Belgium: new data protection decisions on complaints by opponents – next, competitors?

The Belgian Data Protection Authority (BDPA) has just published two new decisions by its Litigation Chamber, in widely different cases: 

  • one relating to a dispute between ex-spouses;
  • another imposing a 5000 EUR fine for misuse of a list of personnel of a municipality for electoral purposes (i.e. the third fine related to the misuse of personal data for electoral purposes).

Both illustrate the manner in which data protection is increasingly becoming an additional argument in separate disputes, where the plaintiff is an adversary or even a competitor of the defendant; in the electoral case, the plaintiff was even a legal entity rather than a data subject as is usually the case. 

Interestingly, both contain significant considerations in relation to the Litigation Chamber's jurisdiction and the procedure before the BDPA. While the Litigation Chamber has attempted to create a body of case law that is consistent, the ideas it sets out in particular in the spousal dispute decision will likely require further clarification to avoid contradictions or even discrimination between defendants (controllers or processors). As it stands, it seems as though the scope of a complaint or investigation depends on (i) the manner in which a complaint was initially handled and (ii) whether the defendant is a natural person or a legal entity.

1. In which circumstances can a legal entity file a complaint and can this be against a competitor?

Complaints before the BDPA cannot be a substitute for the management of disputes in their proper forum, such as commercial, labour or family courts. This was already made clear in an earlier decision in relation to a labour law dispute and it was repeated in both of the new decisions.

However, nothing prevents one party from filing a complaint against the other if there is a legitimate and existing interest in doing so.

In the electoral case, the defendant (a politician) claimed that the plaintiff (a municipality) did not have any such interest and that the complaint was filed for political motives, as the defendant was a political adversary.

The Litigation Chamber found that the municipality had a legitimate and existing interest in filing a complaint against the defendant, based on the following considerations:

  • the complaint alleged that the defendant had committed a personal data breach by using for electoral purposes a list of the municipality's personnel;
  • the municipality was the controller of the personal data in question (the personnel list);
  • as controller, the municipality had an obligation to protect the personal data and therefore had an interest in complaining in relation to any breach of such personal data;
  • as employer, the municipality had an interest in protecting its employees;
  • finally, two of the affected data subjects were among those involved in the internal process within the municipality that led to the filing of a complaint.

This creates an interesting precedent for organisations in the context of theft of personal data (e.g. corporate espionage or copying over of customer lists), as it suggests that in such a case, it may be worthwhile examining whether to also file a complaint (in addition to a data breach notification).

It remains to be seen, however, to what extent the Litigation Chamber will set limits regarding such an approach.

2. How soon can a complaint be filed and is mediation required beforehand?

According to the spousal dispute decision, the BDPA has to facilitate the exercise of the right to complain, but not to encourage the "precipitated" filing of complaints "without leaving space for mediation and prior reflexion". This comment came from the fact that the complaint in question was filed mere hours after the plaintiff requested the defendant not to use a particular e-mail address for communication.

Based on other decisions and ongoing cases before the Litigation Chamber, we cannot help but wonder whether this focus on mediation is related to the nature of this particular dispute and parties involved: in cases against legal entities, the Litigation Chamber's approach has been less conciliatory and more accusatory.

In practice, our clients have often discovered the existence of a complaint by way of a letter by the Litigation Chamber giving them one month to submit their arguments; mediation has not yet been an option.

It will therefore be interesting to see whether this decision has any bearing on the Litigation Chamber's approach. 

3. Is the Litigation Chamber allowed to go beyond the scope of the initial complaint?

According to the spousal dispute decision, the Litigation Chamber is allowed to examine the complaint itself as well as any facts or legal arguments raised during the proceedings that relate to the alleged data protection violation mentioned in the complaint. However, it is not permitted to examine any facts or legal arguments raised after the complaint that are not related to the facts and allegations included in the initial complaint.

That sounds fairly simple. However, previous case law suggests that the scope of the Litigation Chamber's jurisdiction is a little more complex.

In a case relating to a bank in which the complaint mentioned an erroneous legal basis for the alleged violation, the Litigation Chamber held that it was allowed to change the legal qualification of the alleged violation. To literally translate the Litigation Chamber, "the Litigation Chamber can on its own initiative modify the subject-matter of the complaint in factual or legal terms" (French: "la Chambre contentieuse peut d’initiative modifier l’objet de la plainte en fait ou en droit").

In two cases in which the Inspection Service of the BDPA was involved, the Litigation Chamber gave the Inspection Service wide-ranging powers of investigation:

  • In one case, the trigger for an investigation had been a data breach notification; no GDPR violation was found in relation to the data breach or its management, but the Litigation Chamber ended up fining the organisation in question for something that was unrelated to the data breach itself, namely the role and position of the Data Protection Officer within the organisation. 
  • In another case, the trigger for an investigation had been a complaint by a data subject. The Inspection Service examined the complaint itself (related to transparency) but went on to also examine (as in the case above) the role and position of the Data Protection Officer within the organisation.

Here, it is important to stress that the Litigation Chamber itself is entitled to decide whether to involve the Inspection Service after it has received a complaint. This therefore creates two potentially dangerous alternatives in cases based on a complaint by a data subject:

  • if the Litigation Chamber decides not to involve the Inspection Service, the Litigation Chamber's jurisdiction can be adapted to take into account any facts or legal qualifications that the Litigation Chamber itself (sovereignly) considers to be related to the alleged violation;
  • if the Litigation Chamber decides on its own initiative (and sovereignly) to involve the Inspection Service, all bets are off and the Litigation Chamber's jurisdiction appears to be almost limitless.

In our view, it will be imperative for the Litigation Chamber to clarify the exact scope of its jurisdiction and to set clear limits on what is or is not permitted in terms of broadening the scope of complaints.

4. What about separate but linked complaints?

The Litigation Chamber indicated in the spousal dispute case that if a second but related complaint is filed separately, the Litigation Chamber has the right to join the complaints and handle them together, "so as to avoid contradictory solutions". Through this reference, the Litigation Chamber is introducing in its own procedural rules a mechanism that exists in judicial proceedings.

Other pending or future cases may lead to a further examination of the scope of this possibility – in particular whether the plaintiff has to be identical or whether two related complaints from two separate data subjects can be combined. 

 5. Where to find the decisions

Both decisions are available in French at this time on the website of the BDPA:

  • spousal dispute case;
  • electoral case.

Do read them carefully or get in touch for more strategic advice; as indicated previously, the cases provide good illustrations of the way in which data protection can be an additional angle in a dispute and you should be wary of being on the receiving end of a complaint.

Voir aussi : NautaDutilh ( Mr. Peter Craddock ,  Ms. Eline Van Bogget )


Click here to see the ad(s)
Tous les articles Droit de la concurrence

Derniers articles Droit de la concurrence

Beperking van persvrijheid – Laster van concurrerend persorgaan kan oneerlijke marktpraktijk ui...

Rechtbank van Koophandel te Luik1 oordeelt dat het opzetten van een lastercampagne een oneerlijke marktpraktijk uitma...

Read more

Submission of a proposal for decision against Caudalie for imposing a minimum resale price on its...

On 20 November 2020, the Investigation and Prosecution Service of the Belgian Competition Authority announced that it had ...

Submission of a proposal for decision against Caudalie for imposing a minimum resale price on its selective distributors Read more

First Belgian ruling on abuse of economic dependence

First Belgian ruling on abuse of economic dependence: much looked forward too, little precedential value?

Read more

Afwerving van cliënteel – Communicatie ter actualisering van klantenbestanden

Het Hof van Beroep te Brussel oordeelde dat communicatie gericht aan klanten van een concurrent ter actualisering van klan...

Read more

Derniers articles de Mr. Peter Craddock

(Alleged) data protection infringement? Say bye-bye to your .be domain name

The Belgian Data Protection Authority (BDPA) published on 30 November 2020 a cooperation agreement with DNS Belgium, the r...

Read more

New Belgian DPA decision: employee consent sometimes works

Yes, employee consent is possible in certain circumstances – but do not assume old processing activities fully compl...

Read more

Finally some practical EDPB guidance on how to make international data transfers lawful

After a long, four-month wait, we finally have recommendations from the European Data Protection Board (EDPB) on “su...

Read more

Data protection litigation: preparing to defend yourself – or attack

If people were to look, they would probably conclude that you do not fully comply with data protection rules. Top of the l...

Read more

Derniers articles de Ms. Eline Van Bogget

New Belgian DPA decision: broader "controller" concept & extensive access rights?

In a decision of 29 July that it published today, the Litigation Chamber of the Belgian Data Protection Authority (BDPA) e...

Read more

Surveys, transparency and DPIAs: tips from the Belgian DPA

Are you planning to conduct a survey within your organisation? And do you sometimes wonder when you should or&nb...

Read more

Belgium: what has GDPR year 2 taught us, and what will come next?

Today is GDPR Day – two years ago, the GDPR became applicable. When 25 May 2018 came about, the world did not end, n...

Read more

Belgium: two new EUR fines for tell-a-friend and health-related GDPR violations

On 19 May 2020, the Belgian Data Protection Authority published two new decisions of the BDPA's Litigation Chamber,&nb...

Read more

LexGO Network