
21 December 2021

Analysis and Comments on the Cooperation Protocol between DNS Belgium and the Data Protection Authority


Associate lawyer


On December 1st, 2020, a cooperation protocol between, on the one hand, the Belgian Data Protection Authority (“DPA”), and on the other hand, the non-profit organization Domain Name Service Belgium (“DNS”) entered into force in order to monitor the implementation of the Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) by holders of Belgian domain names (.be), to identify abuses in terms of personal data processing, and to sanction any violations on Belgian websites.

Context

A. DNS Belgium

DNS Belgium is an independent non-profit organization established in 1999 with the aim of organizing the registration of .be domain names, making the Internet accessible, and promoting its use.

Despite its crucial role within Belgian Internet traffic, DNS Belgium is not a judicial body. Therefore, the non-profit organization is not authorized to conduct legal assessments of potential violations of the law committed by users of .be domain names.

B. The Data Protection Authority (“DPA”)

The DPA, for its part, is an independent authority responsible for monitoring the correct application of the general principles outlined within the GDPR.¹

In accordance with its legal obligations², the DPA must carry out its missions in consultation with all private and public stakeholders concerned with the protection of the freedoms and fundamental rights of natural persons regarding the processing of their personal data, including DNS Belgium.

The DPA is composed, among other bodies, of a Litigation Chamber and an Inspection Service:

  • The Litigation Chamber is the body of the DPA responsible for administrative disputes. This body is, among other things, competent to order the freezing, limitation, or prohibition of the processing of personal data by an entity.³
  • The Inspection Service, for its part, is the investigative body of the DPA. Its mission is to examine complaints as well as serious indications of violations of legislation regarding personal data.⁴

C. Objectives of the collaboration

The collaboration protocol aims to enforce the Notice & Action procedure described below in order to suspend the dissemination on the Internet of content contrary to the GDPR. To achieve this, DNS Belgium intervenes to provide appropriate technical measures regarding the use of a domain right.

The procedure also aims to ensure the principle of proportionality of the sanction, the fundamental rights of domain name holders, and the security of the DNS Belgium network.

Cooperation at two levels

The protocol establishes cooperation at two levels: cooperation by DNS Belgium with the investigations of the DPA’s Inspection Service, and cooperation in the exercise of a particular procedure called “Notice & Action”.

A. Cooperation with the investigations of the DPA’s Inspection Service

Initially, DNS undertakes to provide the Inspection Service with all information and information materials available to the non-profit organization about .be domain name holders, whenever the Inspection Service deems it useful for its investigative mission.

B. The “Notice & Action” procedure

This procedure, already established in March 2012 within a working group of DNS Belgium, begins with the sending of a notification to DNS Belgium at the initiative of the President of the DPA mentioning the domain name suspected of being in violation of the GDPR.

Upon receipt of this notification, DNS Belgium communicates its content to the holder of the concerned domain name and informs them that their processing is also contrary to the general terms and conditions of DNS Belgium.

In parallel, DNS Belgium implements all appropriate measures to redirect the domain name to a warning page of the DPA, hosted by DNS Belgium. This measure has the effect that the website originally linked to the contested domain name can no longer be visited via said domain name.

In accordance with these general conditions, the holder of the relevant domain name is obliged to comply within 14 days by ceasing the violations; otherwise, DNS Belgium will have the right to permanently delete said domain name.

However, the redirection will be interrupted, and the original website reinstated:

  • If it is established that the domain name holder is not actually in violation;
  • If they have meanwhile complied; or
  • If the DPA requests DNS Belgium to suspend or stop the procedure.

After the expiration of this 14-day period, DNS Belgium sends a reminder to the DPA to verify whether the domain name holder has indeed not complied or if there are new elements calling for a suspension or termination of the procedure.

Then, the DPA informs DNS Belgium whether the domain name should be removed from its network and communicates the decision to its holder. Three scenarios must be considered at this stage of the procedure:

  • Either DNS receives information from the DPA that the holder has remedied the alleged infringements or that, for other reasons, the procedure must be canceled or suspended, or DNS receives no information from the DPA on the matter within 14 days; DNS will then remove the redirection to the warning page and reintegrate the domain name on the net;
  • Or DNS is informed that the domain name holder has taken remedial measures within the 14-day period. Then it will inform the DPA directly within 2 working days. Within a second 14-day period after this notification, the DPA will inform DNS Belgium whether the holder has complied or whether there are other reasons to suspend or cancel the procedure. If so, or if the DPA has not responded within the notification period, then DNS Belgium will remove the redirection to the warning page and reintegrate the domain name on the net;
  • Or the holder has not remedied the alleged legal infringements and the DPA has not requested to suspend or cancel the procedure; DNS Belgium will then maintain the redirection of the domain name to the warning page for a further 6 months. At the end of these 6 months, DNS will attach the contested domain name to one of its temporary domain names and cancel the original domain name. At that time, the original domain name will be in “quarantine” for a period of 40 days, after which it will be released and available for re-registration.

Comments

The analysis of this Protocol calls for several comments.

First, the initiation of the procedure is based solely on the President of the DPA, which suggests that its activation will likely depend on denunciations or complaints from third parties, perhaps even competitors of the concerned domain name holder. Within the protocol itself (article 5), DNS Belgium explicitly admits to being in an uncomfortable position regarding this issue.

Secondly, the introduction and conduct of the procedure do not seem to take the form of an adversarial debate, meaning that the accused domain name holder does not really have the opportunity to explain themselves through a discussion with the Authorities. Indeed, at no point in the procedure does the protocol reserve the right for the domain name holder to be heard or to provide evidence of the legality of their activities. This observation leaves us perplexed about the protocol’s respect for fundamental rights.

Even in the presence of an irregularity under the GDPR, the procedure only allows 14 days for the domain name holder to comply. This particularly short period seems poorly adapted to the reality of the situation. Indeed, depending on the GDPR violation that will be noted, this period may seem extremely short. For example, consider the case of a photographer who publishes thousands of photographs on the Internet, including portraits and images of people. The right to image and the right to privacy, which are also covered by the GDPR, require the photographer to obtain prior consent from the people he photographs not only regarding the taking of the image but also the dissemination of these images on the Internet. Sorting through thousands of photographs published within a 14-day period will likely require significant work.

Furthermore, there is no specific judicial recourse available to the domain name holder to oppose the facts alleged against them. This lack of a second level of recourse may seem disproportionate given the significant consequences that the cancellation of a domain name can have on a company’s visibility on the Internet.

In this case, the only option for the domain name holder will be to turn to the Court of Markets, a division of the Brussels Court of Appeal, which is competent to review administrative decisions of the DPA.

Finally, the protocol seems to limit its scope only to “offenses that cause the greatest harm to the interests to be protected”. As to which GDPR violations fall within or outside this definition, the protocol remains vague and imprecise.

In this regard, it only mentions “offenses deliberately committed by organizations or individuals that violate this legislation and continue their processing of personal data despite the prior injunction of the Inspection Service or the Litigation Chamber to suspend, limit, freeze (temporarily), or terminate it”. Are these the only two situations envisaged by the Protocol, or does it allow for more interpretation? The question remains open and unanswered at this time.

Nevertheless, the emergence of this Protocol is also a good thing in terms of respecting privacy on the Internet. We know how extremely complicated it is today to control websites for compliance with current laws and also their content. Thanks to this collaboration between DNS Belgium and the DPA, we can expect increased compliance with the GDPR and more respect for this fundamental right to privacy.

However, it should be remembered that this Protocol only targets websites with a “.be” suffix, so its application remains strictly limited.

In conclusion, as mentioned earlier, this Protocol has significant consequences for the accused domain name holders, but it also constitutes an additional incentive for respecting personal data. Now, this Protocol calls for a global compliance of Belgian websites, which notably implies a review of privacy policies and, above all, better transparency and communication with Internet users. This need is all the more pressing as the parties to the Protocol aim to extend it to other domain name zones that DNS Belgium also manages, namely .vlaanderen and .brussels.

Frédéric Dechamps, Alicia De Mulder & Adeline Balza, lawyers at Lex4u.

Notes

  1. The DPA was created in 2017 by the law of December 3, 2017 establishing the Data Protection Authority, hereinafter referred to as “LCA”.
  2. Article 52 of the law of December 3, 2017, known as the “LCA”.
  3. Article 58 of the GDPR and Article 100 of the law of December 3, 2017, known as the “LCA”.
  4. Article 52 of the law of December 3, 2017, known as the “LCA”.
