In 2017, the Swedish Data Protection Authority (DPA) ordered Google to delist certain search results about several different data subjects from Google’s search engine. In 2018, responding to complaints that Google had not complied with the previously issued order, the DPA initiated a follow-up audit.
The DPA discovered that Google had not properly removed result listings it had been ordered to remove. This violated the General Data Protection Regulation (GDPR) right to erasure. Google also violated the GDPR by processing special categories of personal data and data relating to criminal convictions and offences. Google had in one case suggested that it was not obliged to remove the data, as this was not part of the person’s previous request, but the DPA did not agree.
In addition, the DPA found that Google had not removed another person’s data which also was ordered removed in 2017. Google’s failure to remove the search result listing without undue delay constituted a failure to comply with the GDPR right to erasure, and the DPA determined that Google also processed the person’s personal data relating to criminal offences, another violation.
In the process of delisting search results, Google also notified the site owner to which the link was directed that a webpage link was removed. This may have effectively given the site owners information about which person requested the delisting. The DPA found that such processing of personal data was unlawful under the GDPR, since it was incompatible with the initial purpose and Google had no legal basis for this type of processing without authorisation by the person requesting a delisting. The DPA therefore required Google to cease informing site owners of delistings. According to the DPA, Google also misled a person who requested delisting by informing the person that information about the delisting may be sent to the site owner. This was found misleading and unlawful, since a person may not want to request a delisting if he or she knew that the site owner would be notified. The DPA required Google to cease providing such information to persons requesting delistings.
The DPA imposed a fine of SEK 25 million for Google’s failure to comply with the right to erasure and its unlawful processing of special categories of personal data and data relating to criminal convictions. The amount of the fine was justified on the basis that Google’s processing and publishing of sensitive and personal data about criminal convictions can have a significant impact on privacy rights, and that Google had not followed the DPA’s earlier decision about erasure.
The DPA imposed a further fine of SEK 50 million for unlawfully notifying site owners. The DPA justified this fine on the basis that the information given to persons requesting delisting was misleading, and that many of them may not have wanted to proceed with the request if they had known that the site owners would be notified. The violation thus resulted in a lost opportunity for individuals to exercise their rights, and created a lack of control over their personal data and unauthorized disclosure. As many as 5,690 persons may have been affected by this. The violation had been occurring since 25 May 2018 and was ongoing when the DPA made its decision on 11 March 2020.