Sweden’s Data Protection Authority has fined internet giant Google 75 million Swedish Kroner (U.S. $7.6 million) for its failure to comply with the General Data Protection Regulation (GDPR).
It is Google’s second fine to date under Europe’s strict data privacy rules (it received a €50 million (U.S. $56 million) fine from the French Data Protection Authority in January 2019), and it’s the ninth highest penalty handed out to a company since the GDPR took effect in May 2018, according to the GDPR Enforcement Tracker.
In 2017 the Swedish Data Protection Authority finalized an audit concerning how Google deals with an individual’s “right to be forgotten,” which means people can have search result listings for searches that include his or her name removed if, for example, the inclusion of such details were shown to be inaccurate, irrelevant, or superfluous.
The “right to be forgotten” has been in place under EU law since 2014 and was bolstered further by the introduction of the GDPR four years later. It is not, however, an “absolute” right: Individuals can request a search engine to remove their details—not demand it to do so.
Following its audit, the watchdog concluded a number of search result listings should be removed and subsequently ordered Google to do so.
The regulator initiated a follow-up audit in 2018, however, after it found Google had not fully complied with the previously issued order.
The regulator found Google did not properly remove two of the search result listings it had ordered the company to remove back in 2017. In one of the cases, the regulator said the search engine had taken “too narrow an interpretation” of what Web addresses needed to be removed from the search result listing. In the second case Google had failed to remove the search result listing “without undue delay.”
The agency was also critical of Google’s approach to “delisting” such information generally.
The regulator explained when Google removes a search result listing, it notifies the Website to which the link is directed in a way that gives the site owner knowledge of which Webpage link was removed, as well as who was behind the delisting request. This allows the site owner to re-publish the Webpage on another Web address that will then be displayed in a Google search, thereby republishing the same information without correction and “undermining the effectiveness of the right to be forgotten,” says Olle Pettersson, legal advisor at the Swedish Data Protection Authority.
“We disagree with this decision on principle and plan to appeal,” a Google spokesperson said.