Belgian DPA’s 600.000 EUR fine record against Google for GDPR infringements

Belgian DPA’s 600.000 EUR fine record against Google for GDPR infring

Belgian DPA’s 600.000 EUR fine record against Google for GDPR infringements

11.08.2020 BE law

In a  decision dated 14 July 2020, the Belgian DPA imposed a record administrative fine of 600.000 EUR against Google Belgium for non-compliance with the GDPR.

In a Decision dated 14 July 2020, the Belgian Data Protection Authority (DPA) imposed a record administrative fine of 600.000 EUR against Google Belgium for non-compliance with provisions of the GDPR, i.e. mainly the right to erasure (right to be forgotten) and its application to search engines, the right to de-referencing.

Before his complaint to the Litigation Chamber of the DPA, the complainant asked Google, by way of the latter’s online form, to erase links referring on the one hand 1) to content suggesting ties between him and a Belgian political party and, on the other hand, 2) to information reporting a harassment complaint against him. He considers that this political labelling is inaccurate and that the content relating to the complaint is no longer up to date since it was declared unfounded several years ago. Google rejected this request.

1. The DPA has jurisdiction over Google Belgium SA

The Litigation Chamber rejects the application of the “one-stop shop” mechanism that applies to cross-border processing. So, even though Google has its European main establishment in Ireland (Google Ireland Ltd), according to the Litigation Chamber, the data processing in the present case does not fall within the activities of Google Ireland Ltd (§§ 26 and 30). Indeed, the development and management of the search engine is an exclusive competence of Google LLC (§ 28).

The Litigation Chamber then confirms its jurisdiction over Google Belgium SA (a subsidiary of Google LLC), which is considered to be responsible for processing the complainant's applications for de-referencing. Although Google Belgium does not determine the purposes and means of the processing in the strict sense (§ 49), the processing is carried out in the context of the activities of Google Belgium. In application of the Google Spain (C-131/12) and Wirtschaftsakademie (C-210/16) case law, the Litigation Chamber states that Google Belgium constitutes an “establishment”, thereby triggering the application of the GDPR (§ 48). Consequently, it declares itself competent to treat the complaint against Google Belgium.

2. The DPA analyses the disputed links

Two elements are highlighted before the analysis of the disputed URLs. Firstly, the Litigation Chamber confirms that the complainant is a public person (§ 107). Secondly, it considers that the disclosure of ties between the complainant and the political party does not automatically imply a disclosure of the political opinions of the complainant. Therefore, the specific framework regarding political data does not apply (§ 112).

Taking these two premises into account, the Litigation Chamber validates Google's decision to maintain the links relating to the political ties. Pursuant to Article 17(3)(a) of the GDPR, the links are indeed deemed necessary for exercising the right of freedom of expression and information.

As regards the refusal to erase the links to the harassment complaint, the DPA rules that Google does not comply with the provisions of the GDPR. Under a balance of interests test, the Litigation Chamber underlines the dated nature of the information and the lack of updates to conclude that maintaining these links (referring to dated information) on the basis of the right to freedom of expression and information is not justified (§ 153).

3. The DPA fines Google Belgium SA

The Litigation Chamber concludes that Google has infringed the right to erasure (Art. 17(1)(a)), the principle of lawfulness of processing (Art. 6(1)(f)), and the principle of transparency (Art. 12(1) and (4)).

The Belgian DPA therefore 1) requires Google Belgium to cease referencing the disputed links with effect throughout the European Union (§ 91), and 2) fines Google 600.000 EUR. This high amount is justified by the seriousness of the breach and the fact that the violation of Article 17(1)(a) constitutes a violation of an essential principle of the GDPR (§ 175).

4. Conclusion

This decision is a decision of principle (§ 13): the Litigation Chamber wanted to take this opportunity to settle some fundamental aspects relating to the right of de-referencing and to the jurisdiction of the DPA.

As regards the implementation of the right to be forgotten, the Litigation Chamber however essentially applies the recent developments of the CJEU case law. On the other hand, the decision is interesting because, as of today, it is the highest fine imposed by the Belgian DPA, but also (and above all) because it specifically deals with the right to be forgotten that the DPA qualifies as a “clear obligation” (§§ 175, (iv) and 163). This statement may be surprising since this right is still being built and understood as EU decisions thereon are being taken. In fact, the application of the right to be forgotten does not seem very clear (yet).

Finally, the DPA’s decision affects not only Google and search engines but also other companies and/or organisations, as they regularly need to check the accuracy of the personal data and the lawfulness of their processing activities. In addition to that, companies or organisations must be able to give clear information on the exercise of the data subject rights. This should thus become easier, as the scope of the data subject rights are (become) clear(er).


By Edouard Cruysmans, Cyril Fischer and Erik Valgaeren.


Related news

03.07.2020 NL law
E-book NOW-2: Second Temporary Emergency Bridging Measure Work Retention

Articles - On 17 March 2020, the Dutch cabinet announced the first emergency package of support measures to alleviate the economic consequences of the corona crisis. This emergency package inter alia comprised the First Temporary Emergency Bridging Measure for the purpose of Work Retention (“NOW-1”) and the Temporary Bridging Measure for Self-Employed Persons (“Tozo-1”).

Read more

29.07.2020 NL law
Over temperaturen ten tijde van corona

Articles - Met haar standpunt ten aanzien van het meten van temperaturen van werknemers, geeft de Autoriteit Persoonsgegevens (AP) verduidelijking over de reikwijdte van haar toezicht. Deze nuancering houdt in dat, als er geen sprake is van verwerking van persoonsgegevens, de AVG niet geldt en de AP dus niet handhavend kan optreden.

Read more

03.07.2020 NL law
E-book NOW-2: Tweede tijdelijke noodmaatregel overbrugging voor behoud van werkgelegenheid

Articles - Op 17 maart 2020 kondigde het kabinet het eerste noodpakket aan met steunmaatregelen om de economische gevolgen van de coronacrisis te dempen. Onderdeel van dit noodpakket zijn onder andere de Eerste tijdelijke noodmaatregel overbrugging voor behoud van werkgelegenheid (“NOW-1”) en de Tijdelijke overbruggingsregeling zelfstandige ondernemers (“Tozo-1”).

Read more