This is a doozy of an article with Spain taking the lead and suing Google and loses over 10 million Euro's because they are sending the right to be forgotten removals and requests overseas to the Lumen Project in a sneaky but creative effort to keep the stuff they really don't want to delete online. This time they got caught with their hand in the cookie jar as their usual protection with the Irish DPC taking years to handle and review a case is also being sued by the Irish Council for Civil Liberties over its slow movement on issues relating to Google complaints which may or may not be on purpose but from my friends who work at Google they sound off that the company isn't so "Don't Be Evil" anymore...
Full article can be found here: https://www.cpomagazine.com/data-protection/spain-hands-google-e10-million-gdpr-fine-for-violation-of-right-to-be-forgotten-rules/
"Spanish data protection authority Agencia Española de Protección de Datos (AEPD) called the two infringements that led to the GDPR fine “very serious.” Both relate to Google’s transfer of EU citizen data to an academic research project based in the United States.
The decision centers on the Lumen Project, an ongoing study conducted by Harvard’s Berkman Klein Center and supported by the Electronic Frontier Foundation. The project, which began in 2001, collects cease-and-desist letters related to online activity with an eye to determining any effect they might have on free speech. Google has contributed to the archive since 2002, first motivated to action when the Church of Scientology filed bad faith takedown requests in order to silence websites critical of them.
The Lumen Project has typically focused on takedown requests made under the United States Digital Millennium Copyright Act (DMCA), but has also begun collecting data deletion requests made by EU citizens under the rights granted by the GDPR. The first of the Spanish regulator’s findings was that Google could not demonstrate a legal right to pass these requests on to a third party, as it was not providing users with notification or a choice.
The AEPD also found that Google tripped over the “right to be forgotten” granted by Article 17 of the GDPR by putting the deletion request itself, and the attendant details, beyond their reach. The form that users were asked to fill out to request removal of their data from Lumen Project was also found to be faulty and confusing in its structure.
While AEPD has little recourse directly against Lumen Project, the organization has said that it has honored a request by the AEPD (via Google) to delete the data of users found to have been communicated to it without a legal basis. Google has said that it is reviewing the AEPD’s GDPR fine and that it is re-evaluating how it shares data with Lumen Project in light of the decision.
One of Google’s two prior GDPR fines also related to the right to be forgotten, but in that case a de-indexing stipulation for search engines that was first established in 2014 (and later incorporated into the GDPR terms). Sweden fined Google the equivalent of about $8 million in 2020 over failure to keep up with de-indexing requests in a timely manner and failure to remove the full range of web addresses attached to certain requests.
Jurisdiction and efficiency of GDPR fines called into question by Spain decision
The AEPD judgment is noteworthy not just for being a rare GDPR fine for Google, but also for shining a spotlight on a bottleneck of cases created by the Irish Data Protection Commission (DPC)’s lead role in regulating cases involving the tech giant."