Court of Appeal of Brussels - 2022/AR/723: Difference between revisions

From GDPRhub
No edit summary
 
(11 intermediate revisions by 4 users not shown)
Line 7: Line 7:
|Court_Original_Name=Hof van Beroep Brussel
|Court_Original_Name=Hof van Beroep Brussel
|Court_English_Name=Market Court of the Brussels appeal court
|Court_English_Name=Market Court of the Brussels appeal court
|Court_With_Country=Hof van Beroep Brussel
|Court_With_Country=Court of Appeal of Brussels (Belgium)


|Case_Number_Name=2022/AR/723
|Case_Number_Name=2022/AR/723
|ECLI=
|ECLI=


|Original_Source_Name_1=GBA
|Original_Source_Name_1=APD/GBA (Belgium)
|Original_Source_Link_1=https://www.autoriteprotectiondonnees.be/publications/arret-du-14-juin-2023-de-la-cour-des-marches-ar-723-disponible-en-neerlandais.pdf
|Original_Source_Link_1=https://www.autoriteprotectiondonnees.be/publications/arret-du-14-juin-2023-de-la-cour-des-marches-ar-723-disponible-en-neerlandais.pdf
|Original_Source_Language_1=Dutch
|Original_Source_Language_1=Dutch
Line 63: Line 63:
|Party_Link_3=
|Party_Link_3=


|Appeal_From_Body=GBA
|Appeal_From_Body=APD/GBA (Belgium)
|Appeal_From_Case_Number_Name=71/2022
|Appeal_From_Case_Number_Name=71/2022
|Appeal_From_Status=
|Appeal_From_Status=
Line 76: Line 76:
}}
}}


TO BE UPDATED
The Belgian Court of Appeal reduced a €10,000 fine imposed by the DPA to the national railway company to a symbolic €1 due to lacking motivation concerning the amount of the fine.
 
The Belgian Marktenhof ruled in an appeal of the Belgian Railway Company NMBS against a prior decision of the Belgian DPA. In the prior decision, the company was fined €10,000 for sending an e-mail with promotional material to owners of a travel pass. All the grounds of appeal were dismissed by the court, but the fine was reduced to a symbolic €1 due to lacking motivation regarding the amount of the fine


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
This ruling of the Belgian court of appeal (Marktenhof) concerns the Belgian Railway company NMBS (controller), a company with the Belgian state as its only shareholder. During the COVID-19 Pandemic, the controller was ordered by the Belgian government to start an initiative to promote train travel. By royal decree on 28 July 2020, the controller was ordered to issue a travel pass for Belgian citizens with 12 free train tickets to domestic destinations in order to promote travelling by train. '''( paragraph 3).'''
This ruling of the Belgian court of appeal (Marktenhof) concerns the Belgian Railway company SNCB/NMBS (controller), a company with the Belgian state as its only shareholder. During the COVID-19 Pandemic, the controller was ordered by the Belgian government to start an initiative to promote train travel. On 13 October 2020, the controller emailed railway pass holders to inform them about the use cases of this travel pass and also provided COVID-19 related information. This e-mail resulted in GDPR related discussions on Twitter, specifically regarding the lack of the possibility to object. The Belgian DPA started an investigation on that matter and found that by not providing the possibility to opt-out of receiving similar emails, the controller violated [[Article 12 GDPR|Articles 12(2)]], [[Article 21 GDPR#2|21(2)]] and [[Article 21 GDPR#4|21(4) GDPR]]. Moreover, the DPA held that the controller violated [[Article 5 GDPR#1a|Article 5(1)(a)]], [[Article 5 GDPR#1c|5(1)(c)]], [[Article 5 GDPR#2|5(2)]], [[Article 6 GDPR#1|6(1)]], [[Article 12 GDPR#2|12(2)]], [[Article 21 GDPR#2|21(2)]] and [[Article 21 GDPR#4|21(4) GDPR]].  
 
On 13 October 2020, the controller emailed railway pass holders to inform them about the use cases of this travel pass and also provided COVID-19 related information, such as sanitary requirements (…) This e-mail also contained a hyperlink, linking to travel blogs on the website of the controller. '''(page 19)'''
 
This e-mail resulted in GDPR related discussions on Twitter, specifically regarding the lack of the possibility to exercise the right to objection with regard to the promotional material in the e-mail. ('''Paragraph 5-6-7''') On 19 October 2020, the investigation service of the Belgian DPA informed the controller that it would start an investigation because of these Twitter discussions. '''(paragraph 7)'''
 
On 9 November 2020, the investigation service found several GDPR violations. Among the other violations, the DPA determined that the controller had no legal basis for sending the e-mail. It also held that the e-mail in question qualified as direct marketing ((Article 21(2) GDPR). (8) On 4 May 2022, the violations were confirmed by the DPA. By not providing the possibility to opt-out of receiving similar emails, the controller violated Articles 12(2), 21(2) and 21(4) GDPR. Consequently, the DPA held that the controller violated Article 5(1)(a), 5(1)(c), 5(2), 6(1), 12(2) and 21(2) and 21(4) GDPR. The controller was fined €10,000. 
 
On 2 June 2022, the controller appealed the decision of the DPA, resulting in this ruling of the Marktenhof. ([https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-71-2022.pdf Click here] for the full text of the decision of the DPA. [https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_71/2022 Click here] for the GDPRHub summary of this decision). ('''page 11-12''')
 
The controller presented several grounds of appeal before the Marktenhof.
 
''First'', the controller stated that the GDPR was not applicable in this case. Not the GPDR, but the e-privacy directive, was applicable here as a Lex Specialis of the GDPR. Because the DPA did not acknowledge this in the disputed decision, the violations were not properly motivated.                                                                                                                                     
Also, pursuant to Belgian Law (XV.2, Paragraph 1 WER), the DPA was not authorized to impose a fine on the controller, since competence regarding e-privacy related issues was reserved for the ‘FOD Economie’ another public institution. ('''page 14''').
 
''Second,'' the controller stated Article 6 ECFR had been breached. The controller claimed that screenshots of the e-mail were used as evidence in the decision. However, this screenshot of the e-mail was not included in the investigation file. Therefore, the controller had not been able to comment on this piece of evidence, resulting in a breach of Article 6 ECFR. '''(page 18)'''
 
''Third'', the controller stated that the decision of the DPA was based on an inaccurate and incomplete representation of the facts. Among the others, the controller disputed the DPA’s definition of ‘direct Marketing’ (20).                                                                                                                                                            The controller also stated that it had sent the e-mail in the first place because it was obligated to do so pursuant to the royal decree (25) It had to provide information to travellers regarding recommendations and obligations concerning the COVID-19 pandemic because this was part of its public service obligation. It stated that it had to promote its full service as part of its public service obligation '''(page 25-26).''' 
 
''Fourth'', the controller stated that the DPA violated several principles of good governance, namely the principles of justification, reasonableness, due diligence, equality, impartiality and confidence. Among other arguments, the controller argued that the DPA did not properly motivate the GDPR violations in the original decision. '''(page 31''').
 
''Fifth,'' the controller stated that the DPA did not properly motivate its reasoning in the original decision why the controller provided commercial services, and was therefore not able to rely on Article 221, paragraph 2 GBW. This Belgian law is a national implementation of article 83(7) GDPR. The controller stated that supplying the railway pass was part of its public service obligation as an autonomous publicly owned company. '''(page 32).''' The controller also stated that the DPA was not even allowed to fine the controller because of Article 221, paragraph 2 GBW, since the controller stated that it did not offer commercial services. Providing public transport should not count as be considered as providing these services on the open market.  The controller repeated that it had sent the e-mail because it was obligated to do so by royal decree of 28 July 2020. '''(pagina 32 -33)'''


''Sixth,'' the controller stated that the DPA did not properly motivate its fine of €10,000 and violated the principle of proportionality. The controller outlined several circumstances that should have been considered by the DPA. '''(page 36)'''
The controller was fined €10,000 (a summary of this decision is available on the [https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_71/2022 hub]) and decided to appeal the decision with the Appeal Court on the following grounds: ''First'', the controller contested the applicability of the GDPR, considering that the e-privacy directive was applicable as ''lex specialis.'' ''Second,'' the controller stated Article 6 ECFR had been breached because it had not been able to comment on a piece of evidence. ''Third'', the controller stated that the decision of the DPA was based on an inaccurate and incomplete representation of the facts. Among the others, the controller disputed the DPA’s definition of ‘Direct marketing’. It added that it had sent the e-mail in the first place because it was obligated to do so pursuant to the government's instruction. It had to provide COVID-19 related information and promote its full service as part of its public service obligation. ''Fourth'', the controller argued that the DPA did not properly motivate the GDPR violations in the disputed decision. ''Fifth,'' the controller disputed the DPA's application of the national implementation of [[Article 83 GDPR#7|article 83(7) GDPR]] which enables the DPA to fine a public entity controller under certain conditions. ''Sixth,'' the controller stated that the DPA did not properly motivate its fine. 


=== Holding ===
=== Holding ===
''First'', the court determined that the Belgian DPA was authorized to impose the fine. It held that both the GDPR and the e-privacy directive were applicable in this case. The court stated that Article 13(2) of the e-privacy directive, which covers the conditions for direct marketing, explicitly mentions that the GDPR should also be respected. '''(Page 15 – 16).'''
''First'', the court held that both the GDPR and the e-privacy directive were applicable in this case. The court stated that Article 13(2) of the e-privacy directive, which covers the conditions for direct marketing, explicitly mentions that the GDPR should also be respected.
The court also assessed the authority of the Belgian DPA described in national law. Pursuant to Article 4 WOG, the court concluded that the DPA was not only authorized to assess the controller’s compliance with the GDPR, but also with more specific regulations, such as the e-privacy directive. '''(Page 17)'''


''Second'', the court determined that the controller did not violate Article 6 ECFR by not including a screenshot of the e-mail in the investigation file. The court stated that the screenshot had not been the main piece of evidence on which the DPA’s decision was based. The main evidence was the wording of the controller itself in the e-mail, including the hyperlink in this e-mail which linked to travel blogs on the controllers' website. The controller had been the author of both the email and these travel blogs. The court held that the controller had been provided with ample opportunity to defend itself since the e-mail and hyperlink had been part of the investigation file. '''(page 17 – 18 - 19)'''
''Second'', the court determined that there was indeed a piece of evidence on which the controller was not able to comment but it was not the main piece of evidence on which the DPA’s decision was based.  


''Third,'' the court assessed several claims of the controller regarding inaccurate and incomplete facts in the DPA’s decision.
''Third,'' the court held that since the e-mail also included a hyperlink linking to promotional content, it was a form of direct marketing. The court also agreed with the DPA that promotional material for a government service can constitute direct marketing.  
The court began with reiterating the definition of direct marketing and its cumulative elements. First, there needs to be a form of communication, which is information shared between a limited amount of parties using a publicly accessible communication-service. Secondly, the communication needs to serve a commercial purpose and needs to be directed individually to a consumer. The controller and the DPA disagreed about this second point. The controller was of the opinion that it had provided information to travellers regarding the COVID-19 pandemic. However, the court agreed with the DPA that not all the information in the e-mail was related to sanitary information related to the pandemic, since the e-mail included a hyperlink linking to promotional content. Therefore, the court rejected this argument of the controller and held that the e-mail was a form of ‘direct marketing’. '''(page 22 – 23 – 24 – 25).'''


The court also agreed with the DPA that promotional material for a government service can constitute ‘direct marketing’. The controller also did not provide any arguments that were sufficient to convince the court that the e-mail was not ‘direct marketing’. '''(Page 25)'''
''Fourth'', the court held that the DPA properly motivated the violations in the original decision.


''Fourth'', the court held that the DPA did not violate any principles of good governance. Among other arguments, the court held that the DPA properly motivated the violations in the original decision. '''(page 30 - 32)'''
''Fifth,'' the court rejected the controller’s argument regarding [[Article 83 GDPR#7|Article 83(7) GDPR]], considering that the controller did not limit itself to its legal obligation by only providing the railway pass and sanitary information regarding COVID-19. Therefore, [[Article 83 GDPR#7|Article 83(7) GDPR]] was not applicable for the controller.  


''Fifth,'' the court rejected the controller’s argument regarding [[Article 83 GDPR#7|Article 83(7) GDPR]]. The court held that the controller did not limit itself to its legal obligation by only providing the railway pass and sanitary information regarding COVID-19. Therefore, article 83(7) was not applicable. '''(page 35)'''
''Sixth,'' the court held that the DPA did not adequately consider the circumstances brought forward by the controller that could impact the amount of the fine. The court also considered several circumstances on its own initiative, namely that the communication had the main goal of providing safety from COVID-19 infections and the fact that the controller had been obligated by law to issue the travel pass.


''Sixth,'' the court remarked that the DPA did not adequately consider the circumstances brought forward by the controller that could impact the amount of the fine. The court also considered several circumstances on its own initiative, namely that the communication had the main goal of providing safety from COVID-19 infections and the fact that the controller had been obligated by law to issue the travel pass. Therefore, the court reduced the fine to a symbolic €1,00.  
In conclusion, following point 6 of the appeal above, the court concluded that the fine was improperly motivated, not proportional and reduced it to a symbolic €1,00. It rejected all the other grounds for the appeal and therefore confirmed the original decision on the other grounds.  


== Comment ==
== Comment ==
''Share your comments here!''
''The court did not refer to the [https://edpb.europa.eu/our-work-tools/documents/public-consultations/2022/guidelines-042022-calculation-administrative_en EDPB guidelines on the calculation of administrative fines].''


== Further Resources ==
== Further Resources ==

Latest revision as of 09:54, 14 December 2023

Hof van Beroep - 2022/AR/723
Courts logo1.png
Court: Court of Appeal of Brussels (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(c) GDPR
Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6(1) GDPR
Article 12(2) GDPR
Article 21(2) GDPR
Article 21(4) GDPR
XV.2, Paragraph 1 WER
Decided: 14.06.2023
Published:
Parties: Nationale Maatschappij der Belgische Sporen (NMBS)
National Case Number/Name: 2022/AR/723
European Case Law Identifier:
Appeal from: APD/GBA (Belgium)
71/2022
Appeal to:
Original Language(s): Dutch
Original Source: APD/GBA (Belgium) (in Dutch)
Initial Contributor: Kv33

The Belgian Court of Appeal reduced a €10,000 fine imposed by the DPA to the national railway company to a symbolic €1 due to lacking motivation concerning the amount of the fine.

English Summary

Facts

This ruling of the Belgian court of appeal (Marktenhof) concerns the Belgian Railway company SNCB/NMBS (controller), a company with the Belgian state as its only shareholder. During the COVID-19 Pandemic, the controller was ordered by the Belgian government to start an initiative to promote train travel. On 13 October 2020, the controller emailed railway pass holders to inform them about the use cases of this travel pass and also provided COVID-19 related information. This e-mail resulted in GDPR related discussions on Twitter, specifically regarding the lack of the possibility to object. The Belgian DPA started an investigation on that matter and found that by not providing the possibility to opt-out of receiving similar emails, the controller violated Articles 12(2), 21(2) and 21(4) GDPR. Moreover, the DPA held that the controller violated Article 5(1)(a), 5(1)(c), 5(2), 6(1), 12(2), 21(2) and 21(4) GDPR.

The controller was fined €10,000 (a summary of this decision is available on the hub) and decided to appeal the decision with the Appeal Court on the following grounds: First, the controller contested the applicability of the GDPR, considering that the e-privacy directive was applicable as lex specialis. Second, the controller stated Article 6 ECFR had been breached because it had not been able to comment on a piece of evidence. Third, the controller stated that the decision of the DPA was based on an inaccurate and incomplete representation of the facts. Among the others, the controller disputed the DPA’s definition of ‘Direct marketing’. It added that it had sent the e-mail in the first place because it was obligated to do so pursuant to the government's instruction. It had to provide COVID-19 related information and promote its full service as part of its public service obligation. Fourth, the controller argued that the DPA did not properly motivate the GDPR violations in the disputed decision. Fifth, the controller disputed the DPA's application of the national implementation of article 83(7) GDPR which enables the DPA to fine a public entity controller under certain conditions. Sixth, the controller stated that the DPA did not properly motivate its fine.

Holding

First, the court held that both the GDPR and the e-privacy directive were applicable in this case. The court stated that Article 13(2) of the e-privacy directive, which covers the conditions for direct marketing, explicitly mentions that the GDPR should also be respected.

Second, the court determined that there was indeed a piece of evidence on which the controller was not able to comment but it was not the main piece of evidence on which the DPA’s decision was based.

Third, the court held that since the e-mail also included a hyperlink linking to promotional content, it was a form of direct marketing. The court also agreed with the DPA that promotional material for a government service can constitute direct marketing.

Fourth, the court held that the DPA properly motivated the violations in the original decision.

Fifth, the court rejected the controller’s argument regarding Article 83(7) GDPR, considering that the controller did not limit itself to its legal obligation by only providing the railway pass and sanitary information regarding COVID-19. Therefore, Article 83(7) GDPR was not applicable for the controller.

Sixth, the court held that the DPA did not adequately consider the circumstances brought forward by the controller that could impact the amount of the fine. The court also considered several circumstances on its own initiative, namely that the communication had the main goal of providing safety from COVID-19 infections and the fact that the controller had been obligated by law to issue the travel pass.

In conclusion, following point 6 of the appeal above, the court concluded that the fine was improperly motivated, not proportional and reduced it to a symbolic €1,00. It rejected all the other grounds for the appeal and therefore confirmed the original decision on the other grounds.

Comment

The court did not refer to the EDPB guidelines on the calculation of administrative fines.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details. 

Brussels Court of Appeal - 2022/AR/723 - p. 2




The SA under public law NATIONALE MAATSCHAPPIJ DERBELGISCHE RAILWAYS ("NMBS"), with

company number 0203.430.576, with registered office at 1060 Brussels, Rue de France
56,


applicant,


represented by mr. WAEM Heidi and mr VERSCHAEVE Simon, lawyers with office in [...]






in return for

DATA PROTECTION AUTHORITY ("GBA"), with company number 0694.679.950, with

registered office at Drukpersstraat 35, 1000 BRUSSELS,


defendant,


represented by mr. ROETS Joos, mr. CLOOTS Elke and mr. ROES Timothy, lawyers with
office in [...]




                                               ***





Considering the procedural documents




        the decision no. 71/2022 of the Disputes Chamber of the Data Protection Authority
        from May 4, 2022;
        the petition for appeal as filed with the clerk of the Brussels Court of Appeal by

        NMBS on June 2, 2022;
        the introductory session of 15 June 2022 of the Marktenhof;

        the request of NMBS pursuant to Article 748 GerW filed on November 28, 2022;
        the decision of the Market Court of 5 December 2022;
        the (synthesis) conclusions of both parties;

        the bundles of documents filed by both parties;
Retrieved from "https://gdprhub.eu/index.php?title=Court_of_Appeal_of_Brussels_-_2022/AR/723&oldid=38672"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki