Court of Appeal of Brussels - 2022/AR/556: Difference between revisions

From GDPRhub
No edit summary
(Rewriten Facts and added parts to the holding - also changed layout)
Line 91: Line 91:


=== Facts ===
=== Facts ===
In its [https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_47/2022 decision 47/2022], the Belgian DPA (DPA) had determined that the Brussels South Charleroi Airport (controller) had violated several GDPR provisions, which resulted in a fine of €100,000. The controller had monitored passengers' temperature using thermal cameras in order to detect COVID 19 infections. For more information, see the [https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_47/2022 GDPRhub summary]. In short, among other violations, the DPA determined that the controller processed health data without a legal basis.   
On 4 April 2022, the Belgian DPA issued [https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-47-2022.pdf decision 47/2022], in which it fined Charleroi Airport €100,000 for the use of thermal cameras and temperature checks for COVID-19 detection purposes. The DPA held that the controller lacked a lawful ground for processing these special category data, see the [https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_47/2022 GDPRhub summary].    


The controller appealed the decision on several grounds at the Brussels Court of Appeal. Among other grounds, the controller held that the DPA was not independent in its decision making and had not been impartial.
The controller appealed this decision with the Market Court. The controller questioned the impartiality of the DPA by referring to several reports in the national press. These reports showed an appearance of partiality according to the controller, which was enough to call the decisions of the DPA into question. The nature of these news reports were not specified in the ruling.  


The controller also claimed that the DPA had abused its powers. According to the controller, the DPA had stated multiple times in the press that the controller did not have a legal basis for its use of thermal cameras. However, the DPA did not issue any opinion of give recommendations to the controller so that it could improve its processing. The controller stated that it would have followed the instructions of the DPA if it had been given proper guidance and if the DPA had taken a clear position. The controller had also requested the anonymization of the decision. Despite this, the decision was published alongside a press release. According to the controller, the choice to publish a not anonymised decision and to do a press report constituted a misuse of power by the DPA.
The controller further argued that the DPA had misued its powers. According to the controller, the DPA had stated multiple times in the press that the controller did not have a legal basis for its use of thermal cameras. However, the DPA did not issue any opinion of give recommendations to the controller so that it could improve its processing. The controller stated that it would have followed the instructions of the DPA if the DPA had taken a clear position regarding the legality of the controller's processing. The controller had also requested the anonymization of the decision. Despite this, the decision was published alongside a press report. According to the controller, the choice to publish a non-anonymised decision and to publish press report alongside it constituted a misuse of power by the DPA.  


The controller also argued that the DPA did not properly apply the criteria described in [[Article 83 GDPR]] for determining the fine and had not consulted the EDPB Guidelines regarding [[Article 83 GDPR]].
The controller also stated that the controller had misued its powers with regard to the determination of the fine imposed on the controller.  


The controller also claimed, contrary to the original decision by the DPA, that it did have a legal basis for its processing of health data. In its submissions, the controller cited several national ministerial orders, which all contained a reference to specific legal protocol that, according to the controller, was legally binding. Therefore, it could use this protocol as a legal basis for its processing.  
The controller also argued that the DPA did not properly apply the criteria described in [[Article 83 GDPR]] for determining the fine and had not consulted the EDPB Guidelines regarding [[Article 83 GDPR]] ([https://edpb.europa.eu/system/files/2022-05/edpb_guidelines_042022_calculationofadministrativefines_en.pdf Guidelines 04/2022]). 
 
The controller also stated that it did have a legal basis for its processing of health data. In its submissions, the controller cited several national ministerial orders, which all contained a reference to specific legal protocol that, according to the controller, was legally binding. Therefore, it could use this protocol as a legal basis for its processing.  
=== Holding ===
=== Holding ===
The court considered that it had full jurisdiction to review the decision of the DPA. Under the full review as per Article 47 of the Charter and [[Article 78 GDPR]], the Court could substitute its views to the one of the DPA, to the extent that all elements and arguments were raised and discussed before the Court.     
The court considered that it had full jurisdiction to review the contested decision of the DPA. Under the full review pursuant of Article 47 CFR and [[Article 78 GDPR]], the Court could substitute its views to the ones of the DPA, to the extent that all elements and arguments were raised and discussed before the Court.     


The Court noted that it was for the Parliament to decide on the appointment of external members. The court determined that the impartiality-argument of the controller was unfounded since no specific argument had been raised that could affect the regularity of the decision and could lead to annulment.     
The Court then went on to consider the grounds op appeal of the controller.     
 
First, with regard to the impartiality, the Court noted that the controller's criticism was primarily pointed to the legality of the appointment of certain external members. It was for the Parliament to decide on the appointment of external members. The Court determined that the impartiality-argument of the controller was unfounded since no specific argument had been raised that could affect the regularity of the decision and could lead to annulment.     


The controller also did not provide any concrete evidence to support its argument.   
The controller also did not provide any concrete evidence to support its argument.   


The DPA did not commit an abuse of its powers when deciding to publish the decision in a non-anonymous manner. It specifically mentioned that the decision to publish the decision was well reasoned by the DPA, which had the discretionary power to decide on this issue. The Court deemed the other controllers' arguments to be 'obscure' and decided not to examine the other arguments relating to this issue any further.   
Second, the DPA did not commit an abuse of its powers when deciding to publish the decision in a non-anonymous manner. It specifically mentioned that the decision to publish the decision was well reasoned by the DPA, which had the discretionary power to decide on this issue. The Court deemed the other controllers' arguments to be 'obscure' and decided not to examine the other arguments relating to this issue any further
 
The Court also determined that the DPA had not misused its powers with regard to the determination of the fine. The Court reminded that this can only be the case when a public authority used its power, meant to serve the public interest, for another purpose. The unauthorised purpose must moreover be the sole purpose of the contested act. Since the controller didn’t demonstrate that the DPA pursued an objective other than the enforcement of the right to data protection, this plea was also unfounded.   


The court also confirmed that the 'protocol' signed between the airport and the minister in charge invoked by the controller as a legal basis was not legally binding. This protocol only stated that Airports had the choice to carry out temperature checks. The DPA also emphasised that the 'European centre for disease Prevention and control' (ECDC) and the 'European Aviation Safety Authority' (EASA) were not recommending these temperature checks at airports due to the lack of scientific justification for this measure. Besides, the mere fact that a Royal Decree was referring to such a protocol did not make it binding and an appropriate legal basis.   
Third, the Court also confirmed that the 'protocol' signed between the airport and the minister in charge invoked by the controller as a legal basis was not legally binding. The DPA had come to the same conclusion in the contested decision. This protocol only stated that Airports had the choice to carry out temperature checks. The Court also emphasised that the 'European centre for disease Prevention and control' (ECDC) and the 'European Aviation Safety Authority' (EASA) were not recommending these temperature checks at airports due to the lack of scientific justification for this measure. Besides, the mere fact that a Ministerial order/Royal Decree was referring to such a protocol did not make it binding and an appropriate legal basis.   


The Court reduced the amount of the fine. In particular, the court stated that the DPA should have paid more attention to the following factors:
The Court reduced the amount of the fine. In particular, the court stated that the DPA should have paid more attention to the following factors:


* The controller had introduced the temperature checks in exceptional circumstances and had also announced its plans to the relevant authorities.
* The controller had introduced the temperature checks in exceptional circumstances (the pandemic) and had also announced its plans to the relevant authorities.
* The controller had fully cooperated with the DPA during the procedure
* The controller had fully cooperated with the DPA during the procedure
* The controller had not profited economically from these temperature checks.  The sole purpose of the temperature checks was to support public health.
* The controller had not profited economically from these temperature checks.  The sole purpose of the temperature checks was to support public health.

Revision as of 10:47, 25 January 2023

Court of Appeal of Brussels (Belgium) - 2022/AR/556
Courts logo1.png
Court: Court of Appeal of Brussels (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(a) GDPR
Article 6(1)(c) GDPR
Article 6(3) GDPR
Article 9(2)(i) GDPR
Article 12(1) GDPR
Article 13(1)(c) GDPR
Article 13(2)(a) GDPR
Article 13(2)(d) GDPR
Article 13(2)(e) GDPR
Article 30(1) GDPR
Article 30(1)(d) GDPR
Article 35(1) GDPR
Article 35(7) GDPR
Decided: 07.12.2022
Published: 09.01.2023
Parties:
National Case Number/Name: 2022/AR/556
European Case Law Identifier:
Appeal from: APD/GBA (Belgium)
47/2022
Appeal to:
Original Language(s): French
Original Source: GBA (in French)
Initial Contributor: n/a

The Belgian Court of appeal of Brussels upheld a decision by the Belgian DPA to fine Charleroi airport for using temperature scanners at the airport to detect potential COVID-19 infections without a legal basis. However, the Court reduced the original fine.

English Summary

Facts

On 4 April 2022, the Belgian DPA issued decision 47/2022, in which it fined Charleroi Airport €100,000 for the use of thermal cameras and temperature checks for COVID-19 detection purposes. The DPA held that the controller lacked a lawful ground for processing these special category data, see the GDPRhub summary.

The controller appealed this decision with the Market Court. The controller questioned the impartiality of the DPA by referring to several reports in the national press. These reports showed an appearance of partiality according to the controller, which was enough to call the decisions of the DPA into question. The nature of these news reports were not specified in the ruling.

The controller further argued that the DPA had misued its powers. According to the controller, the DPA had stated multiple times in the press that the controller did not have a legal basis for its use of thermal cameras. However, the DPA did not issue any opinion of give recommendations to the controller so that it could improve its processing. The controller stated that it would have followed the instructions of the DPA if the DPA had taken a clear position regarding the legality of the controller's processing. The controller had also requested the anonymization of the decision. Despite this, the decision was published alongside a press report. According to the controller, the choice to publish a non-anonymised decision and to publish press report alongside it constituted a misuse of power by the DPA.

The controller also stated that the controller had misued its powers with regard to the determination of the fine imposed on the controller.

The controller also argued that the DPA did not properly apply the criteria described in Article 83 GDPR for determining the fine and had not consulted the EDPB Guidelines regarding Article 83 GDPR (Guidelines 04/2022).

The controller also stated that it did have a legal basis for its processing of health data. In its submissions, the controller cited several national ministerial orders, which all contained a reference to specific legal protocol that, according to the controller, was legally binding. Therefore, it could use this protocol as a legal basis for its processing.

Holding

The court considered that it had full jurisdiction to review the contested decision of the DPA. Under the full review pursuant of Article 47 CFR and Article 78 GDPR, the Court could substitute its views to the ones of the DPA, to the extent that all elements and arguments were raised and discussed before the Court.

The Court then went on to consider the grounds op appeal of the controller.

First, with regard to the impartiality, the Court noted that the controller's criticism was primarily pointed to the legality of the appointment of certain external members. It was for the Parliament to decide on the appointment of external members. The Court determined that the impartiality-argument of the controller was unfounded since no specific argument had been raised that could affect the regularity of the decision and could lead to annulment.

The controller also did not provide any concrete evidence to support its argument.

Second, the DPA did not commit an abuse of its powers when deciding to publish the decision in a non-anonymous manner. It specifically mentioned that the decision to publish the decision was well reasoned by the DPA, which had the discretionary power to decide on this issue. The Court deemed the other controllers' arguments to be 'obscure' and decided not to examine the other arguments relating to this issue any further.

The Court also determined that the DPA had not misused its powers with regard to the determination of the fine. The Court reminded that this can only be the case when a public authority used its power, meant to serve the public interest, for another purpose. The unauthorised purpose must moreover be the sole purpose of the contested act. Since the controller didn’t demonstrate that the DPA pursued an objective other than the enforcement of the right to data protection, this plea was also unfounded.

Third, the Court also confirmed that the 'protocol' signed between the airport and the minister in charge invoked by the controller as a legal basis was not legally binding. The DPA had come to the same conclusion in the contested decision. This protocol only stated that Airports had the choice to carry out temperature checks. The Court also emphasised that the 'European centre for disease Prevention and control' (ECDC) and the 'European Aviation Safety Authority' (EASA) were not recommending these temperature checks at airports due to the lack of scientific justification for this measure. Besides, the mere fact that a Ministerial order/Royal Decree was referring to such a protocol did not make it binding and an appropriate legal basis.

The Court reduced the amount of the fine. In particular, the court stated that the DPA should have paid more attention to the following factors:

  • The controller had introduced the temperature checks in exceptional circumstances (the pandemic) and had also announced its plans to the relevant authorities.
  • The controller had fully cooperated with the DPA during the procedure
  • The controller had not profited economically from these temperature checks. The sole purpose of the temperature checks was to support public health.

Therefore, the Court stated that it had to reform the original DPA decision and reduce the original fine to €25,000, which was the only change the Court ended up making to the original decision.

Comment

Similar temperature checks were performed at Brussels Airport. This was the subject of a separate (Dutch) decision of the DPA (48/2022), also issued on 4 April 2022 and appealed at the Market Court (2022/AR/560 & 2022/AR/564). Both the decision of the DPA and the decision of the Market Court are summarised on the GDPRhub.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Brussels Court of Appeal -2022/AR/556 p. 2





IN REASON OF:


The SOCIÉTÉ ANONYME BRUSSELS SOUTH CHARLEROI AIRPORT (ei-after “CHARLEROI
AIRPORT"), whose registered office is located at rue des Frères Wright 8, 6041 Charleroi, registered with the
Crossroads Bank for Enterprises at number 0444.556.344,


Applicant port,

Having as counsel, Me Frédéric DECHAMPS, Lawyer at the Brussels Bar, whose Iecabine is located
[...] .


AGAINST:

THE DATA PROTECTION AUTHORITY, whose registered office is located at rue de la presse 35, at 1000
Brussels, registered with the Banque Carrefour des Entreprises at number 0694.67 9.950, represented by
Chairman of its Management Committee,


Portie opposite,

Having as counsel My Evrard de Lophem, Grégoire Ryelandt and Clara Delbruyère, lawyers, including
office is located [...]..




Having regard to the pleadings and in particular:

           decision 47/2022 of April 4, 2022 of the Litigation Chamber of the Authority of
           Data Protection (hereafter "the Impugned Decision");


           the motion filed by the court registry on May 3, 2022;



           The timetable for the exchange of submissions recorded by the Court at the introductory hearing of 18
           May 2022;

           the conclusions of CHARLEROI AIRPORT of September 28, 2022;


           the summary conclusions of the DPA of October 26, 2022;


           the records of exhibits filed by the parties;




              r PAGE 01- □0□□ 3026574- □□□ 2-□□ 34-□6- □1- ;i



              L_J