Data protection “case law” suffers from a lack of appeals, which emboldens authorities to reuse a questionable position and make it seem like the law. Case in point?
Today the Belgian DPA published yet another decision with a warning about keeping a mailbox active after a person has left a company, this time for just 4 (!) months. While this is becoming a recurrent mantra for the Belgian DPA, the key issue is that none of these decisions seem to have been appealed, possibly because there were no significant fines attached to them. As a result, there may have been no financial incentive to appeal. [Lawyers – even less specialised ones – cost money, so if you don’t get fined, you will only want to appeal a decision if abiding by it is really going to cost you more money and if your lawyers can show you that you have decent chances of winning on appeal, or if the matter is one of principle that is fundamental to e.g. your business model or your sector.]
I have written in the past about some flaws in the Belgian DPA’s approach, and my latest in-depth article looked at how the freedom to conduct a business (a fundamental right under the EU Charter) should be given equal weight as the right to the protection of personal data, in accordance with the text of the GDPR itself and of the EU Charter. If any of my clients were to be ordered to change their e-mail practices, I sincerely hope they would consider an appeal for that reason. [If any other organisation is looking at a negative decision, we will also be happy to help.]
So where does that leave us?
My advice to clients is always to take into account those decisions, but to seize the opportunity to document the reasons for which a particular reasoning is not applicable or should be disregarded. Compliance with broad principles can be achieved several ways – and just because an authority has a particular interpretation of that, doesn’t mean that it is the only valid one. (It doesn’t mean that their own interpretation is valid, either. That’s what appeals are for, normally.)
Dare to challenge. Dare to appeal. And if you aren’t involved in a case but think there are factual similarities with your situation, dare to question.
Op-ed on the freedom to conduct a business vs the right to the protection of personal data, and how the two can be combined: https://lnkd.in/dCSN2PsX
Belgian DPA decision (in Dutch): https://lnkd.in/dhvmtemu
data protection privacy GDPR
Did this analysis get you thinking? Reach out!
DataLaws.net is entirely open-access, and instead of getting your data in exchange for this content, how about another trade? If this commentary saved you research time or sparked an idea, feel free to invite me over for tea, chai or a hot chocolate next time you are around Brussels or Antwerp - or invite me over to your offices for a chat!
Get in touch ↗ Let's connect on LinkedIn ↗