Court of Appeal of Brussels - 2022/AR/556: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 86: Line 86:
}}
}}


The Belgian Court of appeal of Brussels largely upheld a decision by the Belgian DPA to fine South Charleroi airport for several GDPR violations. In [https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-47-2022.pdf Decision 47/2022,] The DPA had fined the airport for using temperature scanners on the airport to discovering potential COVID-19 infections. However, the Court reduced the original fine because the DPA had insufficiently considered the factors of [[Article 83 GDPR]].   
The Belgian Court of appeal of Brussels upheld a decision by the Belgian DPA to fine South Charleroi airport for using temperature scanners on the airport to detect potential COVID-19 infections. However, the Court reduced the original fine.   


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
In its [https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_47/2022 decision 47/2022], the Belgian DPA (DPA) had determined that the Brussels South Charleroi Airport (controller) had violated several GDPR provisions, which resulted in a fine of €100,000. The controller had monitored passengers' temperature using thermal cameras between June and March 2021. All passengers with a temperature over 38°C were requested to have their temperature measured again by a medical service. Passengers who were suspected to be infected with COVID-19 after this second check, were asked to leave the airport and were not allowed to board their plane. For more information on this decision, see the original decision and the [https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_47/2022 GDPRhub summary]. In short, among other violations, the DPA determined that the controller processed health data without a legal basis. The DPA held that the protocol, which the controller used as its legal basis, was not legally binding.     
In its [https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_47/2022 decision 47/2022], the Belgian DPA (DPA) had determined that the Brussels South Charleroi Airport (controller) had violated several GDPR provisions, which resulted in a fine of €100,000. The controller had monitored passengers' temperature using thermal cameras in order to detect COVID 19 infections. For more information, see the [https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_47/2022 GDPRhub summary]. In short, among other violations, the DPA determined that the controller processed health data without a legal basis. The DPA held that the protocol, which the controller used as its legal basis, was not legally binding.     


The controller appealed the decision on several grounds at the Brussels Court of Appeal in this case, the first instance court. Among other grounds, the controller held that the DPA was not independent in its decision making and had not been impartial. The controller based these arguments on several national news reports. According to the controller, these reports showed that the DPA had not been impartial from the very beginning of the investigation. The controllers critisism was not targeted towards the DPA as a whole, but towards the legality of the appointment of certain external members of the knowledge centre. '''(21)'''   
The controller appealed the decision on several grounds at the Brussels Court of Appeal in this case. Among other grounds, the controller held that the DPA was not independent in its decision making and had not been impartial. The controller also claimed that the DPA had abused its powers. According to the controller, the DPA had stated continiously in the press that the controller did not have a legal basis for its use of thermal cameras. However, the DPA did not issue any opinion of give recommendations to the controller so that it could improve its processing. The controller stated that it would have followed the instructions of the DPA if it had been given propper guidance and if the DPA had taken a clear position. The controller had also requested the anonymisation of the decision. Despite this, the decision was published without redactions alongside a press release. According to the controller, the choice to publish an not anonymised decision and to do a press report constituted a misue of power by the DPA.  


The controller also claimed that the DPA had abused its powers. According to the controller, the DPA had stated continiously in the press that the controller did not have a legal basis for its use of thermal cameras. However, the DPA did not issue any opinion of give recommendations to the controller so that it could improve its processing. The controller stated that it would have followed the instructions of the DPA if it had been given propper guidance and if the DPA had taken a clear position. The controller had also requested the anonymization of the decision, which was not accepted by the DPA. The decision was published without redactions and the DPA also published a press release. According to the controller, the choice not to anonymise the decision constituted a misue of power by the DPA. '''(22)'''   
The controller also argued that the DPA did not properly apply the criteria described in [[Article 83 GDPR]] for determining the fine and had not consulted the EDPB Guidelines regarding [[Article 83 GDPR]].    
 
The controller also argued that the fine in the original decision was not adequately reasoned, nor was the fine proportionate. The controller had argued that the DPA did not properly apply the criteria described in [[Article 83 GDPR]] and had not consulted the EDPB Guidelines regarding [[Article 83 GDPR]] in order to determine the amount of the fine.    


The controller also claimed, contrary to the original decision by the DPA, that it did have a legal basis for its processing of health data. In its submissions, the controller cited several national ministerial orders, which all contained a reference to specific legal protocol that, according to the controller, was legally binding. Therefore, it could use this protocol as a legal basis for its processing.     
The controller also claimed, contrary to the original decision by the DPA, that it did have a legal basis for its processing of health data. In its submissions, the controller cited several national ministerial orders, which all contained a reference to specific legal protocol that, according to the controller, was legally binding. Therefore, it could use this protocol as a legal basis for its processing.     
=== Holding ===
=== Holding ===
The Court first confirmed that it had the jurisdiction to annul or to reform the contested decision by the DPA. '''(19)''' '''(paragraph 14.3.1)''' Contrary to what the controller had argued, there was also no lack of independence or impartiality at the side of the DPA. The court stated that the specific external members, who were criticised by the controller, were not at any point involved in the litigation chain of the Belgian DPA.  The Court also stated that it did not have jurisdiction regarding the appointment of members of the DPA. The court determined that the impartiality-argument of the controller was unfounded since no specific complaint had been raised. The controller also did not provide any concrete evidence to support its argument. '''(21-22)'''   
The court considered that it had full jurisdiction to review the decision of the DPA. Under the full review as per Article 47 of the Charter and [[Article 78 GDPR]], the Court could substitute its views to the one of the DPA, to the extent that all elements and arguments were raised and discussed before the Court. The court determined that the impartiality-argument of the controller was unfounded since no specific complaint had been raised. The controller also did not provide any concrete evidence to support its argument.  
 
The DPA did not commit an abuse its powers when deciding to publish the decision in a non-anonymous manner. It specifically mentioned that the decision to publish the decision was well reasoned by the DPA, which had the discretionary power to decide on this issue. The Court deemed the other controllers' arguments to be 'obscure' and decided not to examine the other arguments relating to this issue any further.  


The court also determined that the DPA did not abuse its powers. According to the controller, the misue of powers was apparent from the DPA's choice to publish the decision in a non-anonymous manner. The controller also provided other indications of the DPA's misue of powers, but the Court deemed the controllers arguments to be 'obscure' and decided not to examine the other arguments relating to this issue any further. It specifically mentioned that the decision to publish the decision was well reasoned by the DPA, which had the discretionary power to decide on this issue. '''(24-25)'''  
The court also confirmed that the 'protocol' signed between the airport and the minister in charge invoked by the controller as a legal basis was not legally binding. This protocol only stated that Airports had the choice to carry out temperature checks. The DPA also emphasised that the 'European centre for disease Prevention and control' (ECDC) and the 'European Aviation Safety Authority' (EASA) were not recommending these temperature checks at airports due to the lack of scientific justification for this measure. Besides, the mere fact that a Royal Decree was referring to such a protocol did not make it binding and an appropriate legal basis.   


The court also confirmed that the protocol invoked by the controller as a legal basis was not legally binding. This protocol only stated that Airports had the ''<u>choice</u>'' to carry out temperature checks. The DPA also emphasised that the European centre for disease Prevention and control (ECDC) and the European Aviation Safety Authority (EASA) were not recommending these temperature checks at airports due to the lack of scientific justification for this measure. Therefore, this protocol could not have been used as a legal basis by the controller. '''(31)'''
The Court reduced the amount of the fine. In particular, the court stated that the DPA should have paid more attention to the following factors:


'''LAST TWO PARAGRAPHS OF 18.3.3. ??'''
* The controller had introduced the temperature checks in exceptional circumstances and had also announced its plans to the relevant authorities.
* The controller had fully cooperated with the DPAs during the procedure
* The controller had not profited economically from these temperature checks. The sole purpose of the temperature checks was to support public health.


'''18.3.4. LEFT OUT''' 
Therefore, the Court stated that it had to reform the original DPA decision and reduce the original fine to €25,000, which was the only change the Court ended up making to the original decision.


Despite all the rejected grounds of appeal, the court agreed with the controller that the DPA should have paid more attention to the aspects of [[Article 83 GDPR]] in order to determine the amount of the fine. In particular, the court stated that the DPA should have paid more attention to the following factors: The controller had introduced the temperature checks in <u>good faith</u> and had also announced its plans to the relevant authorities. The controller had not in any way conducted these checks for <u>commercial reasons</u>. The court also considered that the controller had <u>fully cooperated</u> with the DPA during the procedure and also stated  that the controller <u>had not profited economically</u> from these temperature checks. Lastly, the court considered the sole purpose of the temperature checks, <u>which was to support public health</u>. Given the <u>exceptional circumstances of the pandemic</u>, the Court stated that it had to reform the original DPA decision and reduce the original fine to €25,000, which was the only change the Court ended up making to the original decision. '''(32 - 33)''' 
== Comment ==
== Comment ==
Similar temperature checks were performed at Brussels Airport. This was the subject of a separate (Dutch) decision of the DPA ([https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_48/2022 48/2022)], also issued on 4 April 2022 and appealed at the [https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_2022/AR/560_%26_2022/AR/564 Market Court (2022/AR/560 & 2022/AR/564)]. Both the [https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_48/2022 decision of the DPA] and the [https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_2022/AR/560_%26_2022/AR/564 decision of the Market Court] are summarised on the GDPRhub.
Similar temperature checks were performed at Brussels Airport. This was the subject of a separate (Dutch) decision of the DPA ([https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_48/2022 48/2022)], also issued on 4 April 2022 and appealed at the [https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_2022/AR/560_%26_2022/AR/564 Market Court (2022/AR/560 & 2022/AR/564)]. Both the [https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_48/2022 decision of the DPA] and the [https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_2022/AR/560_%26_2022/AR/564 decision of the Market Court] are summarised on the GDPRhub.

Revision as of 10:57, 24 January 2023

Court of Appeal of Brussels (Belgium) - 2022/AR/556
Courts logo1.png
Court: Court of Appeal of Brussels (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(a) GDPR
Article 6(1)(c) GDPR
Article 6(3) GDPR
Article 9(2)(i) GDPR
Article 12(1) GDPR
Article 13(1)(c) GDPR
Article 13(2)(a) GDPR
Article 13(2)(d) GDPR
Article 13(2)(e) GDPR
Article 30(1) GDPR
Article 30(1)(d) GDPR
Article 35(1) GDPR
Article 35(7) GDPR
Decided: 07.12.2022
Published: 09.01.2023
Parties:
National Case Number/Name: 2022/AR/556
European Case Law Identifier:
Appeal from: APD/GBA (Belgium)
47/2022
Appeal to:
Original Language(s): French
Original Source: GBA (in French)
Initial Contributor: n/a

The Belgian Court of appeal of Brussels upheld a decision by the Belgian DPA to fine South Charleroi airport for using temperature scanners on the airport to detect potential COVID-19 infections. However, the Court reduced the original fine.

English Summary

Facts

In its decision 47/2022, the Belgian DPA (DPA) had determined that the Brussels South Charleroi Airport (controller) had violated several GDPR provisions, which resulted in a fine of €100,000. The controller had monitored passengers' temperature using thermal cameras in order to detect COVID 19 infections. For more information, see the GDPRhub summary. In short, among other violations, the DPA determined that the controller processed health data without a legal basis. The DPA held that the protocol, which the controller used as its legal basis, was not legally binding.

The controller appealed the decision on several grounds at the Brussels Court of Appeal in this case. Among other grounds, the controller held that the DPA was not independent in its decision making and had not been impartial. The controller also claimed that the DPA had abused its powers. According to the controller, the DPA had stated continiously in the press that the controller did not have a legal basis for its use of thermal cameras. However, the DPA did not issue any opinion of give recommendations to the controller so that it could improve its processing. The controller stated that it would have followed the instructions of the DPA if it had been given propper guidance and if the DPA had taken a clear position. The controller had also requested the anonymisation of the decision. Despite this, the decision was published without redactions alongside a press release. According to the controller, the choice to publish an not anonymised decision and to do a press report constituted a misue of power by the DPA.

The controller also argued that the DPA did not properly apply the criteria described in Article 83 GDPR for determining the fine and had not consulted the EDPB Guidelines regarding Article 83 GDPR.

The controller also claimed, contrary to the original decision by the DPA, that it did have a legal basis for its processing of health data. In its submissions, the controller cited several national ministerial orders, which all contained a reference to specific legal protocol that, according to the controller, was legally binding. Therefore, it could use this protocol as a legal basis for its processing.

Holding

The court considered that it had full jurisdiction to review the decision of the DPA. Under the full review as per Article 47 of the Charter and Article 78 GDPR, the Court could substitute its views to the one of the DPA, to the extent that all elements and arguments were raised and discussed before the Court. The court determined that the impartiality-argument of the controller was unfounded since no specific complaint had been raised. The controller also did not provide any concrete evidence to support its argument.

The DPA did not commit an abuse its powers when deciding to publish the decision in a non-anonymous manner. It specifically mentioned that the decision to publish the decision was well reasoned by the DPA, which had the discretionary power to decide on this issue. The Court deemed the other controllers' arguments to be 'obscure' and decided not to examine the other arguments relating to this issue any further.

The court also confirmed that the 'protocol' signed between the airport and the minister in charge invoked by the controller as a legal basis was not legally binding. This protocol only stated that Airports had the choice to carry out temperature checks. The DPA also emphasised that the 'European centre for disease Prevention and control' (ECDC) and the 'European Aviation Safety Authority' (EASA) were not recommending these temperature checks at airports due to the lack of scientific justification for this measure. Besides, the mere fact that a Royal Decree was referring to such a protocol did not make it binding and an appropriate legal basis.

The Court reduced the amount of the fine. In particular, the court stated that the DPA should have paid more attention to the following factors:

  • The controller had introduced the temperature checks in exceptional circumstances and had also announced its plans to the relevant authorities.
  • The controller had fully cooperated with the DPAs during the procedure
  • The controller had not profited economically from these temperature checks. The sole purpose of the temperature checks was to support public health.

Therefore, the Court stated that it had to reform the original DPA decision and reduce the original fine to €25,000, which was the only change the Court ended up making to the original decision.

Comment

Similar temperature checks were performed at Brussels Airport. This was the subject of a separate (Dutch) decision of the DPA (48/2022), also issued on 4 April 2022 and appealed at the Market Court (2022/AR/560 & 2022/AR/564). Both the decision of the DPA and the decision of the Market Court are summarised on the GDPRhub.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Brussels Court of Appeal -2022/AR/556 p. 2





IN REASON OF:


The SOCIÉTÉ ANONYME BRUSSELS SOUTH CHARLEROI AIRPORT (ei-after “CHARLEROI
AIRPORT"), whose registered office is located at rue des Frères Wright 8, 6041 Charleroi, registered with the
Crossroads Bank for Enterprises at number 0444.556.344,


Applicant port,

Having as counsel, Me Frédéric DECHAMPS, Lawyer at the Brussels Bar, whose Iecabine is located
[...] .


AGAINST:

THE DATA PROTECTION AUTHORITY, whose registered office is located at rue de la presse 35, at 1000
Brussels, registered with the Banque Carrefour des Entreprises at number 0694.67 9.950, represented by
Chairman of its Management Committee,


Portie opposite,

Having as counsel My Evrard de Lophem, Grégoire Ryelandt and Clara Delbruyère, lawyers, including
office is located [...]..




Having regard to the pleadings and in particular:

           decision 47/2022 of April 4, 2022 of the Litigation Chamber of the Authority of
           Data Protection (hereafter "the Impugned Decision");


           the motion filed by the court registry on May 3, 2022;



           The timetable for the exchange of submissions recorded by the Court at the introductory hearing of 18
           May 2022;

           the conclusions of CHARLEROI AIRPORT of September 28, 2022;


           the summary conclusions of the DPA of October 26, 2022;


           the records of exhibits filed by the parties;




              r PAGE 01- □0□□ 3026574- □□□ 2-□□ 34-□6- □1- ;i



              L_J