GDPR Enforcement in Belgium: Trends & Risks
4 January 2022
Bird & Bird (twobirds.com)

Contents
Introduction
Enforcement by the BDPA
• Who are the defendants before the BDPA?
• Which GDPR provisions did the BDPA enforce?
• Which sanctions did the BDPA impose?
• How high are the fines?
Court of Appeal
• Competences
• What is the rate of and grounds for annulment?
Conclusion: Trends & Risks

Introduction

Three years into the GDPR, we see that the number of decisions and sanctions from the Belgian Data Protection Authority (BDPA) is significantly on the rise. The same goes for the number of appeals lodged against those decisions. As a consequence, we are now able to identify some initial GDPR enforcement-related risks and trends.

Since the commencement of its duties, the BDPA has been increasingly active in the exercise of its supervisory powers.[1] In doing so, it has relied on Article 58 of the GDPR, which offers supervisory authorities a broad range of sanctions to enforce GDPR violations, with the intention to address violations of varying severity. The lightest sanctions which may be incurred by defendants are warnings or reprimands, while the GDPR also provides for more severe sanctions which present a greater risk for the defendant, such as:
• the suspension of data processing;
• the temporary or permanent limitation or prohibition of processing; or
• administrative fines which, for some violations, may be as high as 20 million EUR or up to 4% of the total worldwide annual turnover in the case of an undertaking.

However, beyond sanctions imposed by supervisory authorities, defendants should also bear in mind that GDPR enforcement procedures present a significant risk of reputational damage, including associated financial costs, e.g., due to a loss of consumer trust.

With regard to these stakes, the purpose of this document is therefore to analyse how the BDPA has enforced the GDPR since its entry into force and to identify initial risks and trends in relation to enforcement of the GDPR in Belgium.[2] We will do so based on our analysis of all decisions on the merits taken and published by the BDPA on its website between 2018 and 2021. The number of examined decisions currently stands at 86.[3] The results are presented below and are supported visually by graphs. We hope you will find the results insightful, and we wish you a compelling reading.

Enforcement by the BDPA

Who are the defendants before the BDPA?

The pie chart shows that in almost 30% of the published decisions on the merits, the defendants were companies. By adding SMEs[4] to this total, the number rises to 45%. What may be more surprising is that, in quite an important number of decisions, totalling 42% of decisions altogether, defendants were either (i) individuals; (ii) governments; or (iii) non-profit organisations.

Furthermore, looking at the sectors represented by defendants in decisions of the BDPA, Chart 1 shows that the defendants are most often active in the healthcare or the public sector, in 11 cases each.[5] Financial institutions, such as banks and insurance companies, take the third place, with 10 decisions taken against them. Further down the list, we find a relatively high number of decisions taken against politicians, often in the framework of elections.[6] The number of other categories on the chart highlights that defendants are active in a great diversity of sectors. Interestingly, we note that there is only a moderate number of defendants active in sectors related to the digital economy, such as the digital, IT, media and advertising, and telecom sectors.[7] This is slightly lower than expected given that the BDPA has deemed data protection online and the media and telecom sectors to be enforcement priorities.[8]

Considering the above, we can see that:
• the profile of defendants is quite diverse, both in terms of nature and sectors of activity;
• enforcement is not limited to the private sector since a high number of defendants are individuals, governments, or non-profit organisations; and
• in the private sector, the largest group of defendants are in the insurance and banking sector.

Which GDPR provisions did the BDPA enforce?

Going through all published decisions on the merits and counting all violations of GDPR provisions sanctioned by the BDPA allowed us to identify which provisions were frequently enforced and which ones were less enforced.

The provisions most frequently enforced by the BDPA are related to:
• legal grounds[9];
• transparency and information[10];
• data subject rights[11], such as the right of access, to rectification or to be forgotten; and
• the following data protection principles:
  – purpose limitation[12];
  – data minimisation[13]; and
  – accountability[14].

It should be noted that some of the GDPR provisions enforced frequently by the BDPA - especially Article 5 on data protection principles and Article 6 on legal grounds - constitute the basis of the entire GDPR. It is therefore neither illogical nor surprising that violations of these provisions are often sanctioned.

However, what may be more surprising is to see that some provisions under Articles 5 and 6 GDPR were enforced significantly more than others (e.g., some data protection principles, see below). Whether it was a deliberate intention of the BDPA to focus on enforcing basic provisions of the GDPR first, or whether the cases brought before the BDPA simply called for enforcement of these provisions due to the maturity and GDPR compliance level of defendants, only the future will tell.

Conversely, the provisions which the BDPA enforced less frequently are related to:
• EU representatives[15] and international transfers[16], which have not yet been sanctioned;
• the following data protection principles:
  – accuracy[17];
  – storage limitation[18];
  – integrity and confidentiality[19];
• several governance-related requirements, such as the ones relating to:
  – contractual relationships with processors and joint controllers[20];
  – data protection impact assessments[21];
  – data protection officers[22];
  – records of processing activities[23];
  – personal data breaches[24];
• provisions on the processing of special categories of personal data or personal data relating to criminal convictions and offences[25];
• security[26] and privacy by design and by default[27].[28]

Which sanctions did the BDPA impose?

Once the BDPA establishes a violation, it is authorised to impose a wide variety of sanctions. Chart 2 illustrates the number of times each type of sanction was imposed by the BDPA, with the caveat that in some cases, multiple sanctions were imposed at the same time. As you may notice, in the highest number of cases (46x), the BDPA only issued a warning or a reprimand.[29] More impactful, obviously, is the sanction which was imposed the second most frequently (32x), namely an administrative fine.[30] Another fairly frequent sanction was the order to bring the processing into compliance[31] (26x), which may not seem very surprising, but can nonetheless have significant operational and business consequences for the defendant. This is followed by the sanction of publishing the non-anonymised decision on the BDPA's website[32] (14x). This sanction could be particularly damaging if the decision is subsequently picked up in the media, since it could result in reputational damage.

Sanctions which have been imposed relatively less frequently are:
• the order to comply with data subjects' requests[33] (8x);
• the order to rectify, restrict or erase data[34] (6x); or
• the order to freeze, limit or prohibit the processing[35] (5x).

Furthermore, complainants may regret the fact that in rather few cases (5x), no sanction was imposed at all despite violations being found. In addition, it should be pointed out that a few types of sanctions, which the BDPA is nonetheless allowed to impose, have not yet been imposed.[36]

How high are the fines?

Regarding the height of administrative fines - potentially the most impactful sanction - defendants may be relieved to learn that until now, fines imposed by the BDPA have been rather low, at least when looking at it from an international perspective[37] and considering the maximum fine amounts provided by the GDPR[38]. More precisely, as Chart 3 shows, the average of the 31 administrative fines imposed is €20,161 and the median €10,000, with two fines of €100,000 and €75,000 raising the average.[39]

Apart from the rather low amount of the average fines, another point of attention is the proportionality of the fine to the size and turnover of the defendant. Some organisations which were imposed a fine of €50,000 generate several billion euro in turnover.[40] On the other hand, Chart 3 also clearly shows that five private individuals were imposed a €5,000 fine.[41] Thus, the question can be raised as to whether administrative fines are still proportionate and dissuasive in such cases[42], given that some organisations generating several billion euro in turnover were only fined €50,000 and have significantly greater resources at their disposal.

Court of Appeal

Competences

Once the BDPA issues a decision, parties may naturally disagree with the findings and exercise their right to lodge an appeal with the Brussels Court of Appeal. In this respect, it is important to note that the appeal against decisions of the BDPA with the Court of Appeal is not a classic appeal. As such, the entire case will not be retried before the Court of Appeal, and the Court will not take an entirely new decision as to the law and facts of the case.[43] The procedure before the Court of Appeal is rather a form of judicial review in the sense that the Court will assess whether the decision taken by the BDPA was lawful. More precisely, it will assess four elements, namely whether:
• the BDPA was competent to take the decision;
• the decision was based on accurate, relevant and legally admissible grounds of fact and law;
• the essential forms have been respected; or
• the decision does not contain a manifest error of assessment or the sanction is not manifestly disproportionate.

In case the answer to any of these assessments is "No", the Court of Appeal will annul the decision of the BDPA. However, as mentioned above, the Court will in principle not take an entirely new decision, nor entirely substitute itself for the BDPA. The only exception where the Court of Appeal may nonetheless substitute itself for the BDPA is in relation to the sanction, in which case the Court of Appeal is fully competent to amend the sanction if it believes it was manifestly disproportionate.

The annulment of the BDPA decision by the Court of Appeal may mean the end of the procedure, but it does not always prohibit the BDPA from issuing a new decision, meaning that defendants may end up before the BDPA once again.[44] In the latter case, the BDPA will obviously have to remedy what went wrong during the initial procedure or refrain from taking the same course of action.[45] Moreover, in some cases the BDPA was ordered by the Court of Appeal to take a new decision.[46]

What is the rate of and grounds for annulment?

The graph shows that a remarkable 77% of admissible appeals against final decisions on the merits of the BDPA[47] led to the annulment of the decision of the BDPA. By far the most frequently cited reason that led the Court of Appeal to annul BDPA decisions is the failure to sufficiently motivate (state reasons for) the decision. This has been the reason for annulment in 8 judgments of the Court of Appeal.[48]

In some cases, the Court of Appeal may mention further reasons why it decides to annul BDPA decisions, such as:
• a manifest error of assessment by the BDPA;[49]
• a violation of the principles of good administration by the BDPA, including the principle of precaution;[50]
• a lack of GDPR violations by the defendant;[51] or
• an abuse of power or lack of competence of the BDPA.[52]

The high rate of annulment may indicate that the BDPA has had some difficulties developing and implementing a procedure which sufficiently guarantees defendants' right to a fair trial. Indeed, because the Belgian Judicial Code is not applicable to the procedure before the BDPA and the BDPA Act is quite succinct on the matter, the BDPA must resort to the principles of good administration to fill the legislative void and shape the procedure before its Litigation Chamber.

Conclusion: Trends & Risks

Based on the analysis detailed above, the following first GDPR enforcement-related trends and risks in Belgium can be identified.

First, as regards the profile of the defendants, we can see that:
• the profile of defendants is quite diverse, both in terms of nature and sectors of activity;
• enforcement is not limited to the private sector since a high number of defendants are individuals, governments, or non-profit organisations; and
• in the private sector, the largest group of defendants are in the insurance and banking sector.

Second, we have found that some of the most frequently sanctioned GDPR articles are the ones relating to:
• legal grounds;
• transparency and information;
• the data protection principles, notably the purpose limitation, data minimisation and accountability principles; and
• data subject rights.

Third, we have found that fines imposed by the BDPA are not very high on average, and that they are not always proportionate to the size and turnover of the organisation. For example, some organisations which were imposed a fine of about €50,000 generate a multibillion-euro turnover. However, please be aware that a risk of outliers does exist, such as the (now annulled) €600,000 fine imposed on Google.

Fourth, it is important to bear in mind that the appeal procedure against the decisions of the BDPA is only a judicial review, not a classic appeal. Although the chances of success for defendants are high and the Court of Appeal is annulling quite a lot of decisions of the BDPA, there are clear limits to what the Court of Appeal can do. As such, it in principle cannot substitute itself for the BDPA and issue a completely new decision.

Finally, we would like to stress that, as a rule of thumb, it is difficult to get around the BDPA, since it is the only enforcement body in Belgium with full power of interpretation over the GDPR. In addition, even after lodging an appeal against a decision of the BDPA, you may once again find yourself before the BDPA.

Charts
Chart 1 – Sectors of the defendants
Chart 2 – Outcome of decisions and sanctions imposed
Chart 3 – Amount of the administrative fines

Contacts
Benoit Van Asbroeck, Partner, Tel: +32 2 282 6067, [email protected]
Simon Mortier, Associate, Tel: +32 2 282 6082, [email protected]
Lisa Gius, Associate, Tel: +32 2 282 6094, [email protected]

Notes
1 In 2018, the BDPA did not publish any decisions. In 2019, 2020 and 2021, the BDPA published a total of 37, 83 and 140 decisions respectively. These include decisions on the merits (and interlocutory decisions) as well as preliminary decisions (i.e., warnings, orders, and dismissals) and appeals of provisional measures taken by the Inspection Service.
2 This document does not cover claims by data subjects for compensation and liability pursuant to Article 82 of the GDPR.
3 The BDPA publishes almost all its decisions, albeit in an anonymised form - unless it imposes the sanction of publishing the non-anonymised decision on its website pursuant to the BDPA Act of 3 December 2017 (hereinafter "BDPA Act"), Article 100, §1, 16°.
4 The criteria used to distinguish between companies and SMEs are (i) staff headcount (maximum 250); and (ii) presumed turnover. Due to the anonymisation of decisions, some extrapolations were made to determine which category the defendants most likely fit into.
5 Examples of defendants in the healthcare sector include hospitals, care homes, medical experts, healthcare NGOs, etc. Examples of defendants in the public sector include Federal Public Services, municipalities, organisations in charge of social housing or family allowances, etc.
6 One of the first decisions of the BDPA was taken against a mayor who, on the eve of an election, used email addresses of individuals obtained in the framework of a land parcelling change to send election propaganda to them (BDPA, Decision 4/2019).
7 For a total of 13 defendants amongst the 86 decisions.
8 BDPA, Strategic Plan 2020-2025, p. 23-24.
9 GDPR Article 6(1) (sanctioned 33 times) and the lawfulness principle under GDPR Article 5(1)(a) (sanctioned 13 times). These provisions require that the processing of personal data always be based on a legal ground listed in GDPR Article 6(1).
10 GDPR Articles 13 and 14 (sanctioned together or separately a total of 27 times), but also the transparency principle under GDPR Article 5(1)(a) (sanctioned 13 times). These provisions require controllers to be transparent about the processing of personal data and to provide certain information to data subjects.
11 GDPR Articles 15 to 18 and 21 (sanctioned 23 times). These provisions grant data subjects several rights in relation to the processing of their personal data.
12 GDPR Article 5(1)(b); sanctioned 18 times. This principle requires you to be clear about the purposes for which you are processing personal data and not to process any for incompatible purposes.
13 GDPR Article 5(1)(c); sanctioned 16 times. This principle requires you to only process personal data that are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
14 GDPR Article 5(2), but also GDPR Article 24 (sanctioned together or separately a total of 14 times). This principle requires you to be able to demonstrate compliance with the GDPR.
15 GDPR Article 27; sanctioned 0 times. This provision requires controllers to appoint a representative in the EU in case they are not established in the EU but the GDPR applies to them.
16 GDPR Chapter V; sanctioned 0 times. This chapter requires controllers to refrain from transferring personal data outside of the European Economic Area, unless the conditions laid down in this chapter are complied with.
17 GDPR Article 5(1)(d); sanctioned 2 times. This principle requires personal data to be accurate and, where necessary, kept up to date.
18 GDPR Article 5(1)(e); sanctioned 3 times. This principle requires personal data not to be kept longer than necessary.
19 GDPR Article 5(1)(f); sanctioned 3 times. This principle requires personal data to be processed in a manner ensuring appropriate security of the personal data.
20 GDPR Articles 26 and 28(3); sanctioned 2 times. These provisions require the controller to determine respective responsibilities through processor or joint controller agreements.
21 GDPR Article 35; sanctioned 1 time. This provision requires controllers to conduct a data protection impact assessment before undertaking any processing that presents a specific privacy risk by virtue of its nature, scope, or purposes.
22 GDPR Articles 37 to 39; sanctioned 5 times. These provisions require controllers to appoint a data protection officer in certain circumstances, to independently fulfil data protection-related information and monitoring tasks.
23 GDPR Article 30; sanctioned 5 times. This provision requires controllers to keep records of their processing activities.
24 GDPR Articles 33 to 34; sanctioned 2 times. These provisions require controllers to notify data breaches likely to result in a high risk to the rights and freedoms of data subjects to both the supervisory authority and the data subjects themselves.
25 GDPR Articles 9 and 10; sanctioned 3 times. These provisions foresee a limited number of cases in which the processing of special categories of personal data or personal data relating to criminal convictions and offences is not prohibited.
26 GDPR Article 32; sanctioned 6 times. This provision requires controllers to put in place technical and organisational measures ensuring a level of security appropriate to the risk.
27 GDPR Article 25; sanctioned 8 times. This provision requires controllers to integrate or 'bake in' data protection into their processing activities and business practices.
28 Although these provisions were not enforced very frequently, it is worth noting that on one occasion where they were indeed enforced, a €100,000 fine was imposed on a financial institution for a failure to implement sufficient security measures (see BDPA decision on the merits 56/2021 of 26 April 2021).
29 BDPA Act Article 100, §1, 5°.
30 BDPA Act Article 100, §1, 13° in conjunction with GDPR Article 83.
31 BDPA Act Article 100, §1, 9°.
32 BDPA Act Article 100, §1, 16°. In principle, the BDPA anonymises the decisions of the Litigation Chamber before publishing them. However, if it believes it is important to do so (as a sanction) or if it believes that the defendant would be identifiable regardless through the facts of the case, it may also decide to publish the non-anonymised decision.
33 BDPA Act Article 100, §1, 6°.
34 BDPA Act Article 100, §1, 10°.
35 BDPA Act Article 100, §1, 8°.
36 For example, pursuant to BDPA Act Article 100, §1, 7°, 11°, 12° and 14°, respectively, (i) the order that the data subject be informed of the security problem; (ii) the withdrawal of the recognition of certification bodies; (iii) the imposition of periodic penalty payments; or (iv) the suspension of cross-border data flows to another State or to an international institution.
37 By comparison, on 16 July 2021, the Luxembourg supervisory authority imposed a fine of €746 million on Amazon Europe Core S.à r.l. for violation of the GDPR. Although the decision is not publicly available, it was confirmed by Amazon (see Amazon's Quarterly Report before the U.S. Securities and Exchange Commission). Amazon indicated it would appeal the decision. Another example is the €225 million fine imposed by the Irish supervisory authority on WhatsApp Ireland Ltd. on 2 September 2021 for insufficient provision of information and the transparency of that information to both users and non-users of WhatsApp's service (see the press release by the Irish supervisory authority).
38 Pursuant to GDPR Article 83, administrative fines may, for some violations, be as high as €20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover.
39 Notably, this does not include one outlier, namely a €600,000 fine for Google for failure to comply with a right to be forgotten request (GDPR Article 17). This fine was not included in the chart since the decision in which it was imposed has been annulled by the Court of Appeal in the meantime (judgment of 30 June 2021, with case number 2020/AR/1111).
40 For example, the defendants in BDPA decisions 18/2020 of 28 April 2020 and 33/2020 of 19 June 2020 were companies generating a multiple-billion-euro turnover.
41 For example, the defendants in BDPA decisions 10/2019 of 25 November 2019 and 36/2020 of 9 July 2020.
42 Which administrative fines must be, pursuant to GDPR Article 83(1).
43 Although the Court of Appeal has already held that, in principle, it can substitute its own decision if the BDPA decision is irregular or illegal, and as long as it does not raise any disputes or points that have not been subject to contradiction / debated by the parties (see for example the judgment of the Court of Appeal of 19 February 2020, case number 2020/AR/1600), the Court will in practice be reluctant to do so. This is mainly because the Court of Appeal is part of the judicial power and the BDPA of the administrative power. Because of the separation of powers between the two of them, there is a limit to what the Court of Appeal can do.
44 BDPA decisions 57/2021 of 6 May 2021 and 36/2021 of 15 March 2021 were taken following the initial decisions being annulled by the Court of Appeal (by judgments of the Court of Appeal of 18 November 2020 with case numbers 2020/AR/813 and 2020/AR/990 respectively).
45 This may for example be the case when the Court of Appeal annulled a decision because the BDPA did not sufficiently state reasons for its decision. In such a case, it then suffices for the BDPA to issue a new, better motivated decision.
46 Judgment of the Court of Appeal of 18 November 2020 (with case number 2020/AR/990).
47 This excludes: (i) appeals of preliminary decisions of the DPA (7x); (ii) appeals of interlocutory decisions of the DPA (1x); and (iii) interlocutory decisions on appeal (2x).
48 Such as judgments of the Court of Appeal of 23 October 2019, 18 November 2020 and 30 June 2021 (with case numbers 2019/AR/1234, 2020/AR/813 and 2020/AR/1111 respectively).
49 Judgment of the Court of Appeal of 26 May 2021 (with case number 2020/AR/205).
50 Judgments of the Court of Appeal of 18 November 2020 and 1 December 2021 (with case numbers 2020/AR/813 and 2021/AR/1044 respectively).
51 Judgment of the Court of Appeal of 18 November 2020 (with case number 2020/AR/990).
52 Judgments of the Court of Appeal of 23 October 2019 and 24 February 2021 (with case numbers 2019/AR/1234 and 2020/AR/1159 respectively).