Court of Appeal of Brussels - 2022/AR/556: Difference between revisions
No edit summary |
No edit summary |
||
| Line 86: | Line 86: | ||
}} | }} | ||
The Belgian Court of appeal of Brussels largely upheld a decision by the Belgian DPA to fine South Charleroi airport for several GDPR violations. In [https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-47-2022.pdf Decision 47/2022,] The DPA had | The Belgian Court of appeal of Brussels largely upheld a decision by the Belgian DPA to fine South Charleroi airport for several GDPR violations. In [https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-47-2022.pdf Decision 47/2022,] The DPA had fined the airport for using temperature scanners on the airport to discovering potential COVID-19 infections. However, the Court reduced the original fine because the DPA had insufficiently considered the factors of [[Article 83 GDPR]]. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
In its [https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_47/2022 decision 47/2022], the Belgian DPA (DPA) had determined that the Brussels South Charleroi Airport (controller) had violated several GDPR | In its [https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_47/2022 decision 47/2022], the Belgian DPA (DPA) had determined that the Brussels South Charleroi Airport (controller) had violated several GDPR provisions, which resulted in a fine of €100,000. The controller had monitored passengers' temperature using thermal cameras between June and March 2021. All passengers with a temperature over 38°C were requested to have their temperature measured again by a medical service. Passengers who were suspected to be infected with COVID-19 after this second check, were asked to leave the airport and were not allowed to board their plane. For more information on this decision, see the original decision and the [https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_47/2022 GDPRhub summary]. In short, among other violations, the DPA determined that the controller processed health data without a legal basis. The DPA held that the protocol, which the controller used as its legal basis, was not legally binding. | ||
The controller appealed the decision on several grounds at the Brussels Court of Appeal. Among other grounds, the controller held that the DPA was not independent in its decision making and | The controller appealed the decision on several grounds at the Brussels Court of Appeal in this case, the first instance court. Among other grounds, the controller held that the DPA was not independent in its decision making and had not been impartial. The controller based these arguments on several national news reports. According to the controller, these reports showed that the DPA had not been impartial from the very beginning of the investigation. The controllers critisism was not targeted towards the DPA as a whole, but towards the legality of the appointment of certain external members of the knowledge centre. '''(21)''' | ||
The controller also claimed that the DPA had abused its powers. According to the controller, the DPA had stated | The controller also claimed that the DPA had abused its powers. According to the controller, the DPA had stated continiously in the press that the controller did not have a legal basis for its use of thermal cameras. However, the DPA did not issue any opinion of give recommendations to the controller so that it could improve its processing. The controller stated that it would have followed the instructions of the DPA if it had been given propper guidance and if the DPA had taken a clear position. The controller had also requested the anonymization of the decision, which was not accepted by the DPA. The decision was published without redactions and the DPA also published a press release. According to the controller, the choice not to anonymise the decision constituted a misue of power by the DPA. '''(22)''' | ||
The controller also argued that the fine in the original decision was not | The controller also argued that the fine in the original decision was not adequately reasoned, nor was the fine proportionate. The controller had argued that the DPA did not properly apply the criteria described in [[Article 83 GDPR]] and had not consulted the EDPB Guidelines regarding [[Article 83 GDPR]] in order to determine the amount of the fine. | ||
The controller also claimed, contrary to the original decision by the DPA, that it did have a legal basis for its processing of health data. In its submissions, the controller cited several national ministerial orders, which all contained a | The controller also claimed, contrary to the original decision by the DPA, that it did have a legal basis for its processing of health data. In its submissions, the controller cited several national ministerial orders, which all contained a reference to specific legal protocol that, according to the controller, was legally binding. Therefore, it could use this protocol as a legal basis for its processing. | ||
=== Holding === | === Holding === | ||
The | The Court first confirmed that it had the jurisdiction to annul or to reform the contested decision by the DPA. '''(19)''' '''(paragraph 14.3.1)''' Contrary to what the controller had argued, there was also no lack of independence or impartiality at the side of the DPA. The court stated that the specific external members, who were criticised by the controller, were not at any point involved in the litigation chain of the Belgian DPA. The Court also stated that it did not have jurisdiction regarding the appointment of members of the DPA. The court determined that the impartiality-argument of the controller was unfounded since no specific complaint had been raised. The controller also did not provide any concrete evidence to support its argument. '''(21-22)''' | ||
The court also determined that the DPA did not abuse its powers. According to the controller, the | The court also determined that the DPA did not abuse its powers. According to the controller, the misue of powers was apparent from the DPA's choice to publish the decision in a non-anonymous manner. The controller also provided other indications of the DPA's misue of powers, but the Court deemed the controllers arguments to be 'obscure' and decided not to examine the other arguments relating to this issue any further. It specifically mentioned that the decision to publish the decision was well reasoned by the DPA, which had the discretionary power to decide on this issue. '''(24-25)''' | ||
The court also confirmed | The court also confirmed that the protocol invoked by the controller as a legal basis was not legally binding. This protocol only stated that Airports had the ''<u>choice</u>'' to carry out temperature checks. The DPA also emphasised that the European centre for disease Prevention and control (ECDC) and the European Aviation Safety Authority (EASA) were not recommending these temperature checks at airports due to the lack of scientific justification for this measure. Therefore, this protocol could not have been used as a legal basis by the controller. '''(31)''' | ||
Despite all the rejected grounds of appeal, the court agreed with the controller that the DPA should have paid more attention to the aspects of [[Article 83 GDPR]] in order to determine the amount of the fine. In | '''LAST TWO PARAGRAPHS OF 18.3.3. ??''' | ||
'''18.3.4. LEFT OUT''' | |||
Despite all the rejected grounds of appeal, the court agreed with the controller that the DPA should have paid more attention to the aspects of [[Article 83 GDPR]] in order to determine the amount of the fine. In particular, the court stated that the DPA should have paid more attention to the following factors: The controller had introduced the temperature checks in <u>good faith</u> and had also announced its plans to the relevant authorities. The controller had not in any way conducted these checks for <u>commercial reasons</u>. The court also considered that the controller had <u>fully cooperated</u> with the DPA during the procedure and also stated that the controller <u>had not profited economically</u> from these temperature checks. Lastly, the court considered the sole purpose of the temperature checks, <u>which was to support public health</u>. Given the <u>exceptional circumstances of the pandemic</u>, the Court stated that it had to reform the original DPA decision and reduce the original fine to €25,000, which was the only change the Court ended up making to the original decision. '''(32 - 33)''' | |||
== Comment == | == Comment == | ||
Similar temperature checks were performed at Brussels Airport. This was the subject of a separate (Dutch) decision of the DPA ([https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_48/2022 48/2022)], also issued on 4 April 2022 and appealed at the [https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_2022/AR/560_%26_2022/AR/564 Market Court (2022/AR/560 & 2022/AR/564)]. Both the [https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_48/2022 decision of the DPA] and the [https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_2022/AR/560_%26_2022/AR/564 decision of the Market Court] are summarised on the GDPRhub. | Similar temperature checks were performed at Brussels Airport. This was the subject of a separate (Dutch) decision of the DPA ([https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_48/2022 48/2022)], also issued on 4 April 2022 and appealed at the [https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_2022/AR/560_%26_2022/AR/564 Market Court (2022/AR/560 & 2022/AR/564)]. Both the [https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_48/2022 decision of the DPA] and the [https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_2022/AR/560_%26_2022/AR/564 decision of the Market Court] are summarised on the GDPRhub. | ||
Revision as of 09:12, 24 January 2023
| Court of Appeal of Brussels (Belgium) - 2022/AR/556 | |
|---|---|
 | |
| Court: | Court of Appeal of Brussels (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(b) GDPR Article 5(1)(a) GDPR Article 6(1)(c) GDPR Article 6(3) GDPR Article 9(2)(i) GDPR Article 12(1) GDPR Article 13(1)(c) GDPR Article 13(2)(a) GDPR Article 13(2)(d) GDPR Article 13(2)(e) GDPR Article 30(1) GDPR Article 30(1)(d) GDPR Article 35(1) GDPR Article 35(7) GDPR |
| Decided: | 07.12.2022 |
| Published: | 09.01.2023 |
| Parties: | |
| National Case Number/Name: | 2022/AR/556 |
| European Case Law Identifier: | |
| Appeal from: | APD/GBA (Belgium) 47/2022 |
| Appeal to: | |
| Original Language(s): | French |
| Original Source: | GBA (in French) |
| Initial Contributor: | n/a |
The Belgian Court of appeal of Brussels largely upheld a decision by the Belgian DPA to fine South Charleroi airport for several GDPR violations. In Decision 47/2022, The DPA had fined the airport for using temperature scanners on the airport to discovering potential COVID-19 infections. However, the Court reduced the original fine because the DPA had insufficiently considered the factors of Article 83 GDPR.
English Summary
Facts
In its decision 47/2022, the Belgian DPA (DPA) had determined that the Brussels South Charleroi Airport (controller) had violated several GDPR provisions, which resulted in a fine of €100,000. The controller had monitored passengers' temperature using thermal cameras between June and March 2021. All passengers with a temperature over 38°C were requested to have their temperature measured again by a medical service. Passengers who were suspected to be infected with COVID-19 after this second check, were asked to leave the airport and were not allowed to board their plane. For more information on this decision, see the original decision and the GDPRhub summary. In short, among other violations, the DPA determined that the controller processed health data without a legal basis. The DPA held that the protocol, which the controller used as its legal basis, was not legally binding.
The controller appealed the decision on several grounds at the Brussels Court of Appeal in this case, the first instance court. Among other grounds, the controller held that the DPA was not independent in its decision making and had not been impartial. The controller based these arguments on several national news reports. According to the controller, these reports showed that the DPA had not been impartial from the very beginning of the investigation. The controllers critisism was not targeted towards the DPA as a whole, but towards the legality of the appointment of certain external members of the knowledge centre. (21)
The controller also claimed that the DPA had abused its powers. According to the controller, the DPA had stated continiously in the press that the controller did not have a legal basis for its use of thermal cameras. However, the DPA did not issue any opinion of give recommendations to the controller so that it could improve its processing. The controller stated that it would have followed the instructions of the DPA if it had been given propper guidance and if the DPA had taken a clear position. The controller had also requested the anonymization of the decision, which was not accepted by the DPA. The decision was published without redactions and the DPA also published a press release. According to the controller, the choice not to anonymise the decision constituted a misue of power by the DPA. (22)
The controller also argued that the fine in the original decision was not adequately reasoned, nor was the fine proportionate. The controller had argued that the DPA did not properly apply the criteria described in Article 83 GDPR and had not consulted the EDPB Guidelines regarding Article 83 GDPR in order to determine the amount of the fine.
The controller also claimed, contrary to the original decision by the DPA, that it did have a legal basis for its processing of health data. In its submissions, the controller cited several national ministerial orders, which all contained a reference to specific legal protocol that, according to the controller, was legally binding. Therefore, it could use this protocol as a legal basis for its processing.
Holding
The Court first confirmed that it had the jurisdiction to annul or to reform the contested decision by the DPA. (19) (paragraph 14.3.1) Contrary to what the controller had argued, there was also no lack of independence or impartiality at the side of the DPA. The court stated that the specific external members, who were criticised by the controller, were not at any point involved in the litigation chain of the Belgian DPA. The Court also stated that it did not have jurisdiction regarding the appointment of members of the DPA. The court determined that the impartiality-argument of the controller was unfounded since no specific complaint had been raised. The controller also did not provide any concrete evidence to support its argument. (21-22)
The court also determined that the DPA did not abuse its powers. According to the controller, the misue of powers was apparent from the DPA's choice to publish the decision in a non-anonymous manner. The controller also provided other indications of the DPA's misue of powers, but the Court deemed the controllers arguments to be 'obscure' and decided not to examine the other arguments relating to this issue any further. It specifically mentioned that the decision to publish the decision was well reasoned by the DPA, which had the discretionary power to decide on this issue. (24-25)
The court also confirmed that the protocol invoked by the controller as a legal basis was not legally binding. This protocol only stated that Airports had the choice to carry out temperature checks. The DPA also emphasised that the European centre for disease Prevention and control (ECDC) and the European Aviation Safety Authority (EASA) were not recommending these temperature checks at airports due to the lack of scientific justification for this measure. Therefore, this protocol could not have been used as a legal basis by the controller. (31)
LAST TWO PARAGRAPHS OF 18.3.3. ??
18.3.4. LEFT OUT
Despite all the rejected grounds of appeal, the court agreed with the controller that the DPA should have paid more attention to the aspects of Article 83 GDPR in order to determine the amount of the fine. In particular, the court stated that the DPA should have paid more attention to the following factors: The controller had introduced the temperature checks in good faith and had also announced its plans to the relevant authorities. The controller had not in any way conducted these checks for commercial reasons. The court also considered that the controller had fully cooperated with the DPA during the procedure and also stated that the controller had not profited economically from these temperature checks. Lastly, the court considered the sole purpose of the temperature checks, which was to support public health. Given the exceptional circumstances of the pandemic, the Court stated that it had to reform the original DPA decision and reduce the original fine to €25,000, which was the only change the Court ended up making to the original decision. (32 - 33)
Comment
Similar temperature checks were performed at Brussels Airport. This was the subject of a separate (Dutch) decision of the DPA (48/2022), also issued on 4 April 2022 and appealed at the Market Court (2022/AR/560 & 2022/AR/564). Both the decision of the DPA and the decision of the Market Court are summarised on the GDPRhub.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Brussels Court of Appeal -2022/AR/556 p. 2
IN REASON OF:
The SOCIÉTÉ ANONYME BRUSSELS SOUTH CHARLEROI AIRPORT (ei-after “CHARLEROI
AIRPORT"), whose registered office is located at rue des Frères Wright 8, 6041 Charleroi, registered with the
Crossroads Bank for Enterprises at number 0444.556.344,
Applicant port,
Having as counsel, Me Frédéric DECHAMPS, Lawyer at the Brussels Bar, whose Iecabine is located
[...] .
AGAINST:
THE DATA PROTECTION AUTHORITY, whose registered office is located at rue de la presse 35, at 1000
Brussels, registered with the Banque Carrefour des Entreprises at number 0694.67 9.950, represented by
Chairman of its Management Committee,
Portie opposite,
Having as counsel My Evrard de Lophem, Grégoire Ryelandt and Clara Delbruyère, lawyers, including
office is located [...]..
Having regard to the pleadings and in particular:
decision 47/2022 of April 4, 2022 of the Litigation Chamber of the Authority of
Data Protection (hereafter "the Impugned Decision");
the motion filed by the court registry on May 3, 2022;
The timetable for the exchange of submissions recorded by the Court at the introductory hearing of 18
May 2022;
the conclusions of CHARLEROI AIRPORT of September 28, 2022;
the summary conclusions of the DPA of October 26, 2022;
the records of exhibits filed by the parties;
r PAGE 01- □0□□ 3026574- □□□ 2-□□ 34-□6- □1- ;i
L_J
- Court of Appeal of Brussels (Belgium)
- Belgium
- Article 5(1)(b) GDPR
- Article 5(1)(a) GDPR
- Article 6(1)(c) GDPR
- Article 6(3) GDPR
- Article 9(2)(i) GDPR
- Article 12(1) GDPR
- Article 13(1)(c) GDPR
- Article 13(2)(a) GDPR
- Article 13(2)(d) GDPR
- Article 13(2)(e) GDPR
- Article 30(1) GDPR
- Article 30(1)(d) GDPR
- Article 35(1) GDPR
- Article 35(7) GDPR
- 2022
- French
