HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Google Hit with Nearly $8 Million GDPR Penalty

Google has been hit with a 75 million kroner ($7.8 million) GDPR fine by the Swedish Data Protection Authority (DPA) over the failure to comply with ‘right-to-be-forgotten’ requests from EU citizens to have web pages removed from its search engine listings.

The right to be forgotten in the EU predates GDPR. It was first introduced in EU legislation in 2014 following a ruling by the Court of Justice of the European Union in the case Google Spain SL, Google Inc v Agencia Española de Protección de Datos, Mario Costeja González. The law requires search engines to remove links to freely accessible webpages that appear in search results generated from a search of an individual’s name, if that individual requests that the listing be removed and if certain conditions are satisfied.

GDPR strengthened the right to be forgotten. If a request is received from an EU citizen who wishes to exercise the right to be forgotten, provided the request does not collide with the right of freedom of expression and information, “personal data must be erased immediately where the data are no longer needed for their original processing purpose, or the data subject has withdrawn his consent and there is no other legal ground for processing.”

Google has received millions of requests from EU citizens to have content delisted and approximately 45% of those requests have been fulfilled.


The Swedish DPA conducted an audit of Google in 2017 to assess how Google was handling requests to delist webpages indexed by its search engine, and Google was ordered to delist several webpages.

In 2018, the Swedish DPA followed up on the audit and discovered Google had not delisted all the search results detailed in the order. The GDPR fine relates to two of the listings Google was ordered to remove. In one case, Google’s interpretation of the web addresses that needed to be removed was determined to be too narrow. In the second case, Google failed to delist the search result listing without undue delay.

The Swedish DPA also found that when Google delists webpages, notifications are sent to website owners alerting them about the removal of the content from its listings, and information is provided about who made the request. These notifications ensure website owners are made aware of the delisting, but they also mean the website owners can simply republish the delisted content on a different URL.

The Swedish DPA said that this approach undermines the effectiveness of the right to be forgotten, stating “Google does not have a legal basis for informing site owners when search result listings are removed, and furthermore gives individuals misleading information by the statement in the request form.”

“We disagree with this decision on principle and plan to appeal,” said a spokesperson for Google in a statement about the financial penalty. Under EU law, the appeal must be launched within 3 weeks.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.