In its Decision 37/2020 of 14 July 2020 X c/Google (Decision) the Belgian Data Protection Authority (APD/GBA) fined Google Belgium 600,000 euros for failing to respect a citizen’s right to have certain harmful information delisted. (The right is sometimes referred to as the ‘right to be forgotten’). This is the highest fine imposed by the APD/GBA to date. The APD/GBA also ordered delisting of the content in the European Economic Area (EU + Iceland, Liechtenstein and Norway) – but it stopped short of ordering the worldwide ban that the Plaintiff (“X”) had called for.
Facts
X brought a complaint against Google Belgium SA (GB) complaining that GB had refused to deregister certain out of date articles appearing on web-pages available from Google Search (Search) which X alleged were damaging to X’s reputation. X has a prominent position in public life. The case therefore meant that the APD/GBA Litigation Chamber had to assess the correct balance between X’s fundamental rights to protection for personal data (Article 7 and 8 EU Charter of Fundamental Rights {EUCFR}) against the public interest right to freedom of information, (Article 11 EUCFR).
The decision has five operative parts each of which is summarised in the headings below.
1. Jurisdiction of the APD/GBA; and
2. Is Google Belgium a data controller for the purpose of the complaint?
The Litigation Chamber had asked to be informed about the roles of the different entities in the Google Group (GB, Google Ireland Ltd. and Google LLC, established in California (hereafter together ‘Google’). GB argued that the complaint was unfounded because the data controller was Google LLC in California.
That argument should be viewed in the light of the well-known May 2014 judgment of the CJEU in Costeja (Case C-131/12) which found that Google’s national subsidiaries in the EU are establishments of the company and that processing for Search is carried out in the context of the activities of those establishments – which makes them subject to EU data protection rules.
3. Although the APD/GBA accepted that Google LLC was the data controller it held that, because the activities of Google Belgium and Google LLC are inextricably linked, the Belgian subsidiary should be considered to be an establishment of the data controller within the EU, subject to compliance with EU data-protection rules and against whom X’s complaint could properly be brought. The territorial application of a request for delisting
X requested a worldwide delisting. The Litigation Chamber had some doubts that a worldwide delisting might be unenforceable. On the other hand it consulted informally with its counterpart supervisory authorities on an EEA-wide delisting to ensure that they considered such an order would not disproportionately infringe the freedom of information of Internet users in other Member States. With one exception the other authorities supported such a course of action.
4. X’s specific requests for delisting
X made two categories of specific de-listing requests, first concerning political affiliation and second regarding an allegation of harassment that had been declared unfounded more than ten years ago. Google decided not to de-list any of the pages in question. The APD/GBA found that maintenance of the pages concerning X’s political affiliation was in the public interest in view of X’s role in public life. However, concerning the harassment allegations, APD/GBA found the request for delisting was well-founded and that Google’s refusal was negligent and constituted a serious breach because it had clear evidence that the facts alleged had been dismissed.
5. Infractions of the GDPR and the penalties applied
The €600,000 fine imposed took account of the lack of transparency in the delisting form that Google provided, the lack of information provided to X to justify the refusal to delist as well as the negligent refusal to delist the historical allegations of harassment. Google was also ordered to change its de-listing request forms so as to clarify which entity or entities are the data controller(s) responsible for the data processing.
Conclusions
In the APD/GBA Press Release Hielke Hijmans, Chairman of the APD/GBA Litigation Chamber, is reported to have commented: (our informal translation): ‘This decision is historic for the protection of personal data in Belgium, not only because of the amount of the penalty, but also because it ensures that full and effective protection of the citizen is supported in cases related to large international groups’ (…) whose structure is very complex. The Decision can be appealed within thirty days.
Practical takeaways from the case include that:
- Data controllers should ensure their privacy policies and their answers to data subject requests are precise and transparent.
- Data subjects have an interest in bringing their complaints before the competent data protection authorities (DPA) as the costs are likely to be less, the DPA has its own investigative powers and the procedure is likely to be quicker.
- The range of sanctions available to a DPA is important and they are being used more actively as experience of implementing GDPR builds up.
- The case confirms the Costeja jurisprudence that, as regards GDPR enforcement, where the activities of an EU subsidiary are inextricably linked with those of a data controller outside the EU a GDPR complaint may be legitimately brought against the EU subsidiary and the competent DPA will have jurisdiction to decide the complaint.
Leonard Hawkes
Of Counsel
leonard.hawkes@flinn.law
+32 2 274 51 88
FLINN.law
Avenue des Arts 46, 1000 Brussels, Belgium
+32 2 274 51 80
Disclaimer: This general memorandum may not deal with every important topic or cover all important aspects of the subject matter. It is not intended, and should not be used, as a substitute for seeking appropriate legal advice on specific questions.
Leave a Reply
Want to join the discussion?Feel free to contribute!