Court of Appeal of Brussels - 2022/AR/953: Difference between revisions

From GDPRhub
m (Kv33 moved page Hof van Beroep - 2022/1527 to Hof van Beroep - 2023/1527: Wrong year: 2022 ---> 2023)
No edit summary
Line 76: Line 76:
}}
}}


TBU
The Belgian Market Court annulled a previous decision of the Belgian DPA, which had fined a large media company €50,000 for multiple GDPR violations regarding cookies. This DPA decision was annulled by the court because the DPA's managment comittee had provided sufficient evidence in the referral to the DPA's investiagtion service.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
TBU
This ruling is the result by an appeal of a large media company (controller), which was fined €50.000 by the Belgian DPA. For the detailed summary of the facts of this DPA decision, s[https://www.gegevensbeschermingsautoriteit.be/publications/arrest-van-22-februari-2023-van-het-marktenhof-ar-953-beschikbaar-in-het-frans.pdf ee this link to the full decision](in French) and the link to a [[APD/GBA (Belgium) - 103/2022|detailed summary on GDPRHub]].
 
This decision of the Belgian DPA was the result of a larger investigation regarding the placement of cookies on Belgian media websites. The DPA’s management committee had instructed the DPA’s investigation service to start an investigation into the controller, pursuant to the procedure described in Article 63(1) LCA (Law establishing the Belgian DPA). This article allowed the management committee to ask the investigation service to start an investigation when there were "''serious indications''" of a practice that may give rise to an infringement of the fundamental principles of personal data protection
 
On 16 January 2019, the managment committee took the decision to instruct the investigation service to start an investigation into the controller. This decision was communicated to the investigation service on 8 February 2019. However, this decision itself did not containany specific arguments for the existence of "''serious evidence''". The term "''serious evidence''" did not even appear in the decision of the management committee.
 
The administrative file also contained an internal handwritten memo, which was drawn up on 7 March 2019.
 
DIFFERENCE BETWEEEN DECISION AND INTERNAL MEMO
 
In a response to allegations of the controller, the DPA stated that 'the high number of visitors to the website' was chosen as the first serious indication of a potential breach of data protection principles. The DPA also referred to a complaint it had received regarding the use of cookies on the RTBF website. The DPA also referred to the sites of of the 'mediahuis group' and their use of cookies.
 
After the investigation was concluded, the DPA issued a decision in which it determined the following violations:
 
''First,'' the controller violated [[Article 6 GDPR|Article 6(1)(a) GDPR]] by placing unnecessary cookies on its website without asking for consent first. These were in particular cookies placed by third party domains which were not proven to be strictly necessary.
 
''Second,'' the controller violated [[Article 4 GDPR|Articles 4(11)]], [[Article 6 GDPR|6(1)(a)]] and [[Article 7 GDPR|7(1) GDPR]] for the collection of consent using the so called "further browsing" technique. This means that data subjects would consent to receive cookies if they chose to further browse the controller’s website.
 
''Third'', the controller violated [[Article 6 GDPR|article 6(1)(a) GDPR]] again because of the deposit of unnecessary cookies, in this case, social networking and audience measurement cookies, before consent was obtained from data subjects;
 
''Fourth'', the controller violated articles [[Article 4 GDPR|4(11)]], [[Article 6 GDPR|6(1)(a)]] and [[Article 7 GDPR|7(1) GDPR]] because of the way the controller allowed data subjects to select third party “partners” to whom personal data was sent. The controller had set a selection screen to allow sharing with these partners by default.  
 
''Fifth'', the controller violated a[[Article 4 GDPR|rticles 4(11)]], [[Article 12 GDPR|12(1),]] [[Article 13 GDPR|13]] and [[Article 14 GDPR|14 GDPR]] because the controller only mentioned 13 partners in the cookie policy with whom it would sent personal data , whereas the partner selection screen accessible on the cookie banner only referred to some 500 such partners.
 
''Sixth'', the controller violated articles [[Article 12 GDPR|12(1)]], [[Article 13 GDPR|13]] and [[Article 14 GDPR|14 GDPR]], because the controller failed to prove that the mandatory information was provided in a sufficiently accessible manner and/or in the language of the data subjects at the time of the DPA’s inspection.
 
''Lastly'', the controller violated Article [[Article 7 GDPR|7(3) GDPR]] because the controller added new cookies on its website after data subjects had withdrawn their consent consent without a relevant justification. '''(8)'''
 
The controller appealed this decision because, according to the controller, the DPA did not present serious evidence in order to justify the violations and also stated that the initial referral of the DPA’s management committee to its inspection service was irregular. The controller stated that the subsequent procedure was therefore also invalid.
 
The controller appealed this decision at the Market Court in Brussels. It stated that -----> STATE REASONS FOR APPEAL


=== Holding ===
=== Holding ===
TBU
The court determined that it had full jurisdiction to annul and potentially adjust the annulled decision. '''(36)''' The court also determined that the subject matter of the appeal was the reversal of the entire DPA decision, and not the annulment of any procedural act by either the management committee or the inspection service.
 
The court investigated the documents in the administrative file and determined that the managment had take the decision to investigate the controller on 16 January 2019. This decision was the only refference to the investigation service which could fall under Article 63(1) LCA. This decision by the managment committee was therefore the assessed by the court.
 
<<STATE REASONS PART>>
 
The court stated that it was normally not within its power to assess the precence of "serious indications" of a potential infringement under Article 63(1) LCA, except in the case of a blatant disregard for the principles of good administration in this area, or a manifest error of assessment. The court was only allowed to a control of 'regularity and legallity'. This included a review to assess compliance with the requirement to state reasons.
 
The court concluded that this decision itself did in contain any specific arguments for the existence of "''serious evidence''". The term "''serious evidence''" did not even appear in the decision. The Court stated that any other documentation in the administrative file could not mitigate this fact since it was not part of the referral. This reulsted in a failure to state reasons for the decision to start an investigation.
 
The court stated that this failure to state reasons had consequences for the contested decision by the Belgian DPA.
 
 
 
In this case,


== Comment ==
== Comment ==

Revision as of 15:16, 28 March 2023

Hof van Beroep - 2022/1527
Courts logo1.png
Court: Hof van Beroep Brussel (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 4(11) GDPR
Article 6(1)(a) GDPR
Article 7(1) GDPR
Article 7(3) GDPR
Article 12(1) GDPR
Article 13 GDPR
Article 14 GDPR
Article 63(1) LCA
Decided: 22.02.2023
Published:
Parties: SA Rossel et Cie
National Case Number/Name: 2022/1527
European Case Law Identifier:
Appeal from: GBA
103/2022
Appeal to:
Original Language(s): French
Original Source: GBA (in French)
Initial Contributor: kv33

The Belgian Market Court annulled a previous decision of the Belgian DPA, which had fined a large media company €50,000 for multiple GDPR violations regarding cookies. This DPA decision was annulled by the court because the DPA's managment comittee had provided sufficient evidence in the referral to the DPA's investiagtion service.

English Summary

Facts

This ruling is the result by an appeal of a large media company (controller), which was fined €50.000 by the Belgian DPA. For the detailed summary of the facts of this DPA decision, see this link to the full decision(in French) and the link to a detailed summary on GDPRHub.

This decision of the Belgian DPA was the result of a larger investigation regarding the placement of cookies on Belgian media websites. The DPA’s management committee had instructed the DPA’s investigation service to start an investigation into the controller, pursuant to the procedure described in Article 63(1) LCA (Law establishing the Belgian DPA). This article allowed the management committee to ask the investigation service to start an investigation when there were "serious indications" of a practice that may give rise to an infringement of the fundamental principles of personal data protection

On 16 January 2019, the managment committee took the decision to instruct the investigation service to start an investigation into the controller. This decision was communicated to the investigation service on 8 February 2019. However, this decision itself did not containany specific arguments for the existence of "serious evidence". The term "serious evidence" did not even appear in the decision of the management committee.

The administrative file also contained an internal handwritten memo, which was drawn up on 7 March 2019.

DIFFERENCE BETWEEEN DECISION AND INTERNAL MEMO

In a response to allegations of the controller, the DPA stated that 'the high number of visitors to the website' was chosen as the first serious indication of a potential breach of data protection principles. The DPA also referred to a complaint it had received regarding the use of cookies on the RTBF website. The DPA also referred to the sites of of the 'mediahuis group' and their use of cookies.

After the investigation was concluded, the DPA issued a decision in which it determined the following violations:

First, the controller violated Article 6(1)(a) GDPR by placing unnecessary cookies on its website without asking for consent first. These were in particular cookies placed by third party domains which were not proven to be strictly necessary.

Second, the controller violated Articles 4(11), 6(1)(a) and 7(1) GDPR for the collection of consent using the so called "further browsing" technique. This means that data subjects would consent to receive cookies if they chose to further browse the controller’s website.

Third, the controller violated article 6(1)(a) GDPR again because of the deposit of unnecessary cookies, in this case, social networking and audience measurement cookies, before consent was obtained from data subjects;

Fourth, the controller violated articles 4(11), 6(1)(a) and 7(1) GDPR because of the way the controller allowed data subjects to select third party “partners” to whom personal data was sent. The controller had set a selection screen to allow sharing with these partners by default.  

Fifth, the controller violated articles 4(11), 12(1), 13 and 14 GDPR because the controller only mentioned 13 partners in the cookie policy with whom it would sent personal data , whereas the partner selection screen accessible on the cookie banner only referred to some 500 such partners.

Sixth, the controller violated articles 12(1), 13 and 14 GDPR, because the controller failed to prove that the mandatory information was provided in a sufficiently accessible manner and/or in the language of the data subjects at the time of the DPA’s inspection.

Lastly, the controller violated Article 7(3) GDPR because the controller added new cookies on its website after data subjects had withdrawn their consent consent without a relevant justification. (8)

The controller appealed this decision because, according to the controller, the DPA did not present serious evidence in order to justify the violations and also stated that the initial referral of the DPA’s management committee to its inspection service was irregular. The controller stated that the subsequent procedure was therefore also invalid.

The controller appealed this decision at the Market Court in Brussels. It stated that -----> STATE REASONS FOR APPEAL

Holding

The court determined that it had full jurisdiction to annul and potentially adjust the annulled decision. (36) The court also determined that the subject matter of the appeal was the reversal of the entire DPA decision, and not the annulment of any procedural act by either the management committee or the inspection service.

The court investigated the documents in the administrative file and determined that the managment had take the decision to investigate the controller on 16 January 2019. This decision was the only refference to the investigation service which could fall under Article 63(1) LCA. This decision by the managment committee was therefore the assessed by the court.

<<STATE REASONS PART>>

The court stated that it was normally not within its power to assess the precence of "serious indications" of a potential infringement under Article 63(1) LCA, except in the case of a blatant disregard for the principles of good administration in this area, or a manifest error of assessment. The court was only allowed to a control of 'regularity and legallity'. This included a review to assess compliance with the requirement to state reasons.

The court concluded that this decision itself did in contain any specific arguments for the existence of "serious evidence". The term "serious evidence" did not even appear in the decision. The Court stated that any other documentation in the administrative file could not mitigate this fact since it was not part of the referral. This reulsted in a failure to state reasons for the decision to start an investigation.

The court stated that this failure to state reasons had consequences for the contested decision by the Belgian DPA.


In this case,

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Brussels Court of Appeal -2022/AR/953 -p. 2





IN QUESTION:

SA Rossel et Cie (hereafter “Rosse!”), BCE 0403.537.816, whose registered office is located at
1000 Brussels, rue Royale 100,

Requesting Party,


Having as counsel Me Etienne Wéry, lawyer, whose firm is established in [...].

AGAINST:

The Data Protection Authority (hereinafter the "DPA"), BCE0694.679.950, located at 1000
Brussels, rue de laPresse35,


Opposing party

With the advice of My Evrard de Lophem, Grégoire Ryelandt and Clara Delbruyère,
lawyers, whose practice is established [...].

Having regard to the procedural documents and in particular





           the decision rendered by the Litigation Chamber of the Authority for the Protection of
           Data, June 16, 2022 (decision number: 103/2022, file number:
           DOS-2020-02998);


           Rosse's request! filed on July 13, 2022;

       -
           The schedule recorded at the introductory hearing of July 27, 2022;

                           °
           the conclusions n l of Rosse! filed November 30, 2022;


           the summary conclusions of the APD submitted on January 16, 2023;


              the records of exhibits filed by the parties;


Heard the advice of the parties Rossel and APD at the public hearing of January 25, 2023.




             rPAGE 01-00003160840-0 □□2- □□42- □1- □1-� 


                                                                ..J
             I