News and developments

Two-tier System of Cooperation for Effective Enforcement of GDPR

On November 26, 2020, the Belgian Data Protection Authority (DPA) and DNS Belgium, the organization managing the “.be” domain, signed a cooperation agreement. This cooperation agreement enhances the Belgian regulatory framework by establishing a two-tier system.

What is the two-tier system of cooperation?

The purpose of the cooperation is to allow DNS Belgium to suspend “.be” domain websites that are linked to infringements of the EU General Data Protection Regulation (GDPR). The GDPR requires Member States to comply with its rules on data collection and processing. Belgium relies on the DPA for the enforcement of the GDPR. The new two-tier system requires the following:

1. DNS Belgium must provide the DPA with the relevant information it requires for its investigations; and

2. Where very serious and deliberate infringements of the GDPR are concerned and the offending website does not suspend or end the infringing activity to comply with the DPA’s order, the DPA may serve a “Notice and Action” notification to DNS Belgium. Upon receipt of the notice, DNS Belgium will redirect the visitors of the website to a warning page under the DPA that informs them of the violation in question.

This measure will be in place for 14 days. If the offending activity is not corrected by the end of the 14 days, the website will be cancelled and placed in quarantine for 40 days, after which it will become available for registration again. If the website owner takes remedial action within the 14 days, the website owner can inform the DPA of the actions taken. If the DPA approves the measures taken, the relevant domain name will be restored.

Strict criteria need to be fulfilled for the above procedure:

1. the processing needs to be exercised via a website linked to a “.be” domain;

2. the processing needs to be a serious and deliberate breach of the GDPR;

3. the responsible controller or processor did not comply with the official order of the DPA to suspend, limit or freeze the data processing; and

4. the DPA has exhausted all other measures to stop the infringement and the “Notice and Action” notification is used as the final resort.

What is the effect of the new rules?

By involving DNS Belgium in the enforcement of the GDPR, the DPA has a greater variety of tools to aid its regulatory powers. Rather than relying on blunt fines or bans, the DPA may reliably seek out information from the websites before considering harsher options like the “Notice and Action” notification. The ability to seek out information will also help potential litigation led by the DPA for serious harm committed under the GDPR by providing evidence.

Can the two-tier system be applicable in Cyprus?

Such a system of cooperation is likely to be helpful for Cyprus’ data regulator, the Commissioner for Personal Data Protection (the Commissioner). The “.cy” domain, the Cypriot counterpart to “.be”, is administered by nic.cy. It is open to the Commissioner to pursue such an agreement with nic.cy, but this depends on whether the main mechanism for enforcement is sufficient. The Commissioner has the power to impose corrective measures such as fines or compliance orders, or to refer cases to the Police. The introduction of domain registries like nic.cy to the regulatory framework may be useful if the volume of GDPR violations is too high and costly for the Commissioner to continue pursuing or the Commissioner requires relevant information for its investigations.

DNS Belgium touts itself as a “cybersecurity pioneer” and keeps its visitors up to date with GDPR news. The collaboration between the Belgian DPA and DNS Belgium is thus a reasonably foreseeable one given the latter’s evident knowledge of and compliance with the GDPR. How the cooperation will be useful to the enforcement system is yet to be seen. However, the collaboration between the Belgian DPA and DNS Belgium can be taken as an example to be applied in Cyprus.

It should be noted that, considering the potential impact of the measure on the website owner, including heavy penalties, a careful and meticulous application of the procedure is clearly required.