Spanish Data Protection Authority (aepd)-Google LLC (5/18/2022)

In the course of the lengthy investigation, the DPA found that Google had passed on personal data of data subjects to the so-called Lumen project.

Lumen is a project run by the Berkman Klein Center for Internet & Society at Harvard University. The project began in 2002 for the purpose of collecting requests relating to the removal of content from websites within and outside of the United States. This data may then be accessed by researchers and other interested parties.

Users of Google-operated platforms such as YouTube or Google Drive have the option of requesting that content about themselves on the platforms be removed. For this purpose, Google has provided various contact and complaint forms.

However, the data of the data subjects who use these forms was automatically transmitted to the Lumen project.
The data subjects did not have the opportunity to object to this transmission, because the automatic transmission to Lumen was a condition for using the forms.
For this reason, the DPA found that, due to the lack of possibility to object to the transfer of the data to Lumen, Google processed the data subjects’ data without a valid legal basis.

In this context, the DPA also found that Google did not sufficiently enable data subjects to exercise their right to erasure of their data.

When assessing the fine, the DPA took into account as aggravating factors that the data was not only disclosed, but also transferred to a third country without giving the data subjects the possibility to object to it. This deprived the data subjects of control over the handling of their personal data. In addition, the DPA found that the transfer took place over a very long period of time.
Also, a large number of individuals were affected and in some cases sensitive data was processed.