iUntil now, fines by the Belgian Data Protection Authority (BDPA) had, compared to its neighbouring countries (France, Luxembourg, and the Netherlands), appeared on the low side in absolute numbers. Last year we carried out an analysis of over 300 fines related to (alleged) infringements of the General Data Protection Regulation (GDPR), including the top 250 fines imposed on companies with an identified or identifiable turnover, and Belgium appeared in 18th position among EU data protection authorities when comparing the average of the fines examined.
A judgment of 14 June 2023 of the Belgian Market Court (the division of the Court of Appeal of Brussels) may have the indirect effect of significantly changing this.
That judgment followed an appeal by a controller (in this case, bpost, the largest Belgian postal services company) against a 10.000 EUR fine. The Market Court has often overruled decisions by the Belgian Data Protection Authority on procedural grounds, as well as on the merits, i.e., the actual assessment of allegations of infringements, but in this particular case, it confirmed the Belgian Data Protection Authority’s decision in those respects.
It nevertheless decided to follow the controller’s arguments that the fine itself was not properly justified and reduced the fine to a symbolic Euro.
Preliminary point: do GDPR fines have to be paid even pending an appeal?
In Belgium, the tax authorities are the ones who send a request for payment to a controller or processor fined by the Belgian Data Protection Authority, and the procedure they follow is wholly separate from the appeals process.
In addition, the law instituting the Belgian Data Protection Authority does not foresee an automatic stay of enforcement in case of an appeal. Since a Market Court judgment that we obtained in September 2020, it is nevertheless possible to obtain a stay of enforcement, including the payment of fines, while an appeal against a Belgian Data Protection Authority is pending, but the Market Court has refined its approach over the years and imposes strict conditions.
In this particular case, the text of the Market Court judgment shows that the fine was paid, and reimbursement was requested.
Why was the fine reduced, and what was the Market Court’s reasoning?
The Market Court explains its reasoning as follows in its judgment (rough translation from the original Dutch):
"The Market Court tries to detect which methodology the Litigation Chamber [of the BDPA] applies that allows it to render objective the choice of sanction, including the amount of possible fines.
The Market Court agrees with [the relevant controller] that the Litigation Chamber has in a manifestly insufficient manner taken into account, in the determination of the amount of the fine, the specific situation and context [...] and the following mitigating circumstances."
The Market Court goes on to list a range of circumstances that should have been taken into account when assessing the fine, including the fact that the Data Protection Officer’s advice had been sought and the fact that no damages were claimed by data subjects.
Based on that, the Market Court says that the data protection fine is not "properly" justified, from a factual perspective or from a legal perspective.
What does this mean for the future – a new methodology for GDPR fines?
The Litigation Chamber of the Belgian Data Protection Authority has, over time, improved its decision-making process to take into account all of the criticisms from the Market Court, with more detailed decisions and a more balanced process as a result.
In this case, because the Market Court said that it was “[trying] to detect” which methodology was used and that the fine itself was not “properly” justified, it is likely that the Belgian Data Protection Authority will reflect on how to improve the clarity of its methodology for determining which sanction to apply and for determining the amount of a fine.
This could easily be achieved in two ways: by publishing its current methodology or by adopting one that is already public. One like the one finalised on 24 May 2023 by the European Data Protection Board (EDPB), the group of all supervisory authorities within the European Union.
What is the EDPB fining methodology?
The EDPB issues recommendations and guidelines, as well as binding decisions in cross-border cases where there is a disagreement among the supervisory authorities involved in a case.
In its Guidelines 04/2022 on the calculation of administrative fines under the GDPR, as finalised in May 2023, the EDPB proposed the following methodology for calculating GDPR fines:
Identification of the processing operations in the case and evaluation of the application of Article 83(3) GDPR
Identification of the starting point for further calculation of the amount of the fine (by evaluating the classification of the infringement in the GDPR, evaluating the seriousness of the infringement in light of the circumstances of the case, and evaluating the turnover of the undertaking)
Evaluation of aggravating and mitigating circumstances related to past or present behaviour of the controller/processor, and increasing or decreasing the fine accordingly
Identification of the relevant legal maximums for the different infringements (increases applied in previous or next steps cannot exceed this maximum amount)
Analysis of whether the calculated final amount meets the requirements of effectiveness, dissuasiveness, and proportionality, and adjusting the fine accordingly (without exceeding the relevant legal maximum)
Step 2, in particular, takes the form of a mathematical formula – we published DeFine, a tool to help use the 2022 version of the formula (when the guidelines were still merely subject to public consultation and not yet finalised). We will be updating it in the coming weeks to take into account some increases that the finalisation in 2023 has brought with it.
Based on our aforementioned assessment of GDPR fines, use of this methodology would likely lead, throughout the European Union, to higher GDPR fines, purely because the percentages for the “starting point” of the calculation are already higher than those applied in practice by supervisory authorities.
In practice, therefore, adoption of the EDPB methodology would likely trigger (much) higher GDPR fines in Belgium.
Would this not happen anyway?
Since the adoption of the finalised EDPB guidelines, the Belgian Data Protection Authority had already referenced them in a recent decision (available in French) when assessing which mitigating and aggravating circumstances must be taken into account. It is therefore already possible that in future fining decisions, the Belgian Data Protection Authority would in any event have applied the EDPB fining methodology.
In that context, the Market Court judgment of 14 June 2023 may end up being an additional trigger that accelerates adoption by the Belgian Data Protection Authority of the EDPB fining methodology.
What should I do if my company or organisation is under investigation?
In practice, organisations facing regulatory investigations regarding alleged GDPR infringements – in Belgium or elsewhere – always have to prepare their legal defence well, and the adoption of a new methodology (or publication of an existing one) merely reinforces the need to ensure that you have a team to support you, both internally (in-house legal team, data protection specialists, product teams, communication team) and externally (external legal counsel) in handling such an investigation.
And make sure that you are prepared to challenge the newly adopted methodology, too!
