In one of many lawsuits brought against Google (GOOGL 0.55%) stemming from a change in its privacy policy first announced in January 2012 and instituted in March of that year, Spain's data protection agency, Agencia Espanola Proteccion de Datos (AEPD), announced today it has ruled the search giant committed three "serious" user privacy violations, and fined Google $411,000 for each offense, for a total penalty of $1.23 million.
The AEPD found that Google's privacy policy does not adequately inform users of what data is collected when a Google-affiliated site is visited, including its search engine, what the collected data is used for, nor how long data is housed. As such, according to the AEPD, Google violated users' "right to the protection of personal data laid down in article 18 of the Spanish Constitution and regulated in the LOPD [Law on the Protection of Personal Data]."
The AEPD added that it also found Google makes it difficult, if not impossible, for users to access and either delete or update their own data by using "scattered" links, multiple web pages, and some pages that are not available to all users.
The AEPD asked Google to "implement without delay the necessary measures to meet the applicable legal requirements." According to The Associated Press, Marisa Toro, Google's spokesperson in Spain, said the company was studying the statement.
In addition to lawsuits filed in the U.S. citing similar concerns over Google's privacy policy, the AEPD's findings come on the heels of a European Union (EU) joint investigation of the new policy that began in April 2013. The joint EU members found Google would need to adopt several changes in order to be in compliance with EU user privacy laws. However, "in the absence of any substantial reaction on the part of Google," the Spanish government pursued its own investigation.
