Data Privacy Alert: Spanish DPA Fines Google €10 Million


On May 18, 2022, the AEPD took its decision against Google, imposing a fine of 10 million euros for violation of two articles of the GDPR. The two violations concerned Article Six, on the lawful processing of data, and Article 17, on the “right to be forgotten”.

Google’s Article 17 violations consisted primarily of making it difficult for users to submit content removal requests. Google required users to go through a complicated process that included selecting the Google service(s) they wanted data removed from and the grounds on which the request was made (e.g., defamation, copyright infringement, harassment, personally identifying information, etc.). Only users who had selected certain predefined reasons for deletion were then routed to the web form.

According to the AEPD, Google violated Article Six in its dealings with Project Lumen, a US-based legal database where these requests were sent. Google’s privacy policy did not address its data transfers to Lumen, which included non-anonymized identifying information, email addresses, and legal claims. It also did not allow its users to opt out of data transfers.

This is the fourth fine received by Google under the GDPR and the second largest overall, after a fine of 50 million euros from the French DPA in 2019. Sweden and Belgium have both imposed fines on Google under the GDPR.


The AEPD imposed fines of €5 million for each of the two GDPR violations, bringing the total to €10 million, or approximately $10.2 million. Google is also required to bring its data processing into compliance with the GDPR. Factors influencing the amount of the fine included:

  • Lumen processes data in a non-member state, the United States
  • Data subjects could not object to the transfer
  • Data processing continued for a long time, even before GDPR
  • The database containing the private data was accessible to the public

Expert analysis by Amalia Barthel, CIPM, CIPT, MPC Co-Founder, Lecturer and Advisor to the University of Toronto

In 2009, a Spaniard named Costeja González asked a newspaper to suppress decade-old information about his past. His case against Google eventually reached the European Court of Justice, Europe’s highest court. In May 2014, the CJEU found against Google. It recognized that when we enter someone’s name as a search query, scattered moments of their life are presented mechanically, with meaning distorted by the lack of context, creating a detailed but selective profile.

Google negotiated with EU DPAs to take ownership of the process for individuals to exercise their rights and request to be “forgotten”. Google has made the process for applying to exercise this right cumbersome to the point that it “frustrates[d] purpose of the exercise of the right of repression.” Due to these burdens, the Spanish DPA has deemed invalid the consent obtained from individuals in this way, due to the lack of options given. Organizations should give individuals the ability to exercise their rights in a simple way, without confusing their own policies with the law as the deciding factor when meeting such requests.

Data privacy advice

As the grandparent of modern data privacy regulations, GDPR still offers many lessons for organizations. Learn more about DSAR compliance in the Exterro white paper, Managing Employee DSARs: What GDPR Can Teach Us.

By Tim Rollins