600.000 EUR fine to Google Belgium for misapplying the right to be forgotten

19.11.2020

The right to be forgotten is one of the more complex rights in the GDPR, requiring a careful balancing of principles and interests. In a recent case before the Belgian data protection authority, Google Belgium was accused of interpreting the right too narrowly. The authority agreed, and imposed a significant fine.

The Belgian data protection authority recently examined a case where a citizen complained about a decision by Google, in which Google denied the citizen's invocation of their right to be forgotten. As is typical of such cases, the citizen argued that Google's search engine referenced search results which were dated and no longer relevant, and which were disproportionately harmful to their interests.

The right to be forgotten is one of the more complex rights in the GDPR, requiring a careful balancing of principles and interests. The nature of the data being targeted matters, as does the degree of harm to the data subject, and their personal status: public figures are generally required to bear a broader burden in relation to publications affecting them privately.

This particular case related to a citizen holding a public but non-political office, who used to have an affiliation with a political party. Since these affiliations were publicly known and published in the press (including online), searches for the citizen's name still clearly indicated their past political affiliation. In addition, the citizen had in the past faced legal proceedings for harassment, but this complaint had been dismissed. The complaint still appeared in search results as well. The citizen argued that, since these issues were both a matter of the past, it was no longer reasonable and indeed actively harmful to link them to such articles. Google declined to remove both categories of links.

The authority ultimately sided with the citizen, but only in relation to the harassment complaint. Given the public office held by the citizen, the authority ruled that their past political affiliation was still relevant as being a matter of public interest. The continued linking to the dismissed legal complaint however was deemed to be unlawful, and Google's refusal to suppress these links were deemed a clear violation of the GDPR, given that Google was aware of the dismissal. The authority therefore imposed a 600.000 EUR fine - the highest Belgian fine to date.

The case is highly interesting on two counts. Firstly, it shows the great importance (and arguably unpredictability) of factual assessment in such proceedings: political affiliation was deemed sufficiently relevant to be maintained, dismissed legal complaints were not. The decision might have been very different if the citizen was running for an electable office, and likely also if the complaints had not been dismissed. Search engines are required to engage in a careful balancing act in such matters.

Secondly, the case is relevant because of the relative magnitude of the fine: 600.000 EUR is the highest fine imposed in Belgium thus far, and also a very significant sum for what is ultimately a reasonable disagreement on the outcome of a balancing exercise. However, the Belgian data protection authority continued its reasoning as also set out in prior discussions, taking the turnover of the data controller and its mother company Google Inc (slightly over 161 billion USD) into account as a key yardstick for establishing a fine. Based on that logic and Google's financial position, it qualified the fine as reasonable and proportionate.

https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-37-2020.pdf

 

Article provided by: Hans Graux (Time.lex, Belgium)

 

 

Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.