Belgium’s Data Protection Authority (APD) fined Google Belgium €600,000 (U.S. $670,000) for refusing to delete search results linked to a Belgian public official, a provision of the EU’s General Data Protection Regulation (GDPR) known as the “right to be forgotten.”
The APD announced the fine Tuesday as punishment for Google Belgium’s “serious breach” of the GDPR for refusing to delete search results, known as dereferencing. The fine is the largest ever levied by the APD; the previous high was a fine of €50,000 (U.S. $56,000).
The public official had appealed to the APD to force Google Belgium to delete two search results after the internet giant’s subsidiary refused to do so. In response, the APD issued the fine regarding Google Belgium’s refusal to delete one search result but agreed with its stance on the other.
The search result that drew the fine involved “a complaint of harassment against” the public official, who said the harassment claim had been “declared unfounded many years ago,” according to the APD.
“The APD considers that the request for dereference is well founded and that Google has expressed a serious breach by refusing it,” the APD wrote in its translated press release. “Since the facts have not been established, are old, and are likely to have serious repercussions for the complainant, the rights and interests of the person concerned must prevail.” The APD called Google’s decision “particularly negligent, given that the company had evidence of irrelevance and out-of-date facts.”
The APD fined Google “for not having dereferenced the pages reporting the obsolete complaint against the complainant, for the lack of information provided to the complainant to justify the refusal of dereference,” and the lack of transparency in the dereference form.
A second search result related to “a possible political labeling” of the public official, a label which the official refuted. The APD agreed Google had the right to refuse to delete the search results, “considered that, given the role of the complainant in public life, maintaining their referencing was necessary in the public interest.”
The APD ordered Google to “stop referencing the pages concerned in the European Economic Area and to adapt its dereference request forms in order to provide more clarity in relation to which entity (ies) are responsible for this data processing.”
“In the right to be forgotten, a balance must be struck between, on the one hand, the right of the public to access information, and, on the other, any interests of the data subject,” said Hielke Hijmans, president of the APD’s litigation chamber. “If some of the articles cited by the complainant can be considered necessary for the right to information, the others, which relate to unproven harassment and are about 10 years old, must be able to be forgotten. By now providing links through its widely used search engine that can cause serious damage to the complainant’s reputation, Google has shown clear negligence.”
A spokesperson for Google and its parent company Alphabet said: “Since 2014, we’ve worked hard to implement the right to be forgotten in Europe and to strike a sensible, principled balance between people’s rights of access to information and privacy. We didn’t believe this case met the European Court of Justice’s criteria for delisting published journalism from search—we thought it was in the public’s interest that this reporting remain searchable. The DPA disagreed. We’re going to ask the Courts to decide.”
Google’s EU headquarters is based in Ireland, but it has been other EU countries—first France, then Sweden, and now Belgium—to issue fines against Google for GDPR violations.
France fined Google €50 million (U.S. $57 million) in 2019; then a French court shot down Google’s appeal last month. Sweden’s Data Protection Authority fined Google 75 million Swedish Kroner (U.S. $7.6 million) in March for its failure to comply with the GDPR, also related to the “right to be forgotten.”