02/12/20

(Alleged) data protection infringement? Say bye-bye to your .be domain name

The Belgian Data Protection Authority (BDPA) published on 30 November 2020 a cooperation agreement with DNS Belgium, the registry for .be, on the consequences of (alleged) data protection infringements.

Under this cooperation agreement, DNS Belgium is tasked with suspending .be domain names that are linked to data protection infringements.

The procedure is meant to be used "when the Inspection Service or the Litigation Chamber of the BDPA conclude that a processing of personal data, carried out via a website linked to a .be domain name, constitutes an infringement on the fundamental principles of the protection of personal data, and where the controllers or processors do not act upon the order to (provisionally) suspend, restrict, "freeze" or cease a given processing of personal data within the imposed timeframe".

Inspection Service, Litigation Chamber, what?

The Inspection Service and the Litigation Chamber are two of the BDPA's five bodies, each of which has different tasks.

The Litigation Chamber is best known among the two, as it is the body within the BDPA with the power to impose sanctions for infringements – in a way, the "judge". Its powers include imposing fines as well as ordering a halt to specific processing activities (and it has already used this power, in some cases with a grace period).

The Litigation Chamber deals mostly with cases based on data subject complaints. When a data subject complains to the BDPA about a certain processing activity, a prior admissibility check is carried out, after which the complaint is transferred to the Litigation Chamber. In turn, the Litigation Chamber can decide to handle the complaint on its own or to request the Inspection Service to carry out an investigation.

Litigation Chamber referrals are not the only cases in which the Inspection Service has the power to investigate; it can also be tasked with an investigation by the Executive Committee (bringing together the five directors of the BDPA) and can even investigate of its own initiative when it "notes the existence of a practice that can give rise to an infringement on the fundamental principles of the protection of personal data".

According to the Act of 3 December 2017 creating the BDPA, the Inspector-General and inspectors of the Inspection Service can order a controller or processor to provisionally suspend, restrict or "freeze" a processing activity "if this is necessary to avoid harm that is serious, immediate and difficult to remedy" (the term in Dutch is "nadeel", which can be translated as "disadvantage" as well as "harm", but the French term is "préjudice", i.e. injury, damage or loss).

How does this .be mechanism work?

Based on this cooperation agreement, if the Inspection Service or the Litigation Chamber consider that there is a severe infringement and a refusal to comply with an order to suspend, restrict, (temporarily) freeze or cease a given processing of personal data, they are authorised to send a "notice and action" request to DNS Belgium.

DNS Belgium then informs the domain name holder (within 1 working day) that the "observed" infringement constitutes a violation of the DNS Belgium terms and conditions (which state notably that the domain name holder represents and warrants that the domain name is "not registered for an unlawful purpose" and is "not used in violation of any applicable laws or regulations").

Surprisingly, the cooperation agreement does not foresee any possibility for the domain name holder to defend itself vis-à-vis DNS Belgium before the following step occurs, namely the activation by DNS Belgium of a redirection of the domain name towards a warning page of the BDPA (the content of which is, according to the cooperation agreement, "in principle standard", though it is unclear whether this will be akin to the "blocked due to IP piracy" type of pages commonly used in case of infringements of intellectual property). 

As described in the cooperation agreement: "At the same time as the sending of the e-mail to the domain name holder, DNS Belgium takes the necessary technical measures to redirect the domain name in question towards a warning page of the BDPA, hosted by DNS Belgium. This measure has the effect of ensuring that the website initially linked to the domain name can no longer be visited through the domain name in question." (emphasis ours)

If DNS Belgium receives within 14 days confirmation that the necessary "reparation" (ready: remediation) measures and the BDPA does not protest, the link between the domain name and the website is re-established. Otherwise, the redirection is maintained during an additional 6-month period, after which the domain name is cancelled and placed in quarantine for 40 days. After that, it becomes available once more – for anyone to register.

What if the decision is wrong?

The cooperation agreement contains a reference to liability in case of wrongful decisions, stating that "the BDPA assumes responsibility for the classification of the infringement" and that if the domain name holder considers that this classification is "a mistake" that has caused him damage/loss, "the general civil liability rules apply vis-à-vis the BDPA". The choice of wording here is strategic: in Dutch, the term "fout" is used, which means both "mistake" and "tortious act"; in French, "erreur" is used – i.e. only "mistake". It is unclear whether this concept of "mistake" will cover e.g. the case in which the BDPA's decision is overturned on appeal.

Is this legal? And what about the rights of defence?

This situation makes it very clear that the Inspection Service can become prosecutor, judge and executioner, and all it takes is one small e-mail to DNS Belgium for it to cause significant (and sometimes lethal) damage to an organisation. This raises significant questions in terms of lawfulness of the entire cooperation agreement.

Moreover, the Inspection Service has repeatedly told us and our clients that there is no right to be heard before the Inspection Service, only an obligation for controllers and processors to provide whatever information they require (sometimes within unreasonable timeframes).

Even the Litigation Chamber's involvement can raise questions, given that its power to enforce its own decisions is disputed.

Yet there must be an effective right of appeal, as the Market Court (the appeal court for BDPA decisions) confirmed in a judgment of 16 September 2020 in a case we pleaded. On this basis, it is our impression that this cooperation agreement will be brought into question – whether before the Market Court or before other bodies.

In any event, this cooperation agreement could have a chilling effect in relation to the use of the .be domain name extension. If authorities are able to suspend it without respecting the rights of defence, and if the BDPA starts using this mechanism for e.g. the use of advertising cookies or the existence of incomplete privacy statements, it may have the unfortunate effect of discouraging the use of .be.

The cooperation agreement is available in French and in Dutch.

dotted_texture