The Spanish Data Protection Agency (AEPD) has fined Vodafone España €3.94 million and Google €10 million for failing to comply with European data protection regulations affecting users and customers.
Vodafone España’s penalty relates to breaches concerning the confidentiality and integrity of personal data, as defined under applicable data protection law.
The fine imposed on Google addresses two serious infringements. The AEPD found that Google transferred personal data to third parties without a lawful basis and impeded individuals’ right to erasure.
According to the decision, Google LLC acted as the controller for the processing examined, which was carried out in the United States. In particular, the AEPD determined that Google LLC transmitted details of citizens’ removal requests—including identifiers, email addresses, stated reasons and the URLs in question—to the Lumen Project. Because the Lumen Project collects and publishes removal requests in a publicly accessible database and through its website, the Agency concluded that forwarding all the information in a citizen’s request effectively undermines the right to erasure.
The decision notes that Google LLC conditions the submission of requests via its forms on the transmission of this information to the Lumen Project, without offering users the ability to object. As a result, there is no valid consent for such disclosure. Imposing this requirement in order to exercise the right to erasure breaches the General Data Protection Regulation by creating an additional processing of the data contained in the removal request when they are communicated to a third party. The AEPD also found that Google LLC’s privacy policy does not mention this processing activity nor does it list communication to the Lumen Project among the purposes for which personal data are processed.
Moreover, once an individual has exercised their right to have content removed and personal data deleted, there is no legal basis for further processing—such as the disclosures Google LLC makes to the Lumen Project, the decision states.
Regarding the exercise of citizens’ rights more broadly, the AEPD observed that the forms provided by Google make it difficult to determine whether a request is being made under data protection laws, because those rules are not referenced in any of the forms except one titled “Withdrawal under EU Privacy Law,” which is the sole form explicitly mentioning data protection rights.
Beyond the financial penalty, the AEPD has ordered Google LLC to stop transmitting data to the Lumen Project and to align its procedures for handling erasure requests related to content removal with data protection requirements. Google must also update the information supplied to users so it accurately reflects how personal data are processed. The company is required to delete all personal data that have been shared with the Lumen Project following erasure requests and to take steps to ensure Lumen ceases using and removes any such personal data communicated to it.
Looking to revamp your digital transformation strategy? Learn more about Digital Transformation Week, hosted in Amsterdam, California and London, to discover practical strategies for advancing your digital initiatives.