16/07/20

What does the new Google decision by the Belgian DPA mean for other organisations?

On 14 July 2020, the Belgian DPA fined Google 600.000 EUR, by far the highest fine handed out to date in Belgium. The decision is interesting not just for Google (and Google users) but also for other organisations, due to the lessons it holds regarding international jurisdiction, special categories of personal data and the conditions for the right to erasure or "right to be forgotten".

The facts are fairly simple: 12 results of a Google search for X, the CEO of an undertaking ("dirigeant" in French), appeared to suggest ties between X and a specific political party or referred to an old harassment complaint that was set aside already in 2010. X, as data subject, requested the delisting of such results by Google; Google refused for various reasons (pages that did not appear to exist, pages that were inaccessible, pages which did not meet Google's criteria for removal).

1. Jurisdiction of the Belgian DPA over Google

The issue of international jurisdiction in data protection matters has been given much attention over the past few years as a result of the combination of case law of the Court of Justice of the European Union (CJEU), the GDPR's provisions on territorial scope (Art. 3 GDPR) and the "one-stop shop" mechanism in the GDPR, which provides for specific jurisdictional rules regarding the relationship between a "lead supervisory authority" and other supervisory authorities.

The entire analysis will likely be of keen interest to many data protection lawyers and academics throughout the European Union, but for the purposes of this newsletter we have sought to identify the most practical considerations.

a) Belgium vs Ireland: inapplicability of "one-stop shop" mechanism

Google disputed the jurisdiction of the Belgian DPA's Litigation Chamber by stating that:

(i) Google's "main establishment" in the EU for the purposes of the GDPR is Google Ireland Ltd;

(ii) Google Ireland Ltd is "controller" within the meaning of the GDPR for processing of user data (e.g. search history, to help adapt search results);

(iii) As a result of the "one-stop shop" mechanism, only the Irish Data Protection Commissioner (the "Irish DPC") – the lead supervisory authority – should handle such cases.

However, those activities regarding user data were not – seemingly of Google's own admission – the same as the processing activities examined in the case at hand (search engine indexing). For the latter, Google stated that Google LLC (in the USA) was the controller.

Moreover, on 23 June 2020 – i.e. towards the end of the case before the Litigation Chamber – Google LLC itself sent a letter to the Irish DPC stating it would no longer object to local (national, non-lead) supervisory authorities exercising local data protection jurisdiction within the scope of Google LLC's responsibilities. It is likely this letter will become important in "right to be forgotten" cases throughout the European Union.

The Litigation Chamber used these admissions by Google to consider that Google Ireland Ltd was not the relevant controller for search engine indexing (and delisting, i.e. removal from search results) but that it was Google LLC. There remain certain inconsistencies and grey zones here (it is not entirely clear where Google LLC's controllership on search results ends in Google activities, and where Google Ireland Ltd's controllership regarding "adapting" search results starts), and this appears to have been a factor in the Litigation Chamber's reasoning.

As a result, despite the designation of the Irish DPC as lead supervisory authority, the Belgian DPA could have jurisdiction because the case did not relate to Google Ireland Ltd's processing activities.

What does this mean for other groups of companies or organisations?
Having a clear description of responsibilities in a group helps clarify jurisdiction – and avoid protracted arguments about which entity should be involved in proceedings. In addition, the one-stop shop mechanism might not prevent other supervisory authorities from examining processing activities that do not relate to the activities of the main EU establishment.

b) Belgium vs United States: local activities creating jurisdiction over controller abroad

The Litigation Chamber then examined whether Google Belgium SA, Google's entity in Belgium providing consultancy services for the commercialisation of other Google entities' services in Belgium, was the appropriate defendant – i.e. the controller for search engine indexing – in this case.

In practice, the Litigation Chamber applied the Google Spain and Google v CNIL judgments of the CJEU to consider that Google Belgium SA's activities and those of Google LLC were "inextricably linked", such that "the processing in question is carried out in the context of the activities of Google's establishment in Belgium" and Google Belgium SA "can be treated in the same manner as a controller of data processing carried out in the framework of the functioning of the Google search engine and the management of delisting requests in Belgium".

The Litigation Chamber then applied the Wirtschaftsakademie judgment of the CJEU, setting out reasons for which in the Litigation Chamber's view this judgment (which, like Google Spain, is based on rules that predate the GDPR) remains relevant in the framework of the GDPR. The outcome of applying the principles set out in Wirtschaftsakademie here was that Google Belgium SA could be kept as sole defendant in this case, and that it did not matter whether the actual processing in this case was carried out in Belgium or outside of the European Union by Google LLC employees.

What does this mean for other groups of companies or organisations?
Structure data processing activities as you see fit, but know that local supervisory authorities will always seek to give effect to the protections foreseen by the GDPR, drawing arguments from recent case law of the CJEU.

c) Territorial scope of delisting

Finally, the Litigation Chamber examined what scope a delisting request should have. Based on the aforementioned Google v CNIL judgment, the Litigation Chamber held that a global delisting request was not justified for various reasons (the plaintiff did not show "that he is also affected regarding his interests in (the territory of) other Member States or other States", but also there was no clear basis that would allow the Litigation Chamber to order a global delisting).

At the same time, the Litigation Chamber appeared to suggest that a delisting request could not be limited to Belgium: "delisting can only be effective if it applies to searches carried out from outside of Belgium. Within the European area without internal borders, it would not be useful to order a delisting limited to searches carried out from the Belgian territory". However, the Litigation Chamber did not explicitly state which European versions of Google should be impacted by the delisting request in the case at hand.

What does this mean for other companies or organisations?
Most organisations are not search engine operators, so delisting requests can appear irrelevant. However, they are a specific implementation of the right to erasure (Art. 17 GDPR). The key lesson for other organisations is that the implementation of an erasure request must be effective – which translates into territorial scope for search engine operators with national versions of the search engine, but may also translate into the range of systems examined for other organisations. For instance, backups and archives might not have to be included by default, but any process for retrieving data from an archive should take erasure requests into account where appropriate.

2. Assessment of the delisting requests

Having established that it had jurisdiction over the case in question and Google Belgium SA (and through it, Google LLC's activities), the Litigation Chamber examined the delisting requests themselves and whether Google had acted in breach of the GDPR.

a) Circumstances relevant for all delisting requests

Delisting of search results is fundamentally a limitation of the right of freedom of expression and information. According to the Litigation Chamber, therefore, two key considerations for all delisting requests are the following:

  • whether the data subject plays in public life, and
  • whether the search results contain special categories of personal data (Art. 9 GDPR) – in this particular case, data on political views.

As regards the first aspect, the Litigation Chamber concluded that the data subject played a role in public life, which meant that a higher threshold applied before the right to erasure could prevail over the right of freedom of expression and information.

On the second aspect, the data subject had claimed that the results showed ties between him and a specific political party, and that there was therefore processing of special categories of personal data. The Litigation Chamber disagreed, noting that the results in question merely showed professional ties with the relevant party (e.g. the fact that the data subject had the support of the party in question for a particular position) but did not reveal the data subject's own political opinions – while Art. 9 GDPR specifically states that it covers personal data that reveals political opinions.

b) Appropriateness of delisting requests

On the basis of these considerations, the Litigation Chamber examined each individual delisting request and determined whether the request was justified (i.e. prevailing over freedom of expression and information), excessive (i.e. freedom of expression and information prevailed) or no longer relevant (because the search result no longer appeared in the first pages of a Google search).

The Litigation Chamber rejected the delisting requests for 8 results. However, it confirmed the delisting request for the remaining 4 results, which were deemed to concern personal data that was not up to date and was no longer relevant. The articles in question were deemed  to be old (approximately 10 years) and based on unproven allegations; in addition, the Litigation Chamber stated that the allegations could have harmful repercussions in the data subject's professional and private life. As a result, despite having once potentially helped create a public debate, the results in question were obsolete and no longer necessary.

c) Assessment of Google's actions

In exchanges with the data subject, Google had rejected the delisting request for those last 4 results, and the Litigation Chamber considered that this rejection was in breach of Article 17 GDPR (as the erasure request was justified) and that by continuing to display the search results, Google was also in breach of Article 6 GDPR (as the processing was no longer lawful).

In addition, because Google merely sent a short response without explanations as to the reasons for rejecting the request, the Litigation Chamber considered that Google was in breach of Article 12 GDPR (transparency obligations).

The Litigation Chamber concluded that a fine was appropriate for each of these GDPR violations: 500,000 EUR for the violation of Articles 17 and 6 GDPR, and 100,000 EUR in addition for the violation of Article 12 GDPR.

What does this mean for other companies or organisations?
Keep personal data up to date and relevant, for instance through regular data quality checks, and ensure that if you reject a data subject request, you provide a justification. 

3. Conclusion

This Google decision is significant for the Belgian DPA, as it shows the Litigation Chamber's approach in terms of international jurisdiction and represents at the same time the highest fine it has handed down to date.

For organisations other than Google, it also contains useful guidance in relation to the structuring of data processing activities, the importance of data quality processes and requirements in relation to the handling of data subject requests. If you feel that it may be worthwhile looking over your processes once more, feel free to reach out.

The decision is available in French.

dotted_texture