Right-to-be-forgotten Breaches Lead to $8m GDPR Fine for Google in Sweden

In Sweden, the Data Protection Authority (DPA) hit Goggle with a 75 million kronor (US$8 million) General Data Protection Regulation Penalty (GDPR) for a “failure to comply with the right to be forgotten.

This decision was taken after Google was found to have constantly come up short when asked to remove search result hyperlinks in line with right-to-be-forgotten requests. Along with this there was a surprising move when the DPA also demanded that Google end informing website owners that their URLs is about to be de-indexed following the completion of their request.

Under the right-to-be-forgotten regulation, which was created prior to the introduction of GDPR on May 25 2018, a process was implemented that would allow for the delisting of certain web pages that contain potentially “damaging” information. In its essence, it permitted those who the information related to the right to contact Google, and other search engines, and ask that information be removed from Search Engine Result Pages. Since the ruling took effect in 2014, millions of de-indexing requests have been sent to Google. However less than half of these requests have been completed to date. In 2018 the right-to-be-forgotten rights were further enhanced with the previously-mentioned introduction of GDPR.

The report made referred to one instance which it stated: “Google has done a too narrow interpretation of what web addresses needed to be removed from the search result listing. In the second case Google has failed to remove the search result listing without undue delay”.

The Swedish regulator also admonished Google for advising websites’ owners that these links were due to be removed, which then allowed the owners to move the information to a different web address, according to the report.

The DPA stated: “Google does not have a legal basis for informing site-owners when search result listings are removed and furthermore gives individuals misleading information by the statement in the request form. That is why the DPA orders Google to cease and desist from this practice.”

Reacting to the report and the penalty, a Google representative said that the group “disagree with this decision on principle and plan to appeal.”

This decision by the Swedish Data Protection Authority comes as American companies are becoming subject to all of the EU data protections bodies applying GDPR more stringently in order to safeguard the private data of EU citizens. GDPR was created to improve cybersecurity and the EU Member States appear willing to apply it to the letter of the law which can lead to a fine of €20m or 4% of annual global revenue for the previous financial year for firms that do not adhere to it.