Sweden’s Data Protection Authority (DPA) has slapped Google with a 75 million kronor ($8 million) fine for “failure to comply” with Europe’s General Data Protection Regulation (GDPR) after the internet giant reportedly failed to adequately remove search result links under right-to-be-forgotten requests. In a notable twist, the DPA also demanded that Google refrain from informing website operators their URLs will be de-indexed.

Europe’s right-to-be-forgotten regulation, which dates back to 2014, was designed to help people delist specific web pages that contain potentially “damaging” information. Rather than asking website operators to remove a web page, Google — and other search engines — are required to hide the page from European search results. Since the ruling took effect, Google has received millions of de-indexing requests, though it reports that fewer than 45% have been fulfilled.

The right-to-be-forgotten rule was bolstered in 2018 by the introduction of GDPR, whose far-reaching regulations place greater pressure on companies to ensure adequate data protections are in place. GDPR also enshrined the right to have personal information removed upon request. The EU bloc can fine a company up to 4% of its total annual revenue after determining the business has taken insufficient measures to protect data.

The crux of the Swedish DPA’s complaint is that Google did not “properly remove” two search result listings after it was instructed to do so back in 2017. “In one of the cases, Google has done a too narrow interpretation of what web addresses needed to be removed from the search result listing,” the DPA wrote in its statement. “In the second case, Google has failed to remove the search result listing without undue delay.”

But inadequate and tardy removals are only part of the issue, according to Sweden’s DPA, which also argues that Google should keep website operators in the dark about removal requests.

Notification

When Google approves a de-index request, it routinely lets the website operator know which web page is impacted and who was behind the request. So if a blogger knows that “http://www.mygreatblog.com/sensitivedata” will no longer show up in Google’s search results for certain search terms, they can simply move the content to another URL on their site to avoid being blacklisted. However, the DPA has now ordered Google to “cease and desist” the notification that sets this in motion.

“This, in practice, puts the right to delisting out of effect,” the DPA wrote, adding that it could deter individuals from “exercising their right to request delisting, thereby undermining the effectiveness of this right.”

This particular facet of the report will likely spark some debate. On the one hand, it’s easy to see why notifying a website owner about a de-indexing request runs contrary to the spirit of the right-to-be-forgotten rule. On the other hand, some might argue that a website owner should be informed if one of their pages is implicated in a request. The new ruling will make it impossible for Google to keep everyone happy.

“Google does not have a legal basis for informing site owners when search result listings are removed, and furthermore gives individuals misleading information by the statement in the request form,” the DPA added.

Google has landed in hot water over its notification practice in the past. When online news outlets have received notifications about articles that will be de-indexed, they have naturally published stories about the removal requests — and Google has subsequently been asked to remove those links too.

With GDPR now in place, however, heftier penalties could see the right-to-be-forgotten ruling applied much more stringently in the future.

GDPR so far

GDPR fines handed out in the past two years amount to nearly $150 million. Google received the biggest fine to date when the French data privacy body hit it with a $57 million penalty. This could be eclipsed by British Airways, which is currently appealing a gargantuan $230 million fine over a major data leak.

If Google’s latest fine is upheld — the company has three weeks to appeal — it would rank among the seven largest GDPR penalties of all time. Google confirmed to VentureBeat that it does indeed intend to file an appeal.

“We disagree with this decision on principle and plan to appeal,” the spokesperson said.