Datainspektionen, the Swedish Data Protection Authority, has imposed a fine of SEK 75 million on Google due to several violations of the GDPR originating in failure to comply with the right to request delisting from search engines under the GDPR. The right stems from the judgment in case C-131/12 issued by the Court of Justice of the European Union in 2014 and has since been strengthened through the right to be forgotten under the GDPR. In 2019, Google’s responsibilities under the GDPR were also addressed e.g. in cases C-136/17 and C-507/17.
Today’s fine is a consequence of two audits, of which the first was carried out in 2017. The second was carried out in 2018 due to indications that Google had not complied with the order to remove a number of search result listings issued following the first audit. The fine is issued due to Google’s failure to remove two of these result listings, where one was removed too late and the other not at all. Also, following decisions on removal, Google has regularly been notifying the owners of websites where information has been published. According to Datainspektionen, this enables the site-owners to identify their affected website and subsequently re-publish it which in turn will cause it to re-appear in searches on Google. Datainspektionen has held that Google does not have a legal basis for informing the site-owners and that the information provided by Google in its request form is misleading.
The fine is the third of its kind issued in Sweden and by far the heftiest in monetary amount. Datainspektionen’s decision can be read in full here (in Swedish). Google will reportedly appeal the decision.
TIME DANOWSKY continuously provides advice within the field of data protection. If you would like to know more or need assistance with data protection legislation, please reach out to Alexander Berger, partner.