Data Protection Summer Dive - Fines imposed on digital services providers

Each week in July and August, our focus will be on a different topic that has been scrutinized by the Belgian Data Protection Authority. With a few simple tips, your summer cocktail of data protection news will be complete.

This week’s topic: Fines imposed on digital services providers

In two recent decisions, the Litigation Chamber of the Belgian Data Protection Authority (“DPA”) has imposed administrative fines on digital services providers. A fine of EUR 50,000 was imposed on a social network operator, and a fine of EUR 600,000 (highest administrative fine so far) was imposed on Google Belgium.

These decisions are however not only relevant for digital services providers. The most important “lessons learned” are summarized below.

1.    Social network operator

  • Belgian DPA volunteered to be the ‘lead authority’ in this case. Given the cross-border nature of the data processing activities, 23 EU supervisory authorities had declared their involvement.
  • Case referred to Inspection Service of Belgian DPA by Management Committee. Report of Inspection Service was transferred to Litigation Chamber, which found the “invite-a-friend” practices of the social network operator to be non-compliant.
  • Social network users had to import their address book, which meant that contact details of ‘non users’ ended up on the social network's servers. When adding contacts, members of the network were confronted with pre-ticked options, whereby their contacts were already selected.
  • Litigation Chamber found that:
    • defendant had no legal ground for storing and processing the personal data of non-users of and using them to send an invitation e-mail;
    • only the data subject whose personal data are processed can validly consent to the processing of his/her data, except in cases of parental consent or another legal power of attorney;
    • a user of a social media platform cannot give valid consent in the name and on behalf of a non-user of the social media platform; and
    • the storage of contact information of non-users can only be necessary in the context of "compare and forget" processes, and under certain strict requirements and safeguards.
  • The social network operator also invoked the “household exception” included in article 2, §2, c) GDPR. However, the DPA confirmed that the GDPR does apply to controllers or processors providing the means for processing personal data for such personal or household activities. They themselves cannot benefit from the “household exception”.

2.    Google Belgium

  • Activities of Google Belgium and Google LLC were deemed to be inextricably linked, and the Belgian subsidiary/establishment of the US data controller can therefore be held liable.
  • Fine imposed for failure to comply with the right to be forgotten, after Google rejected the data subject’s request to remove from its search results outdated articles that damaged his reputation.
  • Litigation Chamber considered that a fair balance must be struck between the public's right of access to information, on the one hand, and the rights of the person concerned, on the other hand.
  • Regarding web pages referring to possible links with a political party, the Litigation Chamber found in Google’s favour. It took the view that, considering the plaintiff’s role in public life, maintaining these pages in the search results was necessary for public interest reasons. Regarding the pages referring to a complaint against the plaintiff, it ruled that the request for removal was well-founded and that Google was negligent in refusing the request because it had evidence that the facts were irrelevant and outdated.
  • Also the lack of proper communication of the exact reasons for the refusal of the deletion request by Google, and the lack of transparency in the Google application form for deletion requests were emphasized.
  • Order to de-reference imposed by Belgian DPA extends to Google search results made available in the entire European Economic Area.