Data Protection in Belgium: the 2023 focus of the BDPA

In 2022, the Belgian Data Protection Authority ("BDPA") rendered a large number of decisions and identified priorities for the following year that point to the following topics marking the Belgian data protection landscape of 2023. Of course, the BDPA will have to further sort out its priorities as it works with limited resources (despite its specific request for additional funding):

  1. Cookies & digital advertising remain important with many more cookie enforcement cases to come, the IAB case being decided upon by the CJEU and a continued focus on data brokers;
  2. 2022 was the first year in which the BDPA had frequent recourse to a settlement procedure, a trend which, in the light of the BDPA’s limited resources, will certainly continue;
  3. The BDPA will consequently investigate the role of the DPO in all investigations that are opened on other aspects;
  4. The deployment of the cloud by the public sector with a potential overspill effect towards the deployment of the cloud by any type of organization.

1. Cookies & digital advertising (incl. the iab transparency & consent framework and data brokers) still need attention

On 2 February 2022, the BDPA issued its long-awaited decision against the Interactive Advertising Bureau Europe (“IAB Europe”) in relation to its Transparency & Consent Framework (“TCF”). The TCF has been widely used by many key actors in the advertising industry in the EU as a mechanism to collect and manage consent for targeted advertising cookies in a way that is allegedly compliant with the GDPR. The BDPA however ruled that the TCF does not comply with several GDPR provisions, and therefore, firstly, fined IAB Europe €250,000 and, secondly, required IAB Europe to submit a remediation plan for approval and subsequent implementation.

The Litigation Chamber found that IAB Europe was acting as a data controller where it registered user consent indications, choices and preferences through a coded character string, which could be linked to identifiable users ("TC String"). It concluded that IAB Europe had failed to establish adequate grounds of lawfulness for the processing of these TC Strings and that the information provided to the users was too generic and vague, making it difficult for them to maintain control over their personal data and exercise their rights as data subjects. The Litigation Chamber also found that there were insufficient technical and organizational measures in place under the TCF to guarantee the security and integrity of the processing. Moreover, IAB Europe failed to (1) keep a record of the relevant processing activities, (2) appoint a data protection officer, and (3) perform a data protection impact assessment.

IAB Europe appealed this decision before the Market Court who decided to stay the proceedings and refer some questions to the Court of Justice of the European Union ("CJEU") for preliminary ruling on 7 September 2022. The questions concern whether IAB Europe should be considered a (joint) “data controller” for the TCF, and whether the TC String should be considered “personal data”. In the meantime, on 11 January 2023, the BDPA approved IAB Europe's action plan. IAB Europe now has six months to implement the changes and align the TCF with the GDPR. However, if the CJEU finds that IAB Europe is a joint data controller and/or that the TC String qualifies as personal data, the action plan may have to be updated or rejected altogether.

Organisations relying on the IAB TCF, of which there are many, will therefore need to carefully monitor the situation to establish whether continued reliance on the framework is possible and whether the updates to and rulings on the framework require any steps from their end to ensure GDPR compliance. It is certain that the BDPA will be sensitive to the compliance of the ad tech industry with its ruling.

On 25 May 2022, the BDPA announced that it had put 20 different websites under scrutiny as part of a thematic investigation into the management of cookies on Belgium's most popular press websites. In its first decision of 25 May 2022, the BDPA imposed an administrative fine of €50,000 on press group Roularta for cookie infringements on the websites Knack and Le Vif. A second decision followed on 16 June 2022, in which the BDPA imposed another administrative fine of €50,000 on press group Rossel for cookie infringements on the websites lesoir.be, sudinfo.be and sudpressedigital.be. In those first two decisions, the Litigation Chamber pointed out that "statistical" cookies (whose purpose, among other things, is to find out how many people visit a website) cannot, in principle, be considered as "strictly necessary", and therefore require user consent before placement. Furthermore, for the consent to be valid, it must be informed, unambiguous, free and specific. In that respect, the Litigation Chamber found that the press groups had failed to (1) adequately inform their website users about the cookies and (2) obtain unambiguous consent because of the consent boxes being pre-ticked.

In subsequent decisions in October and November of 2022 relating to 14 other popular press websites such as La Libre, HLN, VRT and RTL, the Litigation Chamber took another approach and the press groups in question were able to reach a settlement agreement regarding the alleged infringing use of cookies on their websites (more on that below).

The latest EDPB report of the latter’s "Cookie Banner Taskforce" of January 2023 lists practices that are commonly considered to be illegal and will further strengthen the BDPA in its enforcement efforts in this field. The imminent adoption of the future ePrivacy Regulation, which will revamp the rules concerning the deployment of cookies (and would most probably allow cookies for statistical reasons without consent), will be another important evolution to watch. In the meantime, the BDPA also has indicated that it will continue its enforcement actions against data brokers which also play an important role in the field of digital advertising.

2. First settlement decisions

In October 2022, the BDPA issued its first settlement decisions whereby it settled cases against press groups for alleged infringements in relation to the deployment of cookies on their websites through payments of €10,000 per case. In November 2022 several other settlement decisions followed, again in relation to cookies. Settlement proposals are made by the BDPA after the proceedings before the Litigation Chamber have already begun and the controller has already filed submissions. The settlement proposals are either explicitly accepted or deemed accepted in the event of failure to respond within a specified period, and then lead to a formal decision. The settlement does not lead to the admission of a GDPR violation. Therefore, the Litigation Chamber will not establish any violation of the GDPR by the controller or processor in question and will formally close the case with the settlement decision. 

Considering the BDPA’s limited resources, it can be expected that many more cases may be closed by way of a settlement.

3. Importance of the role of DPOs

After the EDPB announced that 22 data protection authorities in the EU/EEA would undertake a Coordinated Enforcement Action on the designation and role DPOs, the BDPA announced in November 2022 that prevention and investigation around the role of DPOs would be one of its priorities for 2023 as DPOs play a pivotal function in the GDPR compliance of organisations.

More particularly and we already have experienced that in several cases, the BDPA’s inspection unit would, in any investigation (thus also those that do not deal with the GDPR provisions on the DPO), look into the question whether the investigated organisation has to appoint a DPO and, if it did appoint one, whether all GDPR requirements in relation to the role of a DPO are met in practice.

To check their compliance, investigated organisations can rely on previous decisional practice of the BDPA, for example on the instructive explanations of the BDPA in its decision 18/2020 of 28 April 2020, as well as on the findings of the CNPD, the Luxembourg data protection authority, which already has carried out a thematic review of the DPO function resulting in more than 20 decisions.

4. The cloud in the public sector and beyond

In January 2023 the EDPB has issued an interim report on the state of play of the 2022 Coordinated Enforcement Action that most data protection authorities in the EU are carrying out on the use of cloud-based services by the public sector. It stems from this report that the BDPA actively contributed to it and investigated the cloud deployment practices by several important Belgian public actors. The BDPA’s investigation has revealed several GDPR violations, and it can be expected that the BDPA will take some corrective actions in this respect.

The BDPA and EDPB findings are also important in relation to essential topics, such as the compliance with the Schrems II judgment of the CJEU and the GDPR provisions on international transfers in the context of cloud services.

These findings and actions must be watched closely as they are not only relevant for the public sector but also for entities in the private sector that choose the cloud.

 Vincent Wellens | Brussels & Luxembourg  

 Carmen Schellekens | Brussels & Luxembourg  

 Jill Van Overbeke | Brussels