Sweden fines Google $8 million for right-to-be-forgotten violations and demands it keep websites in the dark

Sweden’s Data Protection Authority (DPA) has slapped Google with a 75 million kronor ($8 million) fine for “failure to comply” with Europe’s General Data Protection Regulation (GDPR) after the internet giant reportedly failed to adequately remove search result links under right-to-be-forgotten requests. In a notable twist, the DPA also demanded that Google refrain from informing website operators their URLs will be de-indexed.

The right-to-be-forgotten regulation, which dates back to 2014 in Europe, was designed to help people delist specific web pages that contain potentially “damaging” information. Rather than asking website operators to remove a web page, Google — and other search engines — are required to hide the page from European search results. Since the ruling took effect, Google has received millions of de-indexing requests, though it reports that fewer than 45% have been fulfilled.

The right-to-be-forgotten rule was bolstered back in 2018 with the introduction of GDPR, which ushered in far-reaching regulations that place a stronger onus on companies to ensure adequate data protections are in place — this also enshrined the right to have personal information removed upon request. The EU bloc can fine a company up to 4% of its total annual revenue after determining the business has taken insufficient measures to protect data.

The crux of the Swedish DPA’s complaint is that Google did not “properly remove” two search result listings after the DPA instructed it to do so back in 2017. “In one of the cases, Google has done a too narrow interpretation of what web addresses needed to be removed from the search result listing,” the DPA wrote in its statement. “In the second case, Google has failed to remove the search result listing without undue delay.”

But inadequate and tardy removals are only part of the issue, according to Sweden’s DPA, which also argues that Google should keep website operators in the dark about removal requests.

Notification

When Google approves a de-index request, it routinely lets the website operator know which web page is impacted and who was behind the request. So if a blogger knows that “http://www.mygreatblog.com/sensitivedata” will no longer show up in Google’s search results for certain search terms, they can simply move the content to another URL on their site to avoid being blacklisted. However, the DPA has now ordered Google to “cease and desist” the notification that sets this in motion.

“This, in practice, puts the right to delisting out of effect,” the DPA wrote, adding that this could deter individuals from “exercising their right to request delisting, thereby undermining the effectiveness of this right.”

This particular facet of the report will likely spark some debate. On the one hand, it’s easy to see why notifying a website owner about a de-indexing request runs contrary to the spirit of the right-to-be-forgotten rule. On the other hand, some might argue that a website owner should at least know that one of their pages is subject to a right-to-be-forgotten request. Google is now in a tricky situation in terms of ensuring transparency for all parties concerned.

“Google does not have a legal basis for informing site owners when search result listings are removed, and furthermore gives individuals misleading information by the statement in the request form,” the DPA added.

Google has landed in hot water over this practice in the past. When online news outlets have received notifications about articles that will be de-indexed, this has naturally led to articles about those removal requests — and Google has subsequently been asked to remove those links too.

With GDPR now in place, however, the heftier penalties could see the right-to-be-forgotten ruling applied much more stringently in the future.

GDPR so far

Nearly $150 million in GDPR fines have been handed out in the past two years. Google received the biggest fine to date when the French data privacy body hit it with a $57 million penalty. This could be eclipsed by British Airways, which is currently appealing a gargantuan $230 million fine over a major data leak.

If Google’s latest fine is upheld — the company has three weeks to appeal — it would rank among the top seven largest GDPR penalties of all time.

VentureBeat has reached out to Google for comment and will update here when we hear back.
