The Belgian data protection authority bans the use of private sector logins as an access condition to public sector websites
As is the case in many other countries, navigating your way through Belgian tax laws and rulings can be challenging. To make life a bit easier, the Federal Public Service of Finance maintains FisconetPlus, an online repository of Belgian tax laws, rulings and guidelines. As a tool to ease fiscal compliance, it is invaluable, especially for tax professionals.
This change within FisconetPlus was examined by the Belgian data protection authority, following a series of complaints. The DPA found in February 2019 that the update constituted a breach of the GDPR. Even assuming that it would be lawful for such information to be available only after logging on to the repository, the DPA considered that there was no legal basis that would allow the Federal Public Service of Finance to force Belgian citizens to entrust their personal data to a private undertaking as a precondition for accessing public sector information. Moreover, it ruled that as a matter of principle, no authentication mechanism or identification obligation of any kind – government controlled or otherwise – should be necessary to access information that should be publicly available; and that personalised services should not require systematic unique identification of the users.
The ruling is somewhat reminiscent of the 2014 Breyer case before the European Court of Justice (case number C-582/14), in which M. Breyer visited German public sector websites. Observing that the websites logged his IP address, M. Breyer asked for the relevant logs to be deleted under data protection law. The Court affirmed that the logs containing his IP address could be qualified as personal data. While it did not hold that logging access to public sector websites was unlawful, nor that the logs should be deleted, it did acknowledge that data protection law was relevant when securing public sector websites. The Belgian DPA has taken this one step further: even in cases where logging and authentication to public sector websites would be legitimate, this does not imply that private sector companies can be used as a mandatory gatekeeper to public sector information.
Article provided by: Hans Graux (Time.lex, Belgium)
Discover more about the Cloud Privacy Check (CPC) / Data Privacy Compliance (DPC) project
Director CPC project: Dr. Tobias Höllwarth, firstname.lastname@example.org