Earlier this week, on 25 May 2020, the General Data Protection Regulation (GDPR) celebrated its second anniversary: on 25 May 2018, the privacy flagship of the European Union came into force. Last year, in April 2019, the Belgian Data Protection Authority (BDPA) also became fully operational. In this contribution we look back at these anniversaries and look ahead to the evolution of data protection law in Belgium.
One year of the Belgian Data Protection Authority
Since its establishment in April 2019, the BDPA has not been sitting idle. In addition to issuing various recommendations and guidelines, the Authority handled 937 notifications of data breaches, 4,438 requests for information and 351 mediation requests or complaints and issued 128 opinions on draft laws, decrees and decisions. The Inspectorate ("inspectiedienst"/"service d'inspection") carried out more than 100 inspections and the Dispute Settlement Chamber ("geschillenkamer"/"la chambre contentieuse") issued 59 sanctions, including nine fines.
The BDPA started cautiously, but quickly evolved into a supervisory body that acts decisively and is imposing increasingly large fines. It usually does so following a complaint against a company, but it has also undertaken proactive investigations on its own initiative. Here is a brief catalogue of the fines imposed by the BDPA in its first year of operation:
On 28 May 2019, the BDPA imposed its first fine of EUR 2,000 on a mayor who unlawfully made further use for electoral purposes of personal data that he had initially obtained in the performance of his mandate. Later, on 25 November 2019, another mayor and an alderman received fines of EUR 5,000 for similar offences.
On 17 September 2019, a retailer was fined (EUR 10,000) for obliging customers to let it read their electronic identity card in order to create a loyalty card, thus processing more data than was strictly necessary, including national registration numbers. The BDPA also ruled that the consent of the customer was not freely given in the absence of an alternative loyalty card where the reading of the eID was not required. In 2020, the Market Court ("Marktenhof"/"Cour des marchés") overruled the decision due to a lack of justification.
The BDPA imposed a fine of EUR 15,000 on a legal news website on 17 December 2019, inter alia for violating its information obligation and for the lack of valid consent for data processing through cookies. Following this decision, the BDPA published further guidelines on cookies in its long-awaited recommendation on direct marketing and on the "cookies" theme page on its website.
On 17 December 2019, the BDPA imposed a second fine of EUR 2,000 on a non-profit organisation for violation of the right of access, the right to transparency and the right to erasure.
The BDPA imposed a fine of EUR 50,000 on a telecom operator on 28 April 2020 because of a conflict of interest on the part of its Data Protection Officer (DPO). The DPO was also the head of the audit, risk and compliance departments, where his responsibilities included privacy decisions.
On 14 May 2020, the BDPA fined an insurance company EUR 50,000 for missing and deficient information in its privacy statement.
- The last fine so far (EUR 50,000), also issued on 14 May 2020, was imposed on a social network. The fine sanctioned the non-legitimate collection of users' consent (via pre-ticked boxes) and the lack of consent of non-users who were invited to join the network.
Two years of GDPR
Many important developments also took place at the European level in the second year of the GDPR. The European Court of Justice delivered a number of important judgments, such as Google v CNIL on the right to be forgotten, Fashion ID on the use of social plugins and Planet49 on the lawful installation of cookies and provision of information about cookies.
In addition, the European Data Protection Board (EDPB) also endeavoured to provide guidelines inter alia on the territorial scope of the GDPR, consent, the processing of personal data through video devices and the processing of location and health data in the context of the COVID-19 outbreak.
The third year of the new privacy era has kicked off – what can we expect?
In its strategic plan, the BDPA provides insight into the areas its activities can be expected to focus on in the coming year. The BDPA will pay particular attention to certain sectors (telecommunications and media, government, direct marketing, education and SMEs) and specific themes (the role of the DPO, legitimacy of processing, citizens' rights, photos and cameras, online data protection and sensitive data).
At the European level, we also expect many new guidelines from the EDPB and some interesting rulings from the European Court of Justice. High on the list is, inter alia, the so-called "Schrems II" judgment, currently scheduled to be rendered on 16 July 2020, which is likely to determine whether standard contractual clauses remain a valid instrument for transferring personal data outside the European Economic Area.
An interesting third year for data protection law lies ahead.