On May 25, 2020, the second anniversary of the GDPR, the Belgian Supervisory Authority (“SA”) released an overview of its first full year of activity (available in French here, and in Dutch here). To be clear, this was not a delay in reporting, but rather shows that the Belgian legislature was late in creating its oversight and enforcement authority for data protection.
According to the activity overview, the SA has received over 900 security breach notifications and around 350 complaints. It has performed over 100 inspections and imposed 59 sanctions, 9 of which resulted in fines for a total of €189,000. In fact, the SA has imposed the bulk of these fine amounts only in the last two months.
In April, the SA imposed a €50,000 fine on a telecom operator for violating rules on the appointment of a Data Protection Officer (“DPO”). According to the SA, the company’s head of compliance, risk management and audit could not perform the DPO function independently, at least not for the (limited) processing operations that he/she supervised in this case. Unfortunately, decisions like this may make it difficult for companies to appoint senior managers to the DPO position (which is supposed to report to the highest levels of management), since such personnel are apparently prohibited from holding any other significant role in the company. Such a decision may be especially problematic for companies that are not primarily “data companies,” in which the DPO position is therefore not usually a full-time role.
In May, the SA imposed a €50,000 fine on a social network for uploading the contact books of new members onto its servers and then processing this data without a valid legal basis. The SA emphasized in its decision that such contact lists may only be used at the outset to identify existing members of the network (“compare and forget”). New members must give opt-in consent before the network can then send invitations on their behalf to existing members, requesting them to connect with the new member. The SA said in its decision that the personal data of non-members uploaded from contact books could not be used to send invitations to them.
Finally, also in May, the SA imposed a €50,000 fine (apparently the SA’s favorite number) on an insurance company. In this decision, the SA came to some puzzling conclusions:
- Legal basis. The SA stated that legitimate interest was not a valid legal basis for the company to process non-sensitive personal data for purposes related to training, quality assurance, monitoring and reporting, or for statistical analysis drawn from coded data (including big data). Instead, according to the SA, the company was required to seek separate consent for each of these purposes. If this decision is upheld in court, it raises the question of how the EU will ever manage to implement an AI strategy worthy of that name, if even non-sensitive coded data cannot be used without consent. In contrast, the SA found that legitimate interest was a valid legal basis to process personal data for marketing purposes, as well as for anti-fraud purposes.
- Sharing personal data with third parties. Here, the SA’s decision breaks new ground:
  - First, it takes the position that it was not demonstrated that legitimate interest was a valid legal basis for sharing non-sensitive personal data with the company’s headquarters (in the EU) for reporting purposes. Again, according to the SA, the company should have obtained a separate consent. It is difficult to understand how such data sharing does not qualify as a legitimate interest, so long as it is implemented judiciously. Moreover, the GDPR itself refers to this scenario in its Recital 48 (to which the SA did not refer): “Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients’ or employees’ personal data”.
  - Second, and even more puzzling, the SA appears to indicate that the sharing of personal data with service providers (presumably “processors”) cannot be based on the company’s legitimate interest and must also be based on consent. The mere suggestion that a company requires a legal basis for sharing personal data with its own processor is innovative, to say the least. The assertion that such sharing is lawful only on the basis of consent is extraordinary.
The Belgian SA’s activity overview did not make any mention of the judicial review of its decisions. So far, the SA’s website lists four final decisions by the Market Court, unrelated to any of those mentioned above.