Google – Complaint Upheld (Austria, 2024)

On the 11 November 2021, the data subject filed an access request with Google LLC through a digital form provided by Google LLC, here controller 1. The data subject specifically requested not to be referred to privacy policies or settings. Google LLC responded to the access request by providing links to privacy policies and flagging that the data subject can download his data through his Google account. On the 15 December 2021, the data subject, represented by noyb filed a complaint with the Austrian DPA (Datenschutzbehörde – DSB) against Google LLC registered in the United States. The data subject alleged that Google LLC had infringed his right to access to information under Article 15 GDPR. The data subject brought forward that the information provided by Google LLC was only accessible through tedious collation of information included in different privacy statements and further this information was vague and not specifically related to the data subject and therefore inadequate. On the 15 March 2022, Google LLC submitted that it is only responsible for a select few data processing activities such as the removal of search results. As the access request was not related to this practice, Google LLC argued that Google Ireland Ltd. was the responsible controller. It claimed that controllership had been transferred from Google LLC to Google Ireland Ltd. on the 22 January 2019. Further in the proceedings, Google LLC brought forward that it now functions as a processor for Google Ireland Ltd. and that Google Ireland Ltd. is the sole responsible controller in the EEA and Switzerland. Controllership The DSB assessed that Google LLC qualifies as a controlling parent company based on for example the fact that Google LLC could not show that Google Ireland Ltd independently develops new products. The DSB drew on the CJEU case IAB Europe which demonstrated that joint controllership is established when both controllers influence the means and processing of data.