What does the new Google decision by the Belgian DPA mean for other organisations?
On 14 July 2020, the Belgian DPA fined Google 600.000 EUR, by far the highest fine handed out to date in Belgium. The decision is interesting not just for Google (and Google users) but also for other organisations, due to the lessons it holds regarding international jurisdiction, special categories of personal data and the conditions for the right to erasure or "right to be forgotten".
The facts are fairly simple: 12 results of a Google search for X, the CEO of an undertaking ("dirigeant" in French), appeared to suggest ties between X and a specific political party or referred to an old harassment complaint that was set aside already in 2010. X, as data subject, requested the delisting of such results by Google; Google refused for various reasons (pages that did not appear to exist, pages that were inaccessible, pages which did not meet Google's criteria for removal).
1. Jurisdiction of the Belgian DPA over Google
The issue of international jurisdiction in data protection matters has been given much attention over the past few years as a result of the combination of case law of the Court of Justice of the European Union (CJEU), the GDPR's provisions on territorial scope (Art. 3 GDPR) and the "one-stop shop" mechanism in the GDPR, which provides for specific jurisdictional rules regarding the relationship between a "lead supervisory authority" and other supervisory authorities.