Home » 600,000 euro fine: Belgian DPA fines Google Belgium for not respecting the right to be forgotten

Follow this link to read the full version of the Belgian DPA’s decision (only available in French): https://lnkd.in/d2xyxQw

Link to press release in French: https://lnkd.in/gJSCxJ7

Link to press release in Dutch: https://lnkd.in/dyZbruy

Non-official English translation of the press release by EDPO below:

14 JULY 2020

The Belgian Data Protection Authority fined Google Belgium 600,000 euros for failing to respect a citizen’s right to be forgotten after Google refused his request to dereference obsolete articles that damage his reputation. This is the highest fine ever imposed by the Belgian DPA.

Request for dereferencing of web pages from Google Belgium

The complainant, who by virtue of his position plays a role in public life in Belgium, asked Google Belgium to delete search results linked to his name on the search engine (so-called “de-referencing”). Part of the pages that he wanted to be dereferenced in this way concerned possible political labelling, which he refutes; a second part relates to a complaint of harassment against him, which was declared unfounded many years ago. Google decided to not dereference any of the pages in question.

Right to be forgotten

Regarding the pages concerning political labelling, the Belgian DPA’s Litigation Chamber considered that, given the complainant’s role in public life, the maintenance of the referencing was necessary in the public interest and thus ruled in Google’s favor.

Regarding the pages concerning a complaint against the complainant, the Belgian DPA believes that the request for dereferencing is well-founded and that Google demonstrated a serious breach by refusing it. Since the facts were not established, are old, and are likely to have serious repercussions for the complainant, the rights and interests of the person concerned must prevail. According to the Litigation Chamber, Google was particularly negligent given that the company had evidence that the facts were irrelevant and outdated.

Hielke Hijmans, President of the Litigation Chamber: “In the right to be forgotten, a fair balance must be struck between the public’s right to access information on the one hand and the rights and interests of the person concerned on the other. While some of the articles cited by the complainant may be considered necessary for the right to information, the others, which relate to unproven acts of harassment that are about 10 years old, must be allowed to be forgotten. By maintaining links accessible via its search engine, which is widely used by Internet users and which can cause significant damage to the complainant’s reputation, Google has shown clear negligence.”

The penalty: 600,000 euro fine

The Belgian DPA thus imposed a fine of 600,000 euro on Google for failing to dereference the pages which report the outdated complaint against the complainant, for the lack of information provided to the complainant to justify the refusal to dereference the pages, and for the lack of transparency in the dereferencing form proposed by Google.

It also orders Google to cease referencing the pages concerned in the European Economic Area and to adapt its dereferencing request forms to provide more clarity as to which entity or entities are responsible for this data processing.

This fine imposed on Google is the highest ever decided by Belgian DPA. To this day, the highest fine imposed by its Litigation Chamber was €50,000.

Hielke Hijmans adds: “This decision is historic for the protection of personal data in Belgium, not only because of the amount of the sanction, but also because it ensures that the full and effective protection of the citizen is maintained in cases related to large international groups such as Google, whose structure is very complex.”

The Belgian DPA’s competence vis-à-vis Google Belgium

In the case at hand, Google argued that the complaint cannot be well-founded because it is brought against Google Belgium, while the controller is not Google’s Belgian subsidiary, but Google LLC, based in California.

The Litigation Chamber did not accept this argument. In its view, the activities of Google Belgium and Google LLC are inextricably linked and, consequently, the Belgian subsidiary may be held liable.

This is crucial to ensure full and effective protection of the GDPR, as it is not easy for a national authority in Europe to exercise effective control and impose sanctions on a company located in the United States.

On the other hand, the Litigation Chamber followed Google’s argument that its principal place of business in Europe (Google Ireland) is not responsible for the dereferencing.

David Stevens, President of the Belgian DPA: “This decision is not only important for our Belgian citizens, it is also proof of our ambition to better protect privacy ‘online’ in collaboration with our European counterparts, which requires concrete actions against global players. In this way, we want to actively contribute to the development of a real data protection culture at European level.”

*Translated by EDPO