringement, the intentionality or negligence of the controller, whether there is a use of sensible data, the entailment between the use of data and the controller’s activity and the responsibility degree of the controller and the measures they applied. These factors were duly analyzed by the supervisory authority, concluding that Google’s infringement indeed was serious, with a considerable duration, done with negligence, processing sensible data, and having enough responsibility degree as they were not applying adequate measures to obtain and process the personal data.

The GDPR, as well as the European Data Protection Board (EDPB) Guidelines 04/2022 on the calculation of administrative fines under the GDPR Adopted on 12th May reminds us that the administrative fines imposed shall always be effective, proportionate and dissuasive. The effectiveness and proportionality of the penalty is sufficiently clear, but what about the dissuasiveness? Is a 10 million euro fine sufficiently high to have a dissuasive effect to one of the largest companies in the world?

According to the EDPB's criteria, "a fine is dissuasive where it prevents an individual from infringing the objectives pursued and rules laid down by (European) Union law", based by the fear of such fine being imposed. Although, the dissuasiveness can be weakened by the chance of this decision being appealed and revoked.

Thus far, Google has declared that that they're currently reviewing the decision and considering the proper modifications in their forms, banners and policies to comply with AEPD's considerations. Therefore, in principle, we can say that this considerably large penalty may have truly been dissuasive, as Google may not be likely to commit the same infringement again (specific deterrence), and even the others may be drawn to avoid committing the same (general deterrence). 

Considering the apparent sufficient motivation of the decision, and Google’s reaction towards correction more than complaint, we can confirm that this decision has a clear and driven dissuasive purpose. However, to determine if it has been dissuasive enough to prevent Google or any other company committing the same infringements we will have to wait and see.