Authors: Heidi Waem, Nicolas Becker
On 21 October 2022, the Belgian Data Protection Authority issued its first settlement decisions (Cases 150/2022 and 151/2022 of 21 October 2022 ) whereby the cases against a controller for alleged cookie infringements were settled by means of payment of 10.000 EUR per case. It is also the first decision of this type in the EU. To our knowledge, Supervisory Authorities in other EU Member-States have not yet taken this particular type of settlement decision.
Proposing a settlement is one of the powers conferred upon the Litigation Chamber (i.e., the administrative dispute resolution body within the Belgian Data Protection Authority) and is included in the list of measures in article 100 of the Belgian Act on the Establishment of the Data Protection Authority.
In the cases at hand, it appears that the proceedings before the Litigation Chamber had already started, and the controller had already filed submissions. Compared to criminal proceedings, where settlements are also possible, it is quite unusual that a settlement is proposed at a point in time where the Litigation Chamber already has all the elements of the file at its disposal, to then propose a settlement instead of taking a decision on the merits of the case.
The settlement was proposed under the following conditions:
- The controller pays the sum of EUR 10,000 (per case) and waives any civil or other action with regard to the settlement.
- The Litigation Chamber finds no violation of the GDPR by the controller and formally closes the case with the settlement decision.
- For the Litigation Chamber, the acceptance of a settlement proposal does not constitute an admission on the part of the controller. In particular, such acceptance of the settlement proposal cannot be used as an aggravating circumstance when establishing sanctions in possible future proceedings before the Litigation Chamber.
- In the event of explicit acceptance, or in the absence of a response from the party to whom the settlement proposal is addressed within the specified time period, such settlement proposal shall take the form of a formal decision which is published on the website of the Data Protection Authority.
The last condition may raise certain eyebrows. Under Belgian procedural law, a settlement would usually only be put in place with acceptance of the parties. Also, publishing a settlement decision, including the name of the controller, is all but common.
These settlements differ from the amicable settlements discussed in the EDPB guidelines issued in May 2022. These EDPB guidelines apply to settlements between a data subject and a controller in a procedure initiated on the basis of a complaint, in particular in relation to the exercise of data subject rights.
While this type of settlement decision in Belgium is still at an early stage – and may benefit from certain enhancements – it is certainly an interesting avenue for controllers to consider when confronted with proceedings before the Belgian Data Protection Authority.