The Belgian data protection authority bans the use of private sector logins as an access condition to public sector websites
As is the case in many other countries, navigating your way through Belgian tax laws and rulings can be challenging. To make life a bit easier, the Federal Public Service of Finance maintains FisconetPlus, an online repository of Belgian tax laws, rulings and guidelines. As a tool to ease fiscal compliance, it is invaluable, especially for tax professionals.
As part of a revamp in 2018, FisconetPlus was updated: the repository was moved to a SharePoint website hosted in the Belgian federal government's G-Cloud infrastructure. Thereafter, access to the repository required a login with a Microsoft account, in order to enable personalised services (storing favourite sources, automated alerts, etc.). This approach inevitably implied that citizens who wanted to consult this repository of public sector information first had to entrust their personal data to a private sector company. As part of registering for a Microsoft account, users had to accept Microsoft's privacy policy, which by default enabled certain tracking and advertising features.
This change within FisconetPlus was examined by the Belgian data protection authority, following a series of complaints. The DPA found in February 2019 that the update constituted a breach of the GDPR. Even assuming that it would be lawful for such information to be available only after logging on to the repository, the DPA considered that there was no legal basis that would allow the Federal Public Service of Finance to force Belgian citizens to entrust their personal data to a private undertaking as a precondition for accessing public sector information. Moreover, it ruled that as a matter of principle, no authentication mechanism or identification obligation of any kind – government controlled or otherwise – should be necessary to access information that should be publicly available; and that personalised services should not require systematic unique identification of the users.
The ruling is somewhat reminiscent of the Breyer case before the Court of Justice of the European Union (case C-582/14, referred in 2014 and decided in 2016), in which Mr Breyer visited German federal public sector websites. Observing that the websites logged his IP address, Mr Breyer asked for the relevant logs to be deleted under data protection law. The Court held that a dynamic IP address recorded in such logs can qualify as personal data for the website operator, since the operator has legal means to have the visitor identified with the help of the internet access provider. While it did not hold that logging access to public sector websites was unlawful, nor that the logs had to be deleted, it did acknowledge that data protection law applies when securing public sector websites. The Belgian DPA has taken this one step further: even where logging and authentication on public sector websites would be legitimate, this does not imply that private sector companies can be used as a mandatory gatekeeper to public sector information.
Article provided by: Hans Graux (Time.lex, Belgium)
Discover more about the Cloud Privacy Check (CPC) / Data Privacy Compliance (DPC) project
Director CPC project: Dr. Tobias Höllwarth, tobias.hoellwarth@eurocloud.org