The Swedish Data Protection Authority imposes administrative fine on Google

11 March 2020

The Swedish Data Protection Authority imposes a fine of 75 million Swedish kronor (approximately 7 million euro) on Google for failure to comply with the GDPR. Google as a search engine operator has not fulfilled its obligations in respect of the right to request delisting.

In 2017 the Swedish Data Protection Authority (DPA) finalised an audit concerning how Google handles individuals’ right to have search result listings for searches that includes their name removed from Google’s search engine in case of for example lack of accuracy, relevance or if considered superfluous. In its decision the DPA concluded that a number of search result listings should be removed and subsequently ordered Google to do so.


In 2018, due to indications that Google had not fully complied with the previously issued order, the DPA initiated a follow-up audit. This audit is now finalised and the DPA is issuing a fine against Google.


– The General Data Protection Regulation, GDPR, increases the level of responsibility for organisations that collect and process personal data, and strengthens the rights of individuals. An important part of those rights is the possibility for individuals to have their search result delisted. We have found that Google is not fully complying with its obligations in relation to this data protection right, says Lena Lindgren Schelin, Director General at the Swedish DPA.


The Swedish Data Protection Authority is critical to the fact that Google did not properly remove two of the search result listings that the DPA had ordered them to remove back in 2017. In one of the cases Google has done a too narrow interpretation of what web addresses needed to be removed from the search result listing. In the second case Google has failed to remove the search result listing without undue delay.


When Google removes a search result listing, it notifies the website to which the link is directed in a way that gives the site-owner knowledge of which webpage link was removed and who was behind the delisting request. This allows the site-owner to re-publish the webpage in question on another web address that will then be displayed in a Google search. This in practice puts the right to delisting out of effect.


– In its delisting request form Google states that the site-owner will be notified of the request in a way that might result in individuals refraining from exercising their right to request delisting, thereby undermining the effectiveness of this right, says Olle Pettersson, legal advisor at the Swedish DPA who has participated in this audit of Google.


Google does not have a legal basis for informing site-owners when search result listings are removed and furthermore gives individuals misleading information by the statement in the request form. That is why the DPA orders Google to cease and desist from this practice.

Facts about the right to have search result listings removed
In May 2014 the Court of Justice of the EU ruled that an individual may request a search engine provider such as Google to remove a search result listing that contains the name of an individual in case the listing is incorrect, irrelevant or superfluous. This right was strengthened with the GDPR entering into force 25th May 2018. The right is however not absolute, you cannot demand that all search results are to be removed. Individuals who wish to exercise their right to request delisting should contact the search engine provider directly.

 

What happens next?
Google may appeal the decision of the Swedish DPA within three weeks. If Google decides not to appeal, the decision will enter into force by the end of that time period. Once the decision has entered into force it will be handed over to the Legal, Financial and Administrative Services Agency (Kammarkollegiet) that handles the administration of fines under the GDPR.

 

Note to editors:

The personal data processing in question is part of the processing operations carried out by Google as a search engine operator. For this part of Google’s activity it is Google LLC (parent company of the Google group) established in the United States that decides the purpose and means of the processing. Since there is no main establishment within the EU for this part of Google’s operations, each Supervisory Authority in the EU is competent for investigating possible infringements of the GDPR within their territory.

 

To read the press release in Swedish, click here

To read the full decision in Swedish, click here

For further information, please contact the Swedish SA: imy@imy.se

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.