Court of Appeal of Brussels - 2022/AR/556: Difference between revisions
Revision as of 11:09, 24 January 2023
Court of Appeal of Brussels (Belgium) - 2022/AR/556 | |
---|---|
Court: | Court of Appeal of Brussels (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(b) GDPR, Article 5(1)(a) GDPR, Article 6(1)(c) GDPR, Article 6(3) GDPR, Article 9(2)(i) GDPR, Article 12(1) GDPR, Article 13(1)(c) GDPR, Article 13(2)(a) GDPR, Article 13(2)(d) GDPR, Article 13(2)(e) GDPR, Article 30(1) GDPR, Article 30(1)(d) GDPR, Article 35(1) GDPR, Article 35(7) GDPR |
Decided: | 07.12.2022 |
Published: | 09.01.2023 |
Parties: | |
National Case Number/Name: | 2022/AR/556 |
European Case Law Identifier: | |
Appeal from: | APD/GBA (Belgium) 47/2022 |
Appeal to: | |
Original Language(s): | French |
Original Source: | GBA (in French) |
Initial Contributor: | n/a |
The Brussels Court of Appeal upheld a decision by the Belgian DPA to fine South Charleroi airport for using temperature scanners at the airport to detect potential COVID-19 infections. However, the Court reduced the original fine.
English Summary
Facts
In its decision 47/2022, the Belgian DPA (DPA) had determined that the Brussels South Charleroi Airport (controller) had violated several GDPR provisions, which resulted in a fine of €100,000. The controller had monitored passengers' temperature using thermal cameras in order to detect COVID-19 infections. For more information, see the GDPRhub summary. In short, among other violations, the DPA determined that the controller processed health data without a legal basis. The DPA held that the protocol, which the controller used as its legal basis, was not legally binding.
The controller appealed the decision on several grounds at the Brussels Court of Appeal in this case. Among other grounds, the controller held that the DPA was not independent in its decision making and had not been impartial. The controller also claimed that the DPA had abused its powers. According to the controller, the DPA had stated continuously in the press that the controller did not have a legal basis for its use of thermal cameras. However, the DPA did not issue any opinion or give recommendations to the controller so that it could improve its processing. The controller stated that it would have followed the instructions of the DPA if it had been given proper guidance and if the DPA had taken a clear position. The controller had also requested the anonymisation of the decision. Despite this, the decision was published alongside a press release. According to the controller, the choice to publish a non-anonymised decision and to issue a press release constituted a misuse of power by the DPA. The controller also argued that the DPA did not properly apply the criteria described in Article 83 GDPR for determining the fine and had not consulted the EDPB Guidelines regarding Article 83 GDPR.
The controller also claimed, contrary to the original decision by the DPA, that it did have a legal basis for its processing of health data. In its submissions, the controller cited several national ministerial orders, which all contained a reference to a specific legal protocol that, according to the controller, was legally binding. Therefore, it could use this protocol as a legal basis for its processing.
Holding
The Court considered that it had full jurisdiction to review the decision of the DPA. Under the full review as per Article 47 of the Charter and Article 78 GDPR, the Court could substitute its own view for that of the DPA, to the extent that all elements and arguments were raised and discussed before the Court. The Court determined that the impartiality argument of the controller was unfounded.
The controller also did not provide any concrete evidence to support its argument.
The DPA did not commit an abuse of its powers when deciding to publish the decision in a non-anonymous manner. The Court specifically mentioned that the decision to publish was well reasoned by the DPA, which had the discretionary power to decide on this issue. The Court deemed the controller's other arguments to be 'obscure' and decided not to examine the other arguments relating to this issue any further.
The Court also confirmed that the 'protocol' signed between the airport and the minister in charge, invoked by the controller as a legal basis, was not legally binding. This protocol only stated that airports had the choice to carry out temperature checks. The DPA also emphasised that the 'European Centre for Disease Prevention and Control' (ECDC) and the 'European Aviation Safety Authority' (EASA) were not recommending these temperature checks at airports due to the lack of scientific justification for this measure. Besides, the mere fact that a Royal Decree was referring to such a protocol did not make it binding or an appropriate legal basis.
The Court reduced the amount of the fine. In particular, the court stated that the DPA should have paid more attention to the following factors:
- The controller had introduced the temperature checks in exceptional circumstances and had also announced its plans to the relevant authorities.
- The controller had fully cooperated with the DPA during the procedure.
- The controller had not profited economically from these temperature checks. The sole purpose of the temperature checks was to support public health.
Therefore, the Court stated that it had to reform the original DPA decision and reduce the original fine to €25,000, which was the only change the Court ended up making to the original decision.
Comment
Similar temperature checks were performed at Brussels Airport. This was the subject of a separate (Dutch) decision of the DPA (48/2022), also issued on 4 April 2022 and appealed at the Market Court (2022/AR/560 & 2022/AR/564). Both the decision of the DPA and the decision of the Market Court are summarised on the GDPRhub.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Brussels Court of Appeal - 2022/AR/556

IN THE CASE OF:

The SOCIÉTÉ ANONYME BRUSSELS SOUTH CHARLEROI AIRPORT (hereinafter "CHARLEROI AIRPORT"), whose registered office is located at rue des Frères Wright 8, 6041 Charleroi, registered with the Crossroads Bank for Enterprises at number 0444.556.344,

Applicant party,

Having as counsel Me Frédéric DECHAMPS, lawyer at the Brussels Bar, whose office is located [...].

AGAINST:

THE DATA PROTECTION AUTHORITY, whose registered office is located at rue de la Presse 35, 1000 Brussels, registered with the Crossroads Bank for Enterprises at number 0694.679.950, represented by the Chairman of its Management Committee,

Opposing party,

Having as counsel Me Evrard de Lophem, Me Grégoire Ryelandt and Me Clara Delbruyère, lawyers, whose office is located [...].

Having regard to the pleadings and in particular:
- decision 47/2022 of April 4, 2022 of the Litigation Chamber of the Data Protection Authority (hereafter "the Impugned Decision");
- the motion filed by the court registry on May 3, 2022;
- the timetable for the exchange of submissions recorded by the Court at the introductory hearing of 18 May 2022;
- the conclusions of CHARLEROI AIRPORT of September 28, 2022;
- the summary conclusions of the DPA of October 26, 2022;
- the records of exhibits filed by the parties;