The General Data Protection Regulation (GDPR) continues to develop at a rapid pace after its entry into force on 25 May 2018. Here we outline the most important developments in the past quarter.

Data protection authority imposes first administrative fine

On 28 May 2019, the Disputes Chamber of the Data Protection Authority (DPA) issued its first administrative fine since the GDPR came into force. The case concerned a mayor who had used email addresses obtained in the context of a land subdivision file to send an election message the day before the municipal elections. The DPA ruled that a mayor has an exemplary role in terms of compliance with the GDPR and decided to impose an administrative fine of EUR 2,000 on the mayor in question.

You can find the complete decision of the Disputes Chamber here (in Dutch).

European Commission publishes guidelines on the interaction between the Regulation on the free movement of non-personal data and the GDPR

Since 28 May 2019, the Regulation on a framework for the free flow of non-personal data in the European Union is applicable. The Regulation aims at the free flow of non-personal data (e.g. aggregated and anonymised data sets used for big data set analysis) within the European Union and prohibits, inter alia, national rules requiring that data may only be stored on the national territory. Together with the GDPR, this Regulation provides a comprehensive framework for a common European data area and the free flow of all data within the EU.

On 29 May 2019, the European Commission published guidelines on the interaction between the Regulation and the GDPR. These guidelines indicate, among other things, how companies can comply with both regulations when processing mixed data sets that contain both personal and non-personal data.

Court of Appeal of Brussels refers the case between the DPA and Facebook to the Court of Justice

On 8 May 2019, the Brussels Court of Appeal ruled on a case that has been pending since 2015 between the former Privacy Commission and Facebook. The case concerns the information that Facebook collects about both users and non-users of Facebook by means of cookies, social plug-ins (e.g. the "like" button) and (invisible) pixels. These technologies would enable Facebook to follow the surfing behaviour of data subjects without their being aware of it.

Earlier, the DPA defended the jurisdiction of the Belgian courts and demanded that Facebook comply with the Belgian and European privacy rules. However, Facebook refuses to acknowledge the jurisdiction of the Belgian courts in this case. The Court of Appeal has now decided to ask the Court of Justice for a ruling on preliminary questions regarding this matter of competence.

You can find the preliminary questions here.

European Data Protection Board publishes (draft) guidelines on contractual obligations as a legal basis for the processing of personal data in online services

On 9 April 2019, the European Data Protection Board (EDPB) published (draft) guidelines on contractual obligations as a legal basis for data processing in online services (Article 6(1)(b) GDPR).

The Guidelines provide, inter alia, that this legal basis can only be validly invoked if the controller can prove that (i) there is a contract with the data subject, (ii) the contract is legally valid, and (iii) the data processing is objectively necessary for a purpose that forms an essential part of the provision of the contractual online service to the data subject. The third condition is particularly relevant. For instance, the data processing by an online retailer that involves the online payment and the offline delivery of a product may well take place on the basis of Article 6(1)(b) GDPR. On the other hand, the drawing up of a profile of the customer would no longer be regarded as objectively necessary and would therefore require a different legal basis.

The EDPB also states that the processing of personal data for the purpose of improving service provision, fraud prevention and advertising based on browsing behaviour cannot usually be done on the basis of Article 6(1)(b) GDPR. Personalisation of content can, subject to certain conditions.

More information can be found in the (draft) guidelines of the EDPB: Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects.

DPA approves final data protection impact assessment list

Each supervisory authority must draw up a list of the processing operations for which a data protection impact assessment (DPIA) is mandatory. The official list of the DPA was published in the Belgian Official Gazette on 22 March 2019 and entered into force on 1 April 2019. You can find the complete list here (in French).

Court of Justice Advocate General and Dutch Data Protection Authority shed light on consent requirements for cookies

Advocate General (AG) Szpunar delivered his opinion on 21 March 2019 on the consent requirements regarding cookies. Among other things, the AG is of the opinion that pre-ticked boxes for the use of cookies do not constitute legally valid consent. He emphasises that the consent must be actively expressed. The opinion of the AG is not in itself a surprise. This is because the GDPR clearly states that silence, the use of pre-ticked boxes or inactivity do not count as consent (Recital 32 GDPR).

Connected with this is the use of so-called "cookie walls". These only give visitors access to a website after they have been forced to give consent for the placing of (advertisement) cookies (e.g. because they have no other choice and cannot visit the website without giving such consent). The Dutch Data Protection authority recently ruled (in Dutch) that these methods are not permitted.

The State Archives provide an explanation of the application of the GDPR in the context of archives management

According to the State Archives, pursuant to the Archives Act of 24 June 1955 (in French), the documents must be kept in their entirety and transferred to the State Archives even if they contain personal data. This is confirmed in a circular letter of 14 March 2019 (in French) from the State Archives. The State Archives refer in particular to the exception regime of the GDPR for archiving purposes in the public interest and to (Title 4 of) the Act of 30 July 2018 on the protection of individuals with regard to the processing of personal data (in French).

For more information about the storage and transfer of documents, please visit the website of the State Archives.

EDPB issues a new opinion on the interaction between the ePrivacy Directive and the GDPR

On 12 March 2019, the EDPB adopted an opinion on the interaction between the ePrivacy Directive and the GDPR, in particular as regards the competence, tasks and powers of data protection authorities in cases where both the ePrivacy Directive and the GDPR apply to a single set of processing operations. The EDPB also stresses in its opinion that the ePrivacy Directive further specifies and complements the GDPR, so that the most specific rule takes precedence when both of these legislative texts apply. For example, where one specific data processing operation requires consent under the ePrivacy Directive (e.g. for the use of certain cookies), the ePrivacy Directive will take precedence over the possible principles provided for in Article 6 of the GDPR.

You can find the opinion here.

DPA publishes its 2018 annual report

The DPA recently published its 2018 annual report (in French), which highlights the main developments in 2018. The report shows that in the fourth quarter of 2018 70 files had already been submitted to the inspection service, mainly relating to the local elections of 2018 and the use of cameras in the light of the new legislation on surveillance cameras.