Belgium: Belgian DPA imposes a EUR600,000 fine, its highest fine ever, on Google Belgium for non-compliance with right to be forgotten
- On 29 July 2020
Until recently, most decisions of the Belgian Data Protection Authority (Belgian DPA) concerned national companies or individuals.
However, on 14 July 2020, the Belgian DPA imposed a fine of EUR600,000 on Google Belgium SA/NV (Google Belgium) for not respecting a Belgian resident’s right to be forgotten. This is the highest fine ever imposed by the Belgian DPA.
In its decision, the Belgian DPA stresses the importance of its decision by calling it a “landmark decision” (“décision de principe”) in which it decides on certain “fundamental aspects” linked to de-referencing (on the basis of CJEU case-law), as well as on the demarcation of its powers to act.
The case against Google Belgium
The case against Google Belgium SA was initiated by a complaint filed with the Belgian DPA by a Belgian resident on 12 august 2019.
The complainant, an executive at an unnamed large company, had requested the removal of 12 URLs which he considered to be harmful to his reputation. These URLs concerned, on the one hand, search results regarding alleged links with a certain political party, and on the other hand, a harassment complaint declared unfounded in 2010. As Google had refused to remove several of the concerned links, the complainant referred the case to the Belgian DPA.
1. Competence of the Belgian DPA to act
The Belgian DPA declares itself competent to act against Google Belgium on the basis of article 55.1 GDPR, which grants supervisory authorities the right to exercise its powers on the territory of their own member states.
The one-stop-shop mechanism does not, in its opinion, apply because (i) there was no cross-border processing and (ii) Google Belgium’s counsel confirmed during the proceedings that Google Ireland Ltd (Google’s main establishment in the EU) is not involved in the processing activity that was the subject of the complaint and that Google LLC is the relevant data controller.
Building on the principles developed by the CJEU in the Google Spain and Google/CNIL cases, the Belgian DPA argued that:
- the GDPR applies to Google LLC on the basis of article 3.1 GDPR. Article 3.2 GDPR is not applicable in the absence of the appointment of a representative (article 27 GDPR);
- Google Belgium is an establishment of Google LLC , triggering the applicability of the GDPR under article 3.1;
- the personal data concerned are considered to be processed within the framework of the activities of said establishment.
Taking into account the fact that the complainant’s habitual residence and professional career were located in Belgium, the Belgian DPA considered that it was best placed to assess the impact on the data subject’s right to be forgotten1.
2. The de-referencing requests and its territorial scope
Concerning the territorial scope of the request to erasure/ right to be forgotten, the Belgian DPA held that, while the request could, in this instance, not have a worldwide scope (as requested by the complainant), it should however apply throughout the entire European Economic Area (EEA), as the mere de-referencing in Belgium would not be “useful”. According to the Google/CNIL judgement, the Belgian DPA consulted the other European data protection authorities in this regard by launching a request for voluntary mutual assistance under article 61 GDPR. The competent data protection authorities in Spain, Portugal, Hungary, Slovakia, Germany (Hamburg and Baden-Wuerttemberg), France, Italy and Ireland, all expressed their support for such European-wide de-referencing (except the authority from Hamburg), which gave sufficient comfort to the Belgian DPA to issue an EU-wide de-referencing order.
On the de-referencing request(s) itself, the Belgian DPA distinguished between (i) the search results regarding alleged links with a political party; and (ii) the search results regarding an old harassment complaint, taking into account in particular (a) the complainant’s role in public life and (b) whether the concerned links contained sensitive data.
Concerning the former, the DPA considered that the search results concerning purported links with a certain political party did not involve processing of sensitive data as alleged by the complainant and that the complainant’s de-referencing request regarding such search results was precluded by the right of freedom of expression and information conform article 17 (3), a) of the GDPR.
Thus, this part of the complaint was held to be unfounded by the Belgian DPA.
However, with the latter, the Belgian DPA considered that the search results concerning an old harassment complaint were no longer up-to-date and thus no longer relevant, as these did not mention the fact that this harassment complaint was declared unfounded in 2010. In this regard, the Belgian DPA took into account the fact that the veracity of allegations against the complainant were not established, were (over 10 years) old and were likely to have prejudicial consequences on the complainant’s professional and private life. Such search results could, according to the Belgian DPA, be considered no longer necessary to exercise the right of freedom of expression and information conform article 17 (3), a) of the GDPR. Hence, the Belgian DPA concluded that the fundamental rights and freedoms of the data subject must be held to override the legitimate interests pursued by the controller’s processing activity, so that Google should proceed with the de-referencing of the concerned search results.
This part of the complaint was thus held to be founded, and the Belgian DPA concluded that Google Belgium had infringed the complainant’s right to be forgotten, as well as, the complainant’s information right. Moreover, the Belgian DPA considered the former infringement to be a serious infringement, as Google had failed to act diligently while having all the information required to do so.
3. The sanctions imposed by the Belgian DPA
The Belgian DPA:
- ordered Google to de-reference the concerned search results relating to the old harassment complaint for all language versions for all users consulting Google from within the EEA;
- imposed an administrative fines of EUR600,000, based on Alphabet (the Google mother company)’s annual turnover during the three previous years; and
- ordered Google to clarify the ambiguity concerning the roles of the different entities involved, and in particular to clearly and precisely clarify which entity is the data controller for Belgium and for which processing activity.
The fine imposed on Google Belgium is the highest fine ever imposed by the Belgian DPA. Hielke Hijmans, President of the Dispute Chamber of the Belgian DPA, emphasised in the Belgian DPA’s press release that Google had clearly shown negligence by continuing to make available to users search results relating to old, unproven harassment allegations and considered that this was a “historic” decision. David Stevens, the President of the Belgian DPA, also indicated that this decision is “a testament to our ambition to enhance online privacy together with our fellow European regulators” and is part of how the Belgian DPA intends to “actively contribute to a true data protection culture on a European level as well”2.
While its precise ramifications remain to be seen, this decision from the Belgian DPA will undoubtedly resonate within Belgium and Europe. By declaring itself competent , the Belgian DPA seems to further push the boundaries of its territorial competence. Moreover, by forcing Google to clarify the (data protection) role distribution within the Google group, the Belgian DPA clearly shows its intent to challenge companies on their envisioned structure, where this would not sufficiently correspond with reality.
This is not the first time that Google incurs sanctions for refusing a dereferencing request. The Swedish data protection authority imposed in fine of EUR7 million on Google LLC in March of this year and recently, an Italian court ordered Google LLC, to pay damages in the amount of EUR25,0003.
1 Referring in this regard to the CJEU’s judgement in case C-509/09 and C-161/10 of 25 October 2011 (eDate Advertising) regarding infringement of a personality right and the victim’s main center of interests being the best place to assess such infringement.
3 This case was commented by Giulio Coraggio, partner DLA Piper Italy, in a recent article.
Heidi Waem, Giles Hachez, Camille Vermosen
For further information please contact the authors or any member of the DLA Piper Data Protection, Privacy and Security team at email@example.com