On Feb. 19, the Brussels Court of Appeal overruled one of the first decisions of the Belgian Data Protection Authority in a case involving the use of an electronic ID to get a loyalty card.
Background
The Belgian Privacy Commission was replaced by the DPA May 15, 2018. The DPA litigation chamber is the administrative litigation body. After investigation, the inspection service may refer the case to the litigation chamber. An appeal may be lodged against the decision before the Market Court, part of the Brussels Court of Appeal. Up until now, the DPA has published 13 decisions on the merits and four Court of Appeal decisions on its website.
DPA decision
A customer was asked for her identity card to get a loyalty card in a liquor store. She did not want to hand it over but replied that she was ready to provide the same information by filling in a paper form. The store refused her the loyalty card on that ground. The customer filed a complaint before the DPA Aug. 28, 2018. Based on the report of the inspection service, the litigation chamber issued its first fine against a private company for the infringement of Articles 5.1.c), 6.1, 13.1.e) and 13.2.a) of the EU General Data Protection Regulation. The amount of the fine was 10,000 euros.
Court of Appeal decision
The Brussels Court of Appeal held that the customer did not give her identity card and, consequently, there was no processing of her data. Therefore, according to the court, the DPA did not demonstrate an actual personal data breach.
Data minimization
According to Article 5.1.c) of the GDPR, personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimization). The court considered that there was not a single piece of evidence demonstrating that the customer's national register number was used to get a loyalty card. Therefore, a violation of the minimization principle could not be concluded either from the use of that number or from the use of the customer's birthdate or gender. The liquor store might have needed such information to check the age of the customer. The store was not obliged to provide the customer with an alternative to the use of their electronic identity card: such a requirement was not mandatory at the time of the alleged infringement. The court further underlined that a customer suffers no prejudice merely because they cannot get a loyalty card and therefore a discount. There is no prejudice when one possible extra benefit is lost. It would have been different if the reading of the electronic ID had been required to exercise a legal or contractual right.
Administrative fine
When deciding whether to impose an administrative fine and deciding on its amount, Article 83 of the GDPR requires the DPA to take several factors into account. These factors are, among others, the nature, gravity and duration of the infringement, as well as the number of data subjects affected and the level of damage suffered by them and the intentional or negligent character of the infringement.
The court held that the mere indication by the litigation chamber that the infringement involved a fundamental principle of data protection was not enough. The DPA should have assessed the nature and gravity of the infringements and the amount of the fine considering "all" elements of the case, including whether it was a one-off infringement and whether the infringement was intentional. In the absence of clear and public guidelines from the DPA on the scale of penalties, the court held that the choice of a financial fine of 10,000 euros instead of a smaller penalty was not sufficiently motivated. For these reasons, the criteria of effectiveness and proportionality under Article 83 of the GDPR were not met.
The new power of the DPA to impose administrative fines might explain the very strict approach of the Court of Appeal. New administrative and old judicial bodies are not exempt from competitive rivalry over new areas of jurisdiction. One might be surprised that the court stressed the lack of motivation and called for clear and public DPA guidelines on the scale of penalties, considering the reasonable amount of the fine in this case. Indeed, infringements of the basic principles of data protection, including Articles 5 and 6 of the GDPR, can be subject to administrative fines of up to 20,000,000 euros or up to 4% of total worldwide annual turnover. The strict level of judicial review will certainly encourage private companies to systematically lodge an appeal against DPA fines.