Belgium: Belgian DPA fines Google Belgium €600,000 for violation of right to be forgotten, imposes subsidiary responsibility
The Belgian Data Protection Authority ('the Belgian DPA') issued, on 14 July 2020, a decision in which it fined Google Belgium SA €600,000, its highest fine to date, following Google's refusal of a Belgian citizen's request to be dereferenced from outdated articles considered to be seriously damaging to their reputation, as well as a lack of transparency in Google's form for dereferencing requests. In particular, the Belgian DPA agreed that certain articles pertaining to the individual's relation to certain political parties, given their public role, were of public interest and could remain online. However, the Belgian DPA found that articles concerning unfounded harassment complaints could have serious repercussions for the individual and Google Belgium was therefore negligent in refusing this request for dereferencing. As a result, the Belgian DPA imposed a fine of €500,000 for violations of Articles 17 (1)(a) and 6(1)(f) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), as well as a fine of €100,000 for violation of Article 12(1)(4) of the GDPR. Furthermore, the Belgian DPA requested that Google Belgium both remove the concerned articles and adapt, within two months of the issuance of the decision, its forms for dereferencing requests in order to provide more clarity as to which entity acts as data controller for which processing activities.
In addition, in terms of the Belgian DPA's jurisdiction, the Belgian DPA found that, despite Google claiming that the complaint has no basis since it was brought against Google Belgium while the data controller is Google LLC, the activities of Google Belgium and Google LLC are inextricably linked and that, as a result, Google Belgium can be held responsible.