Data Privacy Compliance in the Cloud
Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

The Belgian data protection authority bans the use of private sector logins as an access condition to public sector websites

09.05.2019

The Belgian tax authorities maintain an online repository called FisconetPlus, on which taxpayers can find key information and guidance on taxation questions. However, the information was only available after logging on to the portal with a Microsoft user account. Unacceptable and in violation of the GDPR, says the Belgian data protection authority.

As is the case in many other countries, navigating your way through Belgian tax laws and rulings can be challenging. To make life a bit easier, the Federal Public Service of Finance maintains FisconetPlus, an online repository of Belgian tax laws, rulings and guidelines. As a tool to ease fiscal compliance, it is invaluable, especially for tax professionals.

As part of a revamp in 2018, FisconetPlus was updated: the repository was moved to a SharePoint website, hosted in the Belgian federal government’s G-Cloud infrastructure. Thereafter, access to the repository required a log-in, using a Microsoft account, in order to enable personalised services (storing favourite sources, automated warnings, etc.). This approach inevitably implied that citizens who wanted to access this repository of public sector information needed to entrust their personal data to a private sector company. As a part of their registration process for a Microsoft account, users needed to accept Microsoft’s privacy policy, which by default enabled certain tracking and advertising features.

This change within FisconetPlus was examined by the Belgian data protection authority, following a series of complaints. The DPA found in February 2019 that the update constituted a breach of the GDPR. Even assuming that it would be lawful for such information to be available only after logging on to the repository, the DPA considered that there was no legal basis that would allow the Federal Public Service of Finance to force Belgian citizens to entrust their personal data to a private undertaking as a precondition for accessing public sector information. Moreover, it ruled that as a matter of principle, no authentication mechanism or identification obligation of any kind – government controlled or otherwise – should be necessary to access information that should be publicly available; and that personalised services should not require systematic unique identification of the users.

The ruling is somewhat reminiscent of the 2014 Breyer case before the European Court of Justice (case number C-582/14), in which Mr Breyer visited German public sector websites. Observing that the websites logged his IP address, Mr Breyer asked for the relevant logs to be deleted under data protection law. The Court affirmed that the logs containing his IP address could be qualified as personal data. While it did not hold that logging access to public sector websites was unlawful, nor that the logs should be deleted, it did acknowledge that data protection law was relevant when securing public sector websites. The Belgian DPA has taken this one step further: even in cases where logging and authentication to public sector websites would be legitimate, this does not imply that private sector companies can be used as a mandatory gatekeeper to public sector information.

 


Article provided by: Hans Graux (Time.lex, Belgium)

 
