Website blocking as a GDPR enforcement tool – Belgian DPA concluded protocol with DNS Belgium
Locations
1. Introduction
End of last year, the Belgian DPA ("BDPA") concluded a protocol with DNS Belgium – the not-for-profit entity managing domain names in Belgium – that has added a powerful enforcement tool to the BDPA's arsenal: when the BDPA concludes that a .be website infringes the GDPR it will have the power to take down the website.
2. Notice & Action procedure
Under the Protocol, the BDPA's Inspectorate and the Litigation Chamber can employ this so-called "Notice & Action procedure" as an accessory to their existing powers to suspend, limit, freeze or cease a data processing activity.
The Notice & Action procedure can only be initiated in cases where the Inspectorate or the Litigation Chamber has ordered a controller or processor to suspend, limit, freeze or cease a data processing activity which is considered unlawful.
If the controller or processor did not comply with this order within the timeframe provided, the BDPA can send a notice to DNS Belgium to initiate the Notice & Action procedure. It is worth adding that the Inspectorate can only invoke this procedure if there is "a serious and immediate harm that is difficult to repair". This is linked to the fact that it constitutes an interim measure, pending a decision on the merits by the Litigation Chamber.
Upon receipt of such a notice, DNS Belgium will take the following actions within 1 working day:
- First, it will inform the controller or processor of the BDPA's notice;
- Secondly, DNS Belgium will redirect the domain name at issue to a warning page of the BDPA, thus effectively blocking the website in question.
If the controller or processor fails to remedy the GDPR infringement within this cure period, DNS Belgium will maintain the redirection for an additional period of 6 months, following which it will cancel the domain name registration.
However, according to DNS Belgium, the procedure would only be used as a last resort in those cases where the GDPR infringements harm the interests of data subjects most and where they are committed knowingly.
3. What can you do about it?
Faced with such a blocking notice, the controller or processor has a few options.
The first option is obviously to remedy the infringement within 14 days. In that case, DNS Belgium will lift the redirection, as a result of which the website will be accessible again.
In cases where the controller or processor disagrees with the decision, it should also have a right to appeal the decision. Interestingly enough, the Protocol does not expressly address this point. It can however be assumed that the usual appeal procedure before the Market Court will apply, as it exists for other BDPA decisions.
4. What if the decision is wrongful?
It goes without saying that this measure can have serious consequences for organizations that depend on the use of a website to conduct their business. It therefore begs the question: what if the BDPA's assessment on the alleged infringement of data protection law turns out to be wrongful?
According to the protocol, if the holder of a domain name can demonstrate that the qualification by the BDPA is a fault causing it damage, he can hold the BDPA liable under civil tort law. Interestingly, under the French version of the protocol, this clause refers to the term "erreur", instead of "faute", which could be interpreted as a "mistake", a seemingly broader concept than "fault" under Belgian civil tort law.
The consequences of the application of Belgian tort law should not be underestimated. This would mean that the BDPA could be held liable to compensate the affected party for all foreseeable damage caused by its "fault".
5. Cause for concern?
Considering the far-reaching effects for rights holders, especially when they are permanently deprived of their right to use a domain name (which is a possible outcome of this procedure), this protocol raises several serious questions.
First, there seems to be an obvious issue around the rights of defence in cases where the Inspectorate would order a website to be taken down, considering that the defendant would not have had the right to be heard and that the Inspectorate would act as both prosecutor and judge.
Secondly, it is questionable whether the permanent cancellation of a domain name registration following a notice and action ordered by the Inspectorate, can be reconciled with the fact that the Inspectorate is only entitled to take provisional measures which cannot exceed six months.
Furthermore, the fact that DNS Belgium will block the website in parallel with its notice to the controller or processor, implies that a potential appeal lodged by the latter will not prevent the website from being taken down. This is obviously problematic.
Finally, considering the intrusiveness of the measure, one would expect that the conditions to take down a website would be crystal clear. Unfortunately, that is not the case. The threshold and conditions that must be met are not clearly defined and are open to discussion.
Following some consternation on the BDPA's new powers, DNS Belgium has attempted to clarify when the procedure would be used on its website. It states that the BDPA can only use the Notice & Action procedure where, "[r]egardless of an official order of the BDPA, the website continues to process personal data".
DNS Belgium further specifies that there must be a clear link between the website or domain name and the established privacy infringement. "DNS Belgium, for example, will not make an e-commerce website inaccessible because the company committed a breach in the management of surveillance cameras on its premises." Although these clarifications are somewhat re-assuring, they do not resolve all the concerns raised by this Protocol.
It therefore seems unavoidable that the first application of this protocol will trigger a judicial review of its legality. In addition, if the BDPA wants to avoid having to pay substantial damages to the controller or processor whose website was taken down in an unjustified manner, it'd better use this new enforcement power wisely and with restraint.