
The Belgian data protection authority bans the use of private sector logins as an access condition to public sector websites


The Belgian tax authorities maintain an online repository called FisconetPlus, on which taxpayers can find key information and guidance on taxation questions. However, the information was only available after logging on to the portal with a Microsoft user account. Unacceptable and in violation of the GDPR, says the Belgian data protection authority.

As is the case in many other countries, navigating your way through Belgian tax laws and rulings can be challenging. To make life a bit easier, the Federal Public Service of Finance maintains FisconetPlus, an online repository of Belgian tax laws, rulings and guidelines. As a tool to ease fiscal compliance, it is invaluable, especially for tax professionals.

As part of a revamp in 2018, FisconetPlus was updated: the repository was moved to a SharePoint website, hosted in the Belgian federal government’s G-Cloud infrastructure. Thereafter, access to the repository required a log-in, using a Microsoft account, in order to enable personalised services (storing favourite sources, automated warnings, etc.). This approach inevitably implied that citizens who wanted to access this repository of public sector information needed to entrust their personal data to a private sector company. As a part of their registration process for a Microsoft account, users needed to accept Microsoft’s privacy policy, which by default enabled certain tracking and advertising features.

This change within FisconetPlus was examined by the Belgian data protection authority, following a series of complaints. The DPA found in February 2019 that the update constituted a breach of the GDPR. Even assuming that it would be lawful for such information to be available only after logging on to the repository, the DPA considered that there was no legal basis that would allow the Federal Public Service of Finance to force Belgian citizens to entrust their personal data to a private undertaking as a precondition for accessing public sector information. Moreover, it ruled that as a matter of principle, no authentication mechanism or identification obligation of any kind – government controlled or otherwise – should be necessary to access information that should be publicly available; and that personalised services should not require systematic unique identification of the users.

The ruling is somewhat reminiscent of the 2014 Breyer case before the European Court of Justice (case number C-582/14), in which M. Breyer visited German public sector websites. Observing that the websites logged his IP address, M. Breyer asked for the relevant logs to be deleted under data protection law. The Court affirmed that the logs containing his IP address could be qualified as personal data. While it did not hold that logging access to public sector websites was unlawful, nor that the logs should be deleted, it did acknowledge that data protection law was relevant when securing public sector websites. The Belgian DPA has taken this one step further: even in cases where logging and authentication to public sector websites would be legitimate, this does not imply that private sector companies can be used as a mandatory gatekeeper to public sector information.

 

Article provided by: Hans Graux (Time.lex, Belgium)
