25/05/20

Belgium: what has GDPR year 2 taught us, and what will come next?

Today is GDPR Day – two years ago, the GDPR became applicable. When 25 May 2018 came about, the world did not end, nor were there dawn raids by data protection authorities in every corner of the European Union. Instead, what followed was a steady trickle of cases being taken up by data protection authorities, in parallel with the gradual adoption of guidance at both national and EU level.

With two years of enforcement and interpretation behind us, it appears useful to review the main teachings of the Belgian Data Protection Authority (BDPA) over the past twelve months – and look at what the third year will probably hold in store.

1. Guidance and case law of the BDPA

As the BDPA was fully formed only in April 2019, 2019-2020 was in reality the first year of proper enforcement of the GDPR in Belgium.

Between April and July 2019, the Litigation Chamber adopted a handful of decisions, most notably two sanctions for local politicians for their misuse of personal data for electoral reasons.

The first standout decision, however, was the Litigation Chamber's decision of 17 September 2019 by which it imposed a fine of 10.000 EUR upon a merchant who only gave out loyalty cards after reading customers' electronic identity card. The appeal against that decision proved to be significant for Belgian data protection law, as the decision of 19 February 2020 of the Belgian Market Court forced the Litigation Chamber to better justify fines. Analysis of the decision on appeal: Your ID for a loyalty card: no data protection fine in the end?

Afterwards came the cookie-related decision of 17 December 2019, which resulted in a fine of 15.000 EUR for issues regarding both transparency (information to provide to website users regarding the use of cookies, and how to provide that information) and consent (which cookies require consent, how to obtain it). This decision was the Litigation Chamber's first decision on cookies, and the fine represented nearly 1% of the organisation's turnover. Analysis of the decision: Cookies: Merry Christmas? New decision by litigation chamber of the Belgian data protection authority

The cookie decision was not appealed, but it was followed two months later by extensive guidance by the BDPA on direct marketing (nearly 80 pages long). This guidance included further considerations regarding cookies – themselves supplanted later by a dedicated "Cookies" set of guidance (see hereunder) – but also covered a range of other topics, in particular:

  • What is direct marketing?
  • Controller vs processor, and reliance on social media terms of use
  • Using data brokers
  • Purposes of processing: "for direct marketing purposes" too vague?
  • Right to object vs unsubscribe option

Summary of the guidance: Want to reach your customers or prospects? Important new direct marketing guidance in Belgium

On 21 February 2020, two days after the aforementioned Market Court decision on fines, the Litigation Chamber handed down a decision on a case involving two ex-employers sharing information regarding an employee. In its decision, the Litigation Chamber stated that the GDPR does not apply to oral disclosures of personal data, and it also offered insights into its interpretation of "legitimate interests" as a legal ground, in particular the legitimate interest in defending oneself in the context of present or possible litigation. Analysis of the decision: Ex-employers sharing dirt on an employee: no fine under data protection law if done orally?

On 9 April 2020, as an Easter gift, the BDPA published detailed guidance on cookies. This guidance included input on the (valid and prohibited) means of obtaining consent, what types of cookies require consent and which do not, and what type of information a cookie banner and a cookie policy must include. Summary of the guidance: Freshly baked cookie guidance from Belgian Data Protection Authority

On 15 April 2020, the Litigation Chamber handed down a decision in relation to a municipality. Although it contained specific considerations only relevant to public authorities, most elements in the decision are relevant to all organisations: the scope of an investigation by the BDPA, transparency (information, but also joint controllership aspects), the register of data processing activities and even the role of the data protection officer (DPO). Analysis of the decision: When the Belgian DPA comes knocking, who knows what it might find (or fine)

The topic of the DPO's role took on a more central position in the Litigation Chamber's teachings through a second decision on the topic, this time with a 50.000 EUR fine attached (a decision of 28 April 2020). The combination of these two decisions created insights into what the Litigation Chamber tolerates – and what it prohibits – in relation to the status of the DPO (internal or not?), the selection of the DPO, the tasks of the DPO and his/her position within the organisation. Analysis of the DPO-related decisions: You may need a new DPO, according to the Belgian Data Protection Authority

On 19 May 2020, the Litigation Chamber handed down two new decisions of note, each with a 50.000 EUR fine attached. Both decisions touched upon the issue of legal grounds (in particular consent and legitimate interests), and the combination makes for interesting lessons in relation to the processing of health-related data, the use of "invite/tell-a-friend" functionality, whether to publish a DPIA and what to check in a privacy statement. Analysis of the decisions: Belgium: two new fines for tell-a-friend and health-related GDPR violations

2. A few things to expect from GDPR year 3

One of the key events of the third year of GDPR will likely be the "Schrems II" judgment, expected on 16 July 2020, in which the Court of Justice of the European Union (CJEU) will consider (whether to decide upon) the validity of the EU-US Privacy Shield framework and of the so-called "standard contractual clauses" prepared pre-GDPR by the European Commission. In an Opinion of 19 December 2019, the Advocate General Henrik Saugmandsgaard Øe concluded that there were doubts regarding the validity of the Privacy Shield framework, but that the standard contractual clauses could be valid subject to specific process-related conditions. The judgment of the CJEU will likely have significant repercussions on data protection law, whether through the creation of a legal construction to maintain the validity of the standard contractual clauses (and possibly of Privacy Shield) or through the invalidation – possibly overnight – of these mechanisms.

Various other data protection cases are pending before the CJEU, including the M.I.C.M. / Telenet case, which relates to the balance between data protection and privacy on the one hand and the enforcement of intellectual property rights.

From a more Belgian perspective, the majority of the decisions of the Litigation Chamber stem from complaints by data subjects and not inspections on the BDPA's own initiative, likely due to staffing and budgetary concerns. This will perhaps remain the case in the immediate future. However, the scope of BDPA investigations is not limited to the scope of a complaint, as the Litigation Chamber confirmed in various decisions. This may require organisations to improve their "first response" processes in case of a request from the BDPA. 

In terms of fines, it is possible that the level of fines will increase beyond 50.000 EUR (an amount that has been applied three times over the past month), although the Market Court's decision of 19 February 2020 will give the fined organisation arguments to challenge such a fine if they consider that the fine is disproportionate or that the justification for the fine is inadequate.

2020-2021 will also likely be marked by an increase in attention by the BDPA to SMEs and general awareness of the practical consequences of the GDPR for organisations both large and small. While this will not likely lead to significant enforcement, the BDPA's aim is to increase awareness and facilitate compliance by SMEs, including in terms of mandatory documentation. For this reason, the BDPA is set to simplify its own forms (notably for data breach notifications) and to publish certain tools. It remains to be seen which tools precisely this will be, and whether they will be useful for SMEs only or also for larger organisations. 

More generally, whatever the third year of GDPR brings, ensure that your organisation continues to work towards compliance. Also bear in mind the interpretation given by the BDPA to the GDPR, for if you disagree with that interpretation, you may rapidly need to justify that position.

dotted_texture