GDPR infringements might lead to block .be-websites

The Belgian Data Protection Authority (BDPA) and DNS Belgium, responsible for the registration and management of all .be domain names (as well as .vlaanderen and .brussels domain names), have concluded a cooperation protocol that allows .be websites to be taken offline for GDPR infringements. 

The cooperation protocol is available in Dutch and French.

Cooperation in two areas

1. Cooperation in investigations by the BDPA Inspection Service

The cooperation protocol stipulates that DNS Belgium is to report to the BDPA Inspection Service:

• all information at itsdisposal, whenever the Inspection Service of the BDPA deems it useful for its task of investigation as laid down in the Act of 3 December 2017 establishing the Data Protection Authority,
• any information carriers for inspection and provide copies of them in any form whatsoever, if the BDPA Inspection Service deems them useful to it as defined in the Act of 3 December 2017.

If this information forms part of an ongoing investigative or judicial investigation, the cooperation protocol provides that it will be provided only with the prior authorisation of the public prosecutor or the investigating judge.

2. Notice & action procedure (N&A procedure)

Existing collaborations 

DNS Belgium already has existing and similar collaborations, for example with the FPS Economy. As a result, fraudulent websites, such as fake webshops, fake collection agencies or phishing websites, can be blocked very quickly. According to DNS Belgium, no fewer than 5,733 domain names were blocked in 2019.

The simplified N&A procedure, which complements other DNS Belgium procedures, allows fraudulent websites with correct identification data (or identification data that could not be proven to be false) to be blocked without theneed for a request to the public prosecutor. This can save a few weeks. 

The intention is that this N&A procedure should only be applied to serious infringements. The registrant also has a period of two weeks in which to respond. Only after six months will the blocked domain name expire. 

BDPA now joins the N&A procedure

The protocol of cooperation between DNS Belgium and the BDPA, applicable since 1 December 2020, also allows the BDPA to make use of a similar N&A procedure in case of breaches of the GDPR. 

However, the scope ofthe N&A procedure is limited to serious infringements, i.e.: “infringements which most seriously harm the interests to be protected, committed by organisations or individuals who knowingly infringe this legislation and yet continue to process personal data, even though the Inspection Service or the BDPA's Dispute Chamber previously ordered them to suspend, restrict, freeze or halt (temporarily) the processing of personal data.” (free translation and own emphasis)

It must therefore be an infringement:

• that is serious (i.e. the fundamental data protection principles),
• is committed intentionally, and 
• continues despite an order to (temporarily) suspend, restrict, freeze or halt the processing.

According to the cooperation protocol, a limitation of the scope of the N&A procedure is necessary in order to maintain a fairbalance between:

• on the one hand, the objective of putting an end to violations of the fundamental principles of the protection of privacy in the interests of citizens, and
• on the other hand, the use of the necessary technical means by DNS Belgium to meet this objective.

Procedure

The BDPA can send a request by e-mail to DNS Belgium to have a certain .be domain name blocked. DNS Belgium will then notify the registrant and have the domain name redirected to a BDPA warning page. 

The registrant then has two weeks to react and take remedial action. Within the framework of the cooperation of the FPS Economy, domain name holders almost never make use of this possibility, according to DNS Belgium. This would indicate that most of them are in fact fraudsters. 

Open questions

For the BDPA, the N&A procedure is an additionalinstrument toquickly put an end to serious GDPR infringements. Nevertheless, it does not affect the processing of personal data already collected via the website. 

There are also a number of open questions:

• Which infringements are sufficiently serious for the application of the N&A procedure?
• Will websites that violate the cookie rules also be blocked?
• Does the blocking also have an impact on a possible administrative fine?
• What about the lost revenue in the event of unjustified blocking (the cooperation protocol stipulates that the BDPA - not DNS Belgium - will be responsible for any incorrect qualification of the infringement)?
• Should there be a direct link between the website and the GDPR infringement (e.g. can a website be blocked for a breach of camera legislation)?
• What will be on the BDPA warning page?

The cooperation protocol also includes a commitment to extend cooperation to the domain name zones .vlaanderen and .brussels in the future.

We will keep you informed of developments. 

Has your organisation's website been (unjustifiably) blocked? Or do you have other questions about data protection or cookies? Please contact us. You can also follow us on LinkedIn.