Google is the latest tech giant to be fined for violations of GDPR provisions. The €10 mn (US$11 mn, AU$15mn) fine was issued by the Spanish data protection authority for two infringements, including violations of 'right to be forgotten' obligations.
While Google has yet to be fined by the Irish Data Protection Commission (its local regulator under the one-stop-shop provision of GDPR) it has previously been fined by Swedish and Belgian regulators for failure to comply with the right to be forgotten.
So what happened, and what can other organisations learn about protecting personal information from unauthorized use or disclosure?
What happened?
The right to be forgotten requires that Google erase information obtained from its searches. Google makes forms available in order to process this type of request, including the details that the requester wants to be removed.
This withdrawal request itself contains personal information. Google provides this data to the Lumen Project, a legal initiative which collects information about requests and complaints related to the removal of online information. In essence, it defeats the purpose of the GDPR provisions by allowing those details to remain in a publicly accessible database.
Critically, Google failed to adequately inform requesters that the data would be shared, or allow them to opt-out.
Cross-border implications
The Google case highlights the intricacies of cross-border processing or transfer of personal information. Google is regulated by the Irish Data Protection Commission under the one-stop shop provision of GDPR; most complaints against Google will be processed there. In this case, the following intricacies allowed the Spanish regulator to take a direct approach:
- The initial complaint was filed in Spain
- The data in question involved Spanish citizens
- The processing of that data was occurring in the US, not within the European Union
The interaction between legislation and regulators across international and local borders add complexity, particularly in relation to similar 'right to be forgotten' legislation either already in effect (such as the California's 'right to deletion' under the CPPA) or being contemplated by legislators.
Are you in control of the data you collect?
Documents leaked from Facebook engineers in April 2022 portrayed one key message: Facebook doesn't know where its user data is stored or where it goes once it enters their network. If you were asked to remove or de-identify an individual's information, do you know where to start? (Hint: The regulator won't give you any credits for how complex your internal environment is).
Key for all organisations is understanding what personal information it collects and what happens to it. You may want to consider not only the legislation in the regions you operate, but also expected social norms around data privacy and protection. Here are some key things to consider:
- When you collect personal information, has the individual provided consent? Does that consent only apply to specific purposes or uses of the information?
- Once it is collected, do you know where it is stored?
- Are there any established processes that allow or require that information to be shared? If yes, has the individual provided consent? Do you know what those third parties do with the data? Do your customers?
- Do you have data warehouses or data lakes where data is replicated, repurposed or transformed for other purposes? Is that data pushed elsewhere?
- Does your privacy policy cover all of those scenarios while addressing regulatory requirements?
One way to address this is to construct data flow maps that show when personal information is collected, what purpose it was collected for, and how it is processed, shared, de-identified or deleted. That task may not be easy for complex environments with multiple products or related entities, but it may help avoid landing in a similar situation to Google. Once constructed, compliance or legal teams may be able to leverage them to streamline their activities, improving assurance. If you operate in GDPR-regulated jurisdictions data maps should align with your Data Protection Impact Assessments.
How to manage your risks
Privacy law around the globe doesn't stand still, with many countries proposing updates. One hot topic has been the collection and use of health information as a result of the COVID-19 pandemic.
Here are our key thoughts on how to manage your data risks:
- Have a clearly defined process and centralised system for managing obligations across jurisdictions, including monitoring for change
- Consider your governance structure and operating model to ensure effective management of data
- Consider the implications of sharing data across borders and have controls in place to ensure early detection of breaches
- Be open and transparent with regulators on the personal data you collect and ensure data records are easily accessible.
- Ensure common knowledge and awareness of data management risks across your organisation
- Mapping can help communicate to other stakeholders how you are managing data
If you want to know more about risk management in the enterprise, our Enterprise Risk Management: Moving from a Siloed to a True Enterprise Approach webinar is available for you to watch on demand. Register and view the webinar here.
