BELGIUM Law and Practice Contributed by: Benjamin Docquir and Margo Cornette, Osborne Clarke
GDPR violations related to dark patterns in cookie consent (Decision No 113/2024) The DPA fined Mediahuis EUR25,000 per day for using dark patterns and illicit cookie practices on its websites following a complaint. The com - plainant, represented by the European Center for Digital Rights (NOYB), highlighted the absence of an “accept all” button, deceptive button col - ours and difficulties in withdrawing consent. The DPA ordered Mediahuis to adjust the cookie ban - ners within 45 days to include a refusal button and avoid deceptive colours. If non-compliance persists beyond 45 days, a fine of EUR25,000 per day per website will be imposed. The DPA also reprimanded Mediahuis, stating that only strictly necessary cookies may be used based on legitimate interest. Delayed access request response leads to EUR100,000 fine (Decision No 207/2024) The DPA fined an unnamed telecommunica - tions company for failing to respond promptly to a client’s access request. The company made unsolicited changes to the individual’s subscrip - tions. When the individual submitted an access request under Article 15 of the GDPR, the com - pany took 14 months to respond, thereby violat - ing Articles 12(2), 12(3), and 15 of the GDPR. EUR172,431 EUR fine for failing to honour data subject rights (Decision No 87/2024) The DPA fined a company for failing to erase a data subject’s personal data used in direct marketing, and for having an overloaded, part- time data protection officer (DPO) unable to perform their tasks effectively. The initial fine of EUR245,000 was reduced to EUR172,431 due to the company’s financial situation.
Non-compliant cookie banner (Decision No 156/2024) The Belgian DPA imposed a fine of EUR40,000 per day on RTL Belgium for GDPR violations related to non-compliant cookie banners, fol - lowing a complaint by NOYB. The complaint highlighted the absence of a “reject all” button and the use of misleading colours in the cookie banner. The DPA required RTL Belgium to: • add a button to its cookie banner allowing the refusal of all cookies via a single click on every layer where the “accept all” button appears; and • use colours in its cookie banner that are not manifestly misleading, ensuring that the “accept all” and “refuse all” buttons are dis - played equivalently. After RTL Belgium complied with these cor - rective measures, the DPA acknowledged their compliance, resulting in the dismissal of the case and the waiving of the imposed fines. 1.5 AI Regulation To date, Belgium has not adopted any national legislation on AI or machine learning. However, the AI Act has entered into force and will have direct effect in Belgium as it becomes progres - sively applicable. However, it is worth noting that: • the DPA has issued advice on draft laws covering the use of AI – this advice generally considers the rules applicable to automated decision-making (Article 22 of the GDPR) or the proportionality of using AI systems; and • the DPA has issued guidelines on AI and data protection – on 19 September 2024, it released guidelines on AI, detailing the rela -
15
CHAMBERS.COM
Powered by FlippingBook