Till now, fines by the Belgian Information Safety Authority (BDPA) had, in comparison with its neighbouring international locations (France, Luxembourg, and the Netherlands), appeared on the low aspect in absolute numbers.
Final 12 months we carried out an evaluation of over 300 fines associated to (alleged) infringements of the Normal Information Safety Regulation (GDPR), together with the highest 250 fines imposed on firms with an recognized or identifiable turnover, and Belgium appeared in 18th place amongst EU information safety authorities when evaluating the typical of the fines examined.
A judgment of 14 June 2023 of the Belgian Market Court docket (the division of the Court docket of Enchantment of Brussels) might have the oblique impact of considerably altering this.
That judgment adopted an attraction by a controller (on this case, bpost, the biggest Belgian postal providers firm) towards a ten.000 EUR high quality. The Market Court docket has usually overruled choices by the Belgian Information Safety Authority on procedural grounds, in addition to on the deserves, i.e., the precise evaluation of allegations of infringements, however on this explicit case, it confirmed the Belgian Information Safety Authority’s choice in these respects.
It however determined to observe the controller’s arguments that the high quality itself was not correctly justified and decreased the high quality to a symbolic Euro.
Preliminary level: do GDPR fines need to be paid even pending an attraction?
In Belgium, the tax authorities are those who ship a request for fee to a controller or processor fined by the Belgian Information Safety Authority, and the process they observe is wholly separate from the appeals course of.
As well as, the legislation instituting the Belgian Information Safety Authority doesn’t foresee an automated keep of enforcement in case of an attraction. Since a Market Court docket judgment that we obtained in September 2020, it’s however potential to acquire a keep of enforcement, together with the fee of fines, whereas an attraction towards a Belgian Information Safety Authority is pending, however the Market Court docket has refined its strategy over time and imposes strict circumstances.
On this explicit case, the textual content of the Market Court docket judgment exhibits that the high quality was paid, and reimbursement was requested.
Why was the high quality decreased, and what was the Market Court docket’s reasoning?
The Market Court docket explains its reasoning as follows in its judgment (tough translation from the unique Dutch):
“The Market Court docket tries to detect which methodology the Litigation Chamber [of the BDPA] applies that permits it to render goal the selection of sanction, together with the variety of potential fines.
The Market Court docket agrees with [the relevant controller] that the Litigation Chamber has in a manifestly inadequate method taken into consideration, within the dedication of the quantity of the high quality, the particular scenario and context […] and the next mitigating circumstances.”
The Market Court docket goes on to listing a spread of circumstances that ought to have been taken into consideration when assessing the high quality, together with the truth that the Information Safety Officer’s recommendation had been sought and the truth that no damages have been claimed by information topics.
Primarily based on that, the Market Court docket says that the information safety high quality isn’t “correctly” justified, from a factual perspective or from a authorized perspective.
What does this imply for the longer term – a brand new methodology for GDPR fines?
The Litigation Chamber of the Belgian Information Safety Authority has, over time, improved its decision-making course of to bear in mind all the criticisms from the Market Court docket, with extra detailed choices and a extra balanced course of consequently.
On this case, as a result of the Market Court docket stated that it was “[trying] to detect” which methodology was used and that the high quality itself was not “correctly” justified, it’s probably that the Belgian Information Safety Authority will mirror on the way to enhance the readability of its methodology for figuring out which sanction to use and for figuring out the quantity of a high quality.
This might simply be achieved in two methods: by publishing its present methodology or by adopting one that’s already public. One just like the one finalised on 24 Could 2023 by the European Information Safety Board (EDPB), the group of all supervisory authorities throughout the European Union.
What’s the EDPB fining methodology?
The EDPB points suggestions and pointers, in addition to binding choices in cross-border circumstances the place there’s a disagreement among the many supervisory authorities concerned in a case.
In its Pointers 04/2022 on the calculation of administrative fines beneath the GDPR, as finalised in Could 2023, the EDPB proposed the next methodology for calculating GDPR fines:
- Identification of the processing operations within the case and analysis of the applying of Article 83(3) GDPR
- Identification of the start line for additional calculation of the quantity of the high quality (by evaluating the classification of the infringement within the GDPR, evaluating the seriousness of the infringement in gentle of the circumstances of the case, and evaluating the turnover of the enterprise)
- Analysis of aggravating and mitigating circumstances associated to previous or current behaviour of the controller/processor, and growing or lowering the high quality accordingly
- Identification of the related authorized maximums for the totally different infringements (will increase utilized in earlier or subsequent steps can’t exceed this most quantity)
- Evaluation of whether or not the calculated ultimate quantity meets the necessities of effectiveness, dissuasiveness, and proportionality, and adjusting the high quality accordingly (with out exceeding the related authorized most)
Step 2, particularly, takes the type of a mathematical method – we revealed DeFine, a device to assist use the 2022 model of the method (when the rules have been nonetheless merely topic to public session and never but finalised). We might be updating it within the coming weeks to bear in mind some will increase that the finalisation in 2023 has introduced with it.
Primarily based on our aforementioned evaluation of GDPR fines, use of this system would probably lead, all through the European Union, to larger GDPR fines, purely as a result of the odds for the “start line” of the calculation are already larger than these utilized in observe by supervisory authorities.
In observe, due to this fact, adoption of the EDPB methodology would probably set off (a lot) larger GDPR fines in Belgium.
Would this not occur anyway?
Because the adoption of the finalised EDPB pointers, the Belgian Information Safety Authority has already referenced them in a current choice (obtainable in French) when assessing which mitigating and aggravating circumstances have to be taken into consideration. It’s, due to this fact, already potential that in future fining choices, the Belgian Information Safety Authority would, in any occasion, have utilized the EDPB fining methodology.
In that context, the Market Court docket judgment of 14 June 2023 might find yourself being a further set off that accelerates adoption by the Belgian Information Safety Authority of the EDPB fining methodology.
What ought to I do if my firm or organisation is beneath investigation?
In observe, organisations dealing with regulatory investigations concerning alleged GDPR infringements – in Belgium or elsewhere – all the time have to arrange their authorized defence effectively, and the adoption of a brand new methodology (or publication of an present one) merely reinforces the necessity to make sure that you’ve a crew to help you, each internally (in-house authorized crew, information safety specialists, product groups, communication crew) and externally (exterior authorized counsel) in dealing with such an investigation.
And just be sure you are ready to problem the newly adopted methodology, too!
In that context, in the event you require any help in that respect or for any information governance, AI governance, or know-how legislation points, attain out to Peter Craddock or our Information & Tech crew.
The place can I discover the brand new judgment of the Market Court docket?
The Market Court docket judgment of 14 June 2023 is obtainable on-line in Dutch.
