Court of Appeal of Brussels - 2022/AR/556: Difference between revisions
(Rewriten Facts and added parts to the holding - also changed layout) |
No edit summary |
||
Line 101: | Line 101: | ||
The controller also argued that the DPA did not properly apply the criteria described in [[Article 83 GDPR]] for determining the fine and had not consulted the EDPB Guidelines regarding [[Article 83 GDPR]] ([https://edpb.europa.eu/system/files/2022-05/edpb_guidelines_042022_calculationofadministrativefines_en.pdf Guidelines 04/2022]). | The controller also argued that the DPA did not properly apply the criteria described in [[Article 83 GDPR]] for determining the fine and had not consulted the EDPB Guidelines regarding [[Article 83 GDPR]] ([https://edpb.europa.eu/system/files/2022-05/edpb_guidelines_042022_calculationofadministrativefines_en.pdf Guidelines 04/2022]). | ||
The controller also stated that it did have a legal basis for its processing of health data. In its submissions, the controller cited several national ministerial orders, which all contained a reference to specific legal protocol that, according to the controller, was legally binding. Therefore, it could use this protocol as a legal basis for its processing. | The controller also stated that it did have a legal basis for its processing of health data. In its submissions, the controller cited several national ministerial orders, which all contained a reference to specific legal protocol that, according to the controller, was legally binding. Therefore, it could use this protocol as a legal basis for its processing. The controller also cited several Royal decrees, which referred to the content of this protocol. | ||
=== Holding === | === Holding === | ||
The court considered that it had full jurisdiction to review the contested decision of the DPA. Under the full review pursuant of Article 47 CFR and [[Article 78 GDPR]], the Court could substitute its views to the ones of the DPA, to the extent that all elements and arguments were raised and discussed before the Court. | The court considered that it had full jurisdiction to review the contested decision of the DPA. Under the full review pursuant of Article 47 CFR and [[Article 78 GDPR]], the Court could substitute its views to the ones of the DPA, to the extent that all elements and arguments were raised and discussed before the Court. | ||
Line 115: | Line 115: | ||
The Court also determined that the DPA had not misused its powers with regard to the determination of the fine. The Court reminded that this can only be the case when a public authority used its power, meant to serve the public interest, for another purpose. The unauthorised purpose must moreover be the sole purpose of the contested act. Since the controller didn’t demonstrate that the DPA pursued an objective other than the enforcement of the right to data protection, this plea was also unfounded. | The Court also determined that the DPA had not misused its powers with regard to the determination of the fine. The Court reminded that this can only be the case when a public authority used its power, meant to serve the public interest, for another purpose. The unauthorised purpose must moreover be the sole purpose of the contested act. Since the controller didn’t demonstrate that the DPA pursued an objective other than the enforcement of the right to data protection, this plea was also unfounded. | ||
Third, the Court also confirmed that the 'protocol' signed between the airport and the minister in charge invoked by the controller as a legal basis was not legally binding. The DPA had come to the same conclusion in the contested decision. This protocol only stated that Airports had the choice to carry out temperature checks. The Court also emphasised that the 'European centre for disease Prevention and control' (ECDC) and the 'European Aviation Safety Authority' (EASA) were not recommending these temperature checks at airports due to the lack of scientific justification for this measure. Besides, the mere fact that a | Third, the Court also confirmed that the 'protocol' signed between the airport and the minister in charge invoked by the controller as a legal basis was not legally binding. The DPA had come to the same conclusion in the contested decision. This protocol only stated that Airports had the choice to carry out temperature checks. The Court also emphasised that the 'European centre for disease Prevention and control' (ECDC) and the 'European Aviation Safety Authority' (EASA) were not recommending these temperature checks at airports due to the lack of scientific justification for this measure. Besides, the mere fact that a Royal Decree was referring to such a protocol did not make it binding and an appropriate legal basis. | ||
The Court reduced the amount of the fine. In particular, the court stated that the DPA should have paid more attention to the following factors: | The Court reduced the amount of the fine. In particular, the court stated that the DPA should have paid more attention to the following factors: |
Revision as of 11:08, 25 January 2023
Court of Appeal of Brussels (Belgium) - 2022/AR/556 | |
---|---|
Court: | Court of Appeal of Brussels (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(b) GDPR Article 5(1)(a) GDPR Article 6(1)(c) GDPR Article 6(3) GDPR Article 9(2)(i) GDPR Article 12(1) GDPR Article 13(1)(c) GDPR Article 13(2)(a) GDPR Article 13(2)(d) GDPR Article 13(2)(e) GDPR Article 30(1) GDPR Article 30(1)(d) GDPR Article 35(1) GDPR Article 35(7) GDPR |
Decided: | 07.12.2022 |
Published: | 09.01.2023 |
Parties: | |
National Case Number/Name: | 2022/AR/556 |
European Case Law Identifier: | |
Appeal from: | APD/GBA (Belgium) 47/2022 |
Appeal to: | |
Original Language(s): | French |
Original Source: | GBA (in French) |
Initial Contributor: | n/a |
The Belgian Court of appeal of Brussels upheld a decision by the Belgian DPA to fine Charleroi airport for using temperature scanners at the airport to detect potential COVID-19 infections without a legal basis. However, the Court reduced the original fine.
English Summary
Facts
On 4 April 2022, the Belgian DPA issued decision 47/2022, in which it fined Charleroi Airport €100,000 for the use of thermal cameras and temperature checks for COVID-19 detection purposes. The DPA held that the controller lacked a lawful ground for processing these special category data, see the GDPRhub summary.
The controller appealed this decision with the Market Court. The controller questioned the impartiality of the DPA by referring to several reports in the national press. These reports showed an appearance of partiality according to the controller, which was enough to call the decisions of the DPA into question. The nature of these news reports were not specified in the ruling.
The controller further argued that the DPA had misued its powers. According to the controller, the DPA had stated multiple times in the press that the controller did not have a legal basis for its use of thermal cameras. However, the DPA did not issue any opinion of give recommendations to the controller so that it could improve its processing. The controller stated that it would have followed the instructions of the DPA if the DPA had taken a clear position regarding the legality of the controller's processing. The controller had also requested the anonymization of the decision. Despite this, the decision was published alongside a press report. According to the controller, the choice to publish a non-anonymised decision and to publish press report alongside it constituted a misuse of power by the DPA.
The controller also stated that the controller had misued its powers with regard to the determination of the fine imposed on the controller.
The controller also argued that the DPA did not properly apply the criteria described in Article 83 GDPR for determining the fine and had not consulted the EDPB Guidelines regarding Article 83 GDPR (Guidelines 04/2022).
The controller also stated that it did have a legal basis for its processing of health data. In its submissions, the controller cited several national ministerial orders, which all contained a reference to specific legal protocol that, according to the controller, was legally binding. Therefore, it could use this protocol as a legal basis for its processing. The controller also cited several Royal decrees, which referred to the content of this protocol.
Holding
The court considered that it had full jurisdiction to review the contested decision of the DPA. Under the full review pursuant of Article 47 CFR and Article 78 GDPR, the Court could substitute its views to the ones of the DPA, to the extent that all elements and arguments were raised and discussed before the Court.
The Court then went on to consider the grounds op appeal of the controller.
First, with regard to the impartiality, the Court noted that the controller's criticism was primarily pointed to the legality of the appointment of certain external members. It was for the Parliament to decide on the appointment of external members. The Court determined that the impartiality-argument of the controller was unfounded since no specific argument had been raised that could affect the regularity of the decision and could lead to annulment.
The controller also did not provide any concrete evidence to support its argument.
Second, the DPA did not commit an abuse of its powers when deciding to publish the decision in a non-anonymous manner. It specifically mentioned that the decision to publish the decision was well reasoned by the DPA, which had the discretionary power to decide on this issue. The Court deemed the other controllers' arguments to be 'obscure' and decided not to examine the other arguments relating to this issue any further.
The Court also determined that the DPA had not misused its powers with regard to the determination of the fine. The Court reminded that this can only be the case when a public authority used its power, meant to serve the public interest, for another purpose. The unauthorised purpose must moreover be the sole purpose of the contested act. Since the controller didn’t demonstrate that the DPA pursued an objective other than the enforcement of the right to data protection, this plea was also unfounded.
Third, the Court also confirmed that the 'protocol' signed between the airport and the minister in charge invoked by the controller as a legal basis was not legally binding. The DPA had come to the same conclusion in the contested decision. This protocol only stated that Airports had the choice to carry out temperature checks. The Court also emphasised that the 'European centre for disease Prevention and control' (ECDC) and the 'European Aviation Safety Authority' (EASA) were not recommending these temperature checks at airports due to the lack of scientific justification for this measure. Besides, the mere fact that a Royal Decree was referring to such a protocol did not make it binding and an appropriate legal basis.
The Court reduced the amount of the fine. In particular, the court stated that the DPA should have paid more attention to the following factors:
- The controller had introduced the temperature checks in exceptional circumstances (the pandemic) and had also announced its plans to the relevant authorities.
- The controller had fully cooperated with the DPA during the procedure
- The controller had not profited economically from these temperature checks. The sole purpose of the temperature checks was to support public health.
Therefore, the Court stated that it had to reform the original DPA decision and reduce the original fine to €25,000, which was the only change the Court ended up making to the original decision.
Comment
Similar temperature checks were performed at Brussels Airport. This was the subject of a separate (Dutch) decision of the DPA (48/2022), also issued on 4 April 2022 and appealed at the Market Court (2022/AR/560 & 2022/AR/564). Both the decision of the DPA and the decision of the Market Court are summarised on the GDPRhub.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Brussels Court of Appeal -2022/AR/556 p. 2 IN REASON OF: The SOCIÉTÉ ANONYME BRUSSELS SOUTH CHARLEROI AIRPORT (ei-after “CHARLEROI AIRPORT"), whose registered office is located at rue des Frères Wright 8, 6041 Charleroi, registered with the Crossroads Bank for Enterprises at number 0444.556.344, Applicant port, Having as counsel, Me Frédéric DECHAMPS, Lawyer at the Brussels Bar, whose Iecabine is located [...] . AGAINST: THE DATA PROTECTION AUTHORITY, whose registered office is located at rue de la presse 35, at 1000 Brussels, registered with the Banque Carrefour des Entreprises at number 0694.67 9.950, represented by Chairman of its Management Committee, Portie opposite, Having as counsel My Evrard de Lophem, Grégoire Ryelandt and Clara Delbruyère, lawyers, including office is located [...].. Having regard to the pleadings and in particular: decision 47/2022 of April 4, 2022 of the Litigation Chamber of the Authority of Data Protection (hereafter "the Impugned Decision"); the motion filed by the court registry on May 3, 2022; The timetable for the exchange of submissions recorded by the Court at the introductory hearing of 18 May 2022; the conclusions of CHARLEROI AIRPORT of September 28, 2022; the summary conclusions of the DPA of October 26, 2022; the records of exhibits filed by the parties; r PAGE 01- □0□□ 3026574- □□□ 2-□□ 34-□6- □1- ;i L_J
- Court of Appeal of Brussels (Belgium)
- Belgium
- Article 5(1)(b) GDPR
- Article 5(1)(a) GDPR
- Article 6(1)(c) GDPR
- Article 6(3) GDPR
- Article 9(2)(i) GDPR
- Article 12(1) GDPR
- Article 13(1)(c) GDPR
- Article 13(2)(a) GDPR
- Article 13(2)(d) GDPR
- Article 13(2)(e) GDPR
- Article 30(1) GDPR
- Article 30(1)(d) GDPR
- Article 35(1) GDPR
- Article 35(7) GDPR
- 2022
- French