Belgian DPA’s 600.000 EUR fine record against Google for GDPR infringements

In a Decision dated 14 July 2020, the Belgian Data Protection Authority (DPA) imposed a record administrative fine of 600.000 EUR against Google Belgium for non-compliance with provisions of the GDPR, i.e. mainly the right to erasure (right to be forgotten) and its application to search engines, the right to de-referencing.

Before his complaint to the Litigation Chamber of the DPA, the complainant asked Google, by way of the latter’s online form, to erase links referring on the one hand 1) to content suggesting ties between him and a Belgian political party and, on the other hand, 2) to information reporting a harassment complaint against him. He considers that this political labelling is inaccurate and that the content relating to the complaint is no longer up to date since it was declared unfounded several years ago. Google rejected this request.

1. The DPA has jurisdiction over Google Belgium SA

The Litigation Chamber rejects the application of the “one-stop shop” mechanism that applies to cross-border processing. So, even though Google has its European main establishment in Ireland (Google Ireland Ltd), according to the Litigation Chamber, the data processing in the present case does not fall within the activities of Google Ireland Ltd (§§ 26 and 30). Indeed, the development and management of the search engine is an exclusive competence of Google LLC (§ 28).

The Litigation Chamber then confirms its jurisdiction over Google Belgium SA (a subsidiary of Google LLC), which is considered to be responsible for processing the complainant's applications for de-referencing. Although Google Belgium does not determine the purposes and means of the processing in the strict sense (§ 49), the processing is carried out in the context of the activities of Google Belgium. In application of the Google Spain (C-131/12) and Wirtschaftsakademie (C-210/16) case law, the Litigation Chamber states that Google Belgium constitutes an “establishment”, thereby triggering the application of the GDPR (§ 48). Consequently, it declares itself competent to treat the complaint against Google Belgium.

2. The DPA analyses the disputed links

Two elements are highlighted before the analysis of the disputed URLs. Firstly, the Litigation Chamber confirms that the complainant is a public person (§ 107). Secondly, it considers that the disclosure of ties between the complainant and the political party does not automatically imply a disclosure of the political opinions of the complainant. Therefore, the specific framework regarding political data does not apply (§ 112).

Taking these two premises into account, the Litigation Chamber validates Google's decision to maintain the links relating to the political ties. Pursuant to Article 17(3)(a) of the GDPR, the links are indeed deemed necessary for exercising the right of freedom of expression and information.

As regards the refusal to erase the links to the harassment complaint, the DPA rules that Google does not comply with the provisions of the GDPR. Under a balance of interests test, the Litigation Chamber underlines the dated nature of the information and the lack of updates to conclude that maintaining these links (referring to dated information) on the basis of the right to freedom of expression and information is not justified (§ 153).

3. The DPA fines Google Belgium SA

The Litigation Chamber concludes that Google has infringed the right to erasure (Art. 17(1)(a)), the principle of lawfulness of processing (Art. 6(1)(f)), and the principle of transparency (Art. 12(1) and (4)).

The Belgian DPA therefore 1) requires Google Belgium to cease referencing the disputed links with effect throughout the European Union (§ 91), and 2) fines Google 600.000 EUR. This high amount is justified by the seriousness of the breach and the fact that the violation of Article 17(1)(a) constitutes a violation of an essential principle of the GDPR (§ 175).

4. Conclusion

This decision is a decision of principle (§ 13): the Litigation Chamber wanted to take this opportunity to settle some fundamental aspects relating to the right of de-referencing and to the jurisdiction of the DPA.

As regards the implementation of the right to be forgotten, the Litigation Chamber however essentially applies the recent developments of the CJEU case law. On the other hand, the decision is interesting because, as of today, it is the highest fine imposed by the Belgian DPA, but also (and above all) because it specifically deals with the right to be forgotten that the DPA qualifies as a “clear obligation” (§§ 175, (iv) and 163). This statement may be surprising since this right is still being built and understood as EU decisions thereon are being taken. In fact, the application of the right to be forgotten does not seem very clear (yet).

Finally, the DPA’s decision affects not only Google and search engines but also other companies and/or organisations, as they regularly need to check the accuracy of the personal data and the lawfulness of their processing activities. In addition to that, companies or organisations must be able to give clear information on the exercise of the data subject rights. This should thus become easier, as the scope of the data subject rights are (become) clear(er).

By Edouard Cruysmans, Cyril Fischer and Erik Valgaeren.