In February 2020, the Markets Court (a division of Brussels’ Court of Appeal) annulled the decision by which the Belgian Data Protection Authority (BDPA) had imposed an administrative fine of EUR 10,000 on a retailer for the use of electronic identity cards as ‘loyalty cards’ without valid consent. Out of the four judgements of the Markets Court published up to now in appeals against BDPA decisions, two have annulled the latter’s decision. In the other two judgements the Markets Court dismissed the appeals, but remained very critical of the BDPA’s enforcement practices.
Lessons learned from the 2019 case law of the Markets Court
In June 2019, the Brussels Markets Court rendered its very first judgement on an appeal against a BDPA decision. The appeal was dismissed as the BDPA had not yet taken a decision on the merits which could be appealed. The Markets Court did however express clear concerns regarding the independence of the BDPA’s litigation chamber and the procedural compliance with the fundamental right of defence.
In October 2019, the Markets Court again dismissed an appeal against a BDPA decision, but reiterated that the latter should pay particular attention to the formal reasoning of decisions imposing administrative sanctions. The court referred to the case law of the Belgian State Council and noted that it did not consider the BDPA’s decision to be properly reasoned. However, as this argument had not been raised by the applicant, the court could not annul the BDPA’s decision on this basis.
In October 2019, this same argument was formally raised by an applicant in another case, and the Markets Court annulled the BDPA’s decision. It held that the latter had not properly justified its decision as it had (i) relied on assumptions instead of facts, and (ii) based its decision on a value judgement instead of objective parameters.
As a result of this case law, the BDPA made considerable efforts to improve the reasoning of its decisions. As exemplified by the judgement of the Markets Court of February 2020 (see below), some concerns do however remain.
Background to the judgement of 19 February 2020
A retailer had developed a loyalty program based on the registration of the electronic ID (eID) cards of its participating clients. One client wanted to participate in the loyalty program, but refused the processing of her personal data by reading her eID card. The retailer refused to issue a loyalty card, stating that it only offered loyalty cards based on the reading of eID cards.
The client filed a complaint with the Belgian Data Protection Authority, which decided that the retailer had infringed the GDPR on three different counts: (i) the principle of data minimisation (as the data included in the eID – in particular the national registration number, gender and date of birth – were not relevant for the loyalty program); (ii) the lawfulness of data processing (as no valid consent can be obtained if consent cannot be 'freely' given and therefore refused without losing the benefit of participating in the loyalty program); and (iii) the information and transparency obligations (as the retailer’s privacy notice did not contain all elements required by the GDPR).
Findings of the Brussels Markets Court
The Markets Court first of all confirmed that its powers are not limited to confirming or annulling a BDPA decision, but also include the possibility for it to impose an alternative administrative sanction provided that it complies with the rights of defence.
It went on to state (i) that the use of the national registry number by the retailer was only based on speculation by the BDPA (its inspection service had never reported any actual use of such information by the retailer); (ii) that Article 6§4 of the Act of 19 July 1991 to which the BDPA refers (restricting the use of the national registration number and requiring free consent, including an alternative to the use of the eID) was adopted only in November 2018 and was therefore not applicable at the time of the complaint (August 2018); and (iii) that no actual infringement took place in the present case, as the client had refused to provide her eID card to the retailer and her data was therefore not (unlawfully) processed.
Interestingly, the Markets Court also found that the BDPA had incorrectly assumed that the refusal of the potential extra benefit of the loyalty card automatically constituted a 'detriment' for the customer, invalidating the given consent (cf. recital 42 GDPR). The loss of a small extra benefit should indeed be distinguished from the possible loss of a legal or contractual right (e.g. no right to additional warranty period if the eID is not provided).
Finally, regarding the administrative fine that had been imposed by the BDPA, the Markets Court considered that the BDPA had not sufficiently justified the amount of the fine. In the absence of a clear qualification and quantification of the potential sanctions in an official fining policy, the BDPA must indeed provide proper justification for every fine it imposes, and explain why a less severe sanction could not have led to the same result. Infringers should in principle also be informed beforehand of the intention to impose a fine and have the opportunity to contest the (amount of the) fine before it is imposed.
For these reasons, the BDPA’s decision was annulled.
Key takeaways
Since the first decisions of the Brussels Markets Court in 2019, we have seen a significant change in the level of detail (and the length) of the reasoning of GDPR enforcement decisions published by the BDPA. The Brussels Markets Court remains however very critical of the BDPA’s enforcement practices, taking into account the importance of the fundamental rights of defense and proper administration of justice, the principle of legal certainty and the necessity in a democratic society to properly reason any type of judicial or administrative sanction.
It remains to be seen how the BDPA’s decision-making practice will further evolve in 2020, and whether it will consider adopting a formal fining policy to provide more clarity on fine calculation in GDPR infringement cases. Both the Dutch and the German Data Protection Authorities have already published a fining policy. Their divergent approaches do however raise important concerns and a coordinated policy at EU level (adopted by the European Data Protection Board) is therefore arguably the preferred option.
