

Google is the latest tech giant to be fined for violations of GDPR provisions. The €10 mn (US$11 mn, AU$15 mn) fine was issued by the Spanish data protection authority for two infringements, including violations of 'right to be forgotten' obligations.
While Google has yet to be fined by the Irish Data Protection Commission (its local regulator under the one-stop-shop provision of GDPR), it has previously been fined by Swedish and Belgian regulators for failure to comply with the right to be forgotten.
So what happened, and what can other organisations learn about protecting personal information from unauthorized use or disclosure?
The right to be forgotten requires that Google erase information surfaced by its searches. Google makes forms available in order to process this type of request, including the details that the requester wants to be removed.
This withdrawal request itself contains personal information. Google provides this data to the Lumen Project, a legal initiative which collects information about requests and complaints related to the removal of online information. In essence, this defeats the purpose of the GDPR provisions by allowing those details to remain in a publicly accessible database.
Critically, Google failed to adequately inform requesters that the data would be shared, or allow them to opt-out.
The Google case highlights the intricacies of cross-border processing or transfer of personal information. Google is regulated by the Irish Data Protection Commission under the one-stop-shop provision of GDPR; most complaints against Google will be processed there. In this case, the following intricacies allowed the Spanish regulator to take a direct approach:
The interaction between legislation and regulators across international and local borders adds complexity, particularly in relation to similar 'right to be forgotten' legislation either already in effect (such as California's 'right to deletion' under the CPPA) or being contemplated by legislators.
Documents leaked from Facebook engineers in April 2022 portrayed one key message: Facebook doesn't know where its user data is stored or where it goes once it enters its network. If you were asked to remove or de-identify an individual's information, would you know where to start? (Hint: the regulator won't give you any credit for how complex your internal environment is.)
Key for all organisations is understanding what personal information they collect and what happens to it. You may want to consider not only the legislation in the regions in which you operate, but also expected social norms around data privacy and protection. Here are some key things to consider:
One way to address this is to construct data flow maps that show when personal information is collected, what purpose it was collected for, and how it is processed, shared, de-identified or deleted. That task may not be easy for complex environments with multiple products or related entities, but it may help you avoid landing in a similar situation to Google. Once constructed, compliance or legal teams may be able to leverage these maps to streamline their activities, improving assurance. If you operate in GDPR-regulated jurisdictions, data maps should align with your Data Protection Impact Assessments.
Privacy law around the globe doesn't stand still, with many countries proposing updates. One hot topic has been the collection and use of health information as a result of the COVID-19 pandemic.
Here are our key thoughts on how to manage your data risks:
If you want to know more about risk management in the enterprise, our Enterprise Risk Management: Moving from a Siloed to a True Enterprise Approach webinar is available for you to watch on demand. Register and view the webinar here.