Spain’s data protection authority has issued a record fine of 10 million euros (U.S. $10.6 million) against Google for two “serious infractions” of the European Union’s General Data Protection Regulation (GDPR).

The penalty is the highest to date issued by the Agencia Española de Protección de Datos (AEPD), topping the €8.15 million (then-U.S. $9.72 million) fine Vodafone Spain received in March 2021. The AEPD alleged Google violated Article 6 of the GDPR regarding lawful data processing and Article 17’s “right to be forgotten.”

The fine is the fourth for Google under the GDPR and second highest in value following the €50 million penalty (then-U.S. $57 million) the company was hit with in France in 2019. Other countries to sanction the tech giant include Sweden and Belgium. Google has yet to be fined in its European home country of Ireland, where its primary regulator is located in accordance with the one-stop shop mechanism of the GDPR.

The details: The AEPD alleged in a translated press release Google’s sharing of information with U.S. legal database Lumen violates the GDPR because it does not allow users to oppose it. Data being transferred includes identification, email addresses, and legal claims.

Google’s privacy policy also does not address these transfers of data to Lumen, according to the agency.

Regarding deletion requests, the AEPD faulted Google for making it difficult for users to successfully submit claims for removal of content. The system designed by Google might “end up marking an option that suits the reasons they consider appropriate to your interest but that separates you from your original intention, which may be clearly linked to the protection of your personal data, unaware that these options place you in a different regulatory regime because Google has wanted it that way,” the AEPD stated.

In addition to the penalty, the AEPD has required Google to erase all EU personal data communicated to Lumen and urged Lumen to do the same.

Google response: “We are reviewing the decision and continually engage with privacy regulators, including the AEPD, to reassess our practices,” a Google spokesperson said in an emailed statement. “We’re always trying to strike a balance between privacy rights and our need to be transparent and accountable about our role in moderating content online. We have already started reevaluating and redesigning our data sharing practices with Lumen in light of these proceedings.”