Incident Response

Data privacy alert: Spanish DPA fines Google €10 million


On May 18, 2022, the AEPD issued its decision against Google, imposing a fine of €10 million for violations of two articles of GDPR. The two violations were against Article Six, regarding lawful processing of data, and Article 17, regarding the “right to be forgotten.”

Google’s Article 17 violations primarily consisted of making it difficult for users to submit requests for the removal of content. Google required users to follow a complicated process that included selecting which Google service(s) it wanted data removed from; the grounds upon which the request was being made (e.g., defamation, copyright infringement, harassment, personally identifying information, etc.); and then only routing users who selected certain pre-defined grounds for deletion to the web form.

Download the alert now!

According to AEPD, Google violated Article Six in its dealings with the Lumen Project, a US-based legal database where these requests were sent. Google’s privacy policy did not address its data transfers to Lumen, which included non-anonymized identifying information, email addresses, and legal claims. It also failed to allow its users to opt out of the data transfers.

The fine is the fourth received by Google under GDPR and the second largest overall, following a €50 million fine from the French DPA in 2019. Sweden and Belgium have both levied fines against Google under GDPR.


AEPD issued fines of €5 million for each of the two violations of GDPR, bringing the total to €10 million, or approximately $10.2 million. Google is also required to bring its data processing into compliance with GDPR. Factors influencing the size of the fine included:

  • Lumen processes data in a non-member state, the US
  • Data subjects could not object to the transfer
  • The data processing continued over a long period of time, even prior to GDPR
  • The database holding the private data was publicly accessible

Expert Analysis from Amalia Barthel, CIPM, CIPT, MPC Co-Founder, University of Toronto Lecturer and Advisor

In 2009, a Spaniard by the name of Costeja González asked a newspaper to remove some decade-old information about his past. His case against Google eventually reached the European Court of Justice, Europe’s highest court. In May 2014, the ECJ found against Google. It recognized that when we enter someone’s name as a search query, scattered moments of their life are presented mechanistically, with a significance distorted by lack of context, creating a detailed but selective profile.

Google negotiated with the EU DPAs to take ownership of the process of allowing individuals to exercise their rights and request “to be forgotten.” Google made the process to apply to exercise this right burdensome to the point that it “frustrate[d] the purpose of exercising the right of suppression." Because of these burdens, the Spanish DPA ruled consent obtained from individuals this way invalid, because of lack of options given. Organizations must make give individuals the ability to exercise their rights in a straightforward manner, not confuse their own policies with the law as the deciding factor when fulfilling such requests.

Data Privacy Tip

As the grandparent of modern data privacy regulations, GDPR still offers a lot of lessons for organizations. Learn about DSAR compliance in the Exterro whitepaper, Managing Employee DSARs: What GDPR Can Teach Us.

By Tim Rollins

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.