In a decision handed down on 19 February 2020 and published only today, the Belgian Market Court has quashed a previous decision by the litigation chamber of the Belgian Data Protection Authority (BDPA) in relation to the use of the Belgian electronic identity card (called "eID") as a means of obtaining a loyalty card at a liquor store.
The decision of the Market Court (only available in Dutch) is interesting in that it covers a range of topics, albeit not always in a manner one might have expected.
How far do the Market Court's powers go?
According to the Act creating the BDPA, the Market Court (in Brussels) has "full jurisdiction" over appeals against the decisions of the BDPA's litigation chamber, the body within the BDPA that has the power to hand down fines.
Before the Market Court, the question of the precise extent of this jurisdiction arose, because the liquor store owner requested the Market Court to quash the fine (and order reimbursement by the BDPA of the fine) and (i) say that there was no infringement and close the case or (ii) in the alternate (i.e. if the Market Court did not agree that there was no infringement), to replace the fine with a reprimand, i.e. a lighter sanction.
According to the BDPA, though, this went beyond the scope of the Market Court's authority.
The Market Court examined this argument in depth and, quoting various sources including the GDPR itself (in particular its Article 78 and its references to "effective judicial remedy"), concluded that its authority is not limited to confirming or annulling the decision of the BDPA's litigation chamber, but also extends to the power to order any sanction of its own choosing (e.g. a reprimand rather than a fine), provided this complies with the rights of defence.
Was a fine justified for forced eID use to get a loyalty card?
Next came the actual question: was the liquor store rightfully fined for requiring a customer to provide her eID in order to offer her a loyalty card?
Surely it must be excessive!
First, the Market Court looked at whether requiring an eID is excessive in the context of offering a loyalty card.
The discussion on this point is largely focussed on a change of law that occurred in Belgium not long after the initial complaint.
The complaint underlying the whole case was sent to the BDPA on 28 August 2018. On 23 December 2018, a new law (voted in the Belgian Parliament on 25 November 2018) came into effect that made the use of the eID easier in certain circumstances, but also specifically stated that "where an advantage or service is offered to a citizen via his electronic identity card in the framework of an IT application, an alternative that does not require the use of the electronic identity card must be offered to the relevant person" (rough translation).
Yet this new legal provision was precisely what the BDPA's inspection service had used as a basis for its assessment of the liquor store's system, and the BDPA's litigation chamber had taken its decision on the same basis.
The Market Court moreover mentioned that "it had not been demonstrated" (read: by the BDPA) that at the time of the complaint such an alternative had to be offered.
Finally, the Market Court noted that in this particular case, the data subject (the plaintiff) had not given her eID card – in other words, there was no processing of her personal data.
The Market Court considered that the BDPA made two unproven assumptions:
In other words, the Market Court concluded that the BDPA was wrong to consider that the processing in this particular case was excessive.
Surely that consent is not freely given!
The BDPA's litigation chamber devoted considerable attention to the conditions for consent to be valid under the GDPR. Some of its arguments are useful to see how the BDPA applies the rules on consent:
"[…] if a data subject does not have any actual choice, feels forced to give consent or it will have negative consequences for him/her if he/she does not give consent, the consent in question is not valid. If consent is added as a non-negotiable part of conditions, it will be presumed not to have been freely given. As a result, consent is not deemed to be freely given if the data subject cannot refuse or withdraw his/her consent without detrimental consequences. As in the present case the plaintiff, and by extension all customers, could only benefit from discounts by way of their electronic identity card, and because the [liquor store owner] does not offer any alternative whatsoever for the creation of a loyalty card in order to enjoy this benefit, it is clear that one cannot speak of free consent in this case." (rough translation)
However, the Market Court rejected this argument, simply considering that:
Conclusion of the Market Court: no infringement proven, and fine insufficiently justified
The Market Court concluded that the BDPA's litigation chamber does not sufficiently justify its decision, notably because the arguments made by the BDPA are sometimes in contradiction with the facts and the then applicable legislation.
For this reason, it quashed (cancelled) the decision of the litigation chamber.
The Market Court also criticised the BDPA's litigation chamber for not justifying the amount of the fine it had imposed, considering that "in the absence of a clear qualification and quantification of the potential sanctions in a publicly available document [made public by the BDPA] before any specific complaint" (emphasis ours), the BDPA had to provide clear justifications as to why (in this particular case) a sanction other than a fine of 10.000 EUR would have been insufficient to stop the infringement. This element will likely be very useful to organisations currently facing proceedings before the BDPA's litigation chamber, and may force the BDPA to adopt transparent guidelines on fines.
Does this mean organisations can force the use of eID cards to obtain a loyalty card?
No, this decision does not state that. Instead, the Market Court's decision contains many elements that suggest that as from 23 December 2018, the rules were clearer and the case would have led to another conclusion.