25/12/20

A Christmas "present": say hello to penalty fines in Belgium for GDPR infringements

On 23 December 2020, the Belgian DPA published two documents in relation to the Litigation Chamber's approach to decisions on GDPR infringements: one policy in relation to penalty fines [i.e. fines per day of non-compliance after an order to comply], and one policy in relation to the publication of decisions.

These policies are of great interest to us as lawyers, because these policies help us better anticipate how the Litigation Chamber will handle cases in the future (and therefore, how we should advise and defend our clients).

But what do they mean for you and your organisation?

In summary, know that there are now clear rules on what the maximum amount would be for a penalty fine (dwangsom / astreinte), i.e. fines due by your organisation if (i) in a decision on the merits, the Litigation Chamber orders your organisation to adapt processes, respond to a data subject request, etc., and (ii) your organisation fails to do so by the deadline set by the Litigation Chamber. This could be 25.000 EUR per day or 5% of the average daily worldwide turnover (whichever is higher). This amount would not be applied all the time, but the Litigation Chamber would in any event not go beyond that (high) threshold.

Moreover, as a rule, any GDPR infringement decision concerning your organisation will be published by the Litigation Chamber, but your organisation will only be named in exceptional cases (e.g. because full publication is a sanction in and of itself, because there is a public interest in the identity of the organisation being identifiable, etc.).

If you would like more details, read on. Otherwise, bookmark this text for when you need to discuss risks regarding proceedings before the Litigation Chamber (along with our data protection litigation newsletter of October).

a) Penalty fines

The first policy, on penalty fines (dwangsommen / astreintes), sets out the maximum fine that could be taken into account by the Litigation Chamber if after a given period of time, the controller/processor has not complied with an order by the Litigation Chamber (e.g. an order to respond to a data subject request, to modify or cease a processing activity, etc.).

The Belgian Act creating the Belgian DPA explicitly foresees the power of the Litigation Chamber to impose penalty fines, but there were previously no rules on how and when such penalty fines would apply. The policy appears to be an attempt to remedy this. 

This is not a policy on fines for non-compliance, given that it only concerns penalty fines. The policy moreover explicitly states that "[a]s a general rule, the Litigation Chamber does not impose any penalty fine in the event of an order to pay an administrative fine on the basis of the GDPR" (though in our experience, using the terms "as a general rule" implies that there may be some exceptions).

According to the Litigation Chamber, penalty fines will be calculated as follows:

Frequency: an amount per "time unit" (the default option), a lump-sum amount or an amount per infringement;
Amount: the maximum amount of the penalty fine for legal entities will be (i) 25.000 EUR per day or (ii) 5% of the average daily turnover (based on the total worldwide turnover in the previous financial year) per day of delay as from the day set in the decision, whichever is higher. A separate maximum applies to natural persons.

This does not mean that this amount will be foreseen in all decisions – it is a maximum penalty fine, after all. However, it does suggest that the Litigation Chamber will now start regularly using penalty fines as an additional means of pressure on organisations. 

Because of case law of the Market Court, a division of the Brussels Court of Appeal that hears appeals against Litigation Chamber decisions, the policy explicitly states that any intention to impose a penalty fine as well as the amount and frequency of the fine will be mentioned in the "fine proposal" document the Litigation Chamber makes available prior to finalising its decision. This will allow the organisation to react in writing within three weeks (for more explanations on this aspect of Litigation Chamber proceedings, see our newsletter on data protection litigation).

It remains to be seen how this policy will fare before the Market Court, in particular given the fact that there remain questions as to the Litigation Chamber's power to enforce its own decisions.

This penalty fine policy is available in French and in Dutch.

b) Publication of decisions

Over the past year, we have noticed an evolution in the Litigation Chamber's practice to publishing decisions.

At one point, a decision against one of our clients was published within just a couple of hours after we (as external counsel and main contact for the proceedings) had received a copy – leaving us barely any time to examine the decision, let alone discuss with our client what to make of it. Since then, and after making some suggestions regarding timing of publication, we have noticed a greater lapse of time between the date of the decision and publication thereof. The new policy on decision publications does not address the issue of timing of publications, but it does say that "all of [the Litigation Chamber's] decisions, with limited exceptions, will be published on its website, with a view to the general objective of transparency, but also visibility and accountability".

One issue with publication of decisions is identification of the relevant parties. To illustrate, the decision we mention above was poorly anonymised, as a result of which it was possible to find our client's identity by looking at certain document titles (not everyone has an "ABC Privacy Charter" with a section X.Y concerning a specific topic), e-mail links ("mailto:" hyperlinks left in the text), etc. It was fortunately possible for us to obtain re-publication of a properly anonymised version of the decision within just a few hours. Since then, we had had to repeat this "verification, further anonymisation and re-publication" process a few times (and have even suggested anonymisation improvements in cases we did not handle, but where re-identification was possible). Overall, though, the quality of the Litigation Chamber's anonymisation has improved over the past few months. 

The decision publication policy confirms that de-identification will be the rule, but it states (likely because of the number of times the press, other data protection professionals and ourselves have been successful at re-identifying an organisation) that "[t]he Belgian DPA cannot be held liable for these re-identifications".

Again, though, where there is a "rule", there can be exceptions, and the Litigation Chamber states clearly that the identity of the relevant organisation may be published in certain cases, such as the following examples that we have already encountered:

"Publication is imposed as a sanction" (in practice, this can sometimes be anticipated if a "fine proposal" document mentions the concept of "gross negligence")
The organisation "requests that its identity be retained in the decision" (though we doubt this will often be requested in the case of negative decisions)
"Identification of the legal entity is a matter of public interest" (the Litigation Chamber has already used this argument to reject anonymisation requests in certain cases regarding large organisations that are well-known to the public or play a key role in day-to-day life)

An interesting novelty is the reference to listed companies: because decisions might contain information that can affect the share value of listed companies, the Litigation Chamber is prepared to take this factor into account, but it would then enter into contact with the Belgian Financial Services and Markets Authority (FSMA).

It is in our view unfortunate that the Litigation Chamber did not commit to a specific minimum timeframe before publication, so as to allow the organisation itself (and its counsel, where relevant) to take stock of the decision before anyone else sees it, but we hope the Litigation Chamber will continue to take these considerations into account. 

This publication policy is available in French and in Dutch.

In general, these policies underline the importance of having a good data protection strategy in place, so limit your organisation's risks in relation to potential infringements and investigations by regulators. So if you are not yet fully confident in this respect, put this item high on your agenda for 2021. In the meantime, stay safe and have a merry festive season. 

dotted_texture