The Amsterdam court has slapped the Personal Data Authority on its wrist. The AP fined publisher DPG Media EUR 525,000 for requesting a copy of identity documents (ID) from data subjects to verify their identity. DPG successfully appealed to the court.
DPG asked data subjects for a copy of ID to verify their identity as a condition for (further) processing their request for inspection or deletion. DPG requested this information by default and in advance when data subjects made a request outside the online login environment. In doing so, DPG did not investigate whether it could identify the data subject by other means. According to the AP, this standard request - given the process and the nature of the data processed - is disproportionate and creates an undue barrier for data subjects to exercise their rights.
In practice, there is a tension between facilitating data subjects' rights under Article 12(2) AVG and mandatory identity verification. According to the court, the AP applied the correct standard. The term "facilitating" within the meaning of Article 12(2) AVG means that a controller must provide an arrangement that makes it possible to exercise the rights, without unnecessary obstacles. The mandatory verification of the applicant's identity may be an obstacle, but this obstacle should not be an unnecessary one. DPG did not observe the principles of proportionality, subsidiarity and data minimization. For example, it improperly processed the BSN, document number and ID photo (violation of data minimization) and requested the ID regardless of the nature of the request (violation of proportionality and subsidiarity). The fact that in practice there was more room to deviate from the mandatory ID check is, in the court's view, irrelevant. DPG could have designed its process so that there was more room at an earlier stage to take into account all relevant circumstances, including the nature of the request and the information requested. This assessment is not surprising and is in line with previous Council of State case law on the identification requirement. There it was already confirmed that a copy of an identity document is not in itself an unreasonable means of identifying a person. Nor does the EDPB necessarily disapprove of the use of a copy of an ID. However, its Guidelines on the Right of Inspection (Guidelines 01/2022)(1) do state that, in principle, a copy of an ID is not appropriate ("should be considered inappropriate") unless necessary, appropriate and in line with national law.
According to established case law, the amount of the fine must fit the gravity of the violation and the extent to which it can be blamed on the offender. The circumstances under which the violation was committed must be taken into account (Section 5:46(2) of the Awb). The court ruled that in this case, the AP should not have imposed the fine because it did not sufficiently consider the following circumstances:
DPG did not treat its duties as a data controller lightly, but merely misjudged the required balance between data protection and facilitating other rights under the AVG. There is no serious culpability.
The AVG had only just come into effect and the AP was mostly doing education.
Based on DPG's initial response, the AP should have indicated that DPG's policy needed to be modified to comply with the AVG. The AP apparently did not do so. In addition, the AP consistently waited months during the investigation to take follow-up action. The protracted nature of the breach is therefore not DPG Media's fault, according to the court.
DPG had already changed the policy on its own accord by the time the AP's draft report appeared.
The violation of Article 12(2) AVG concerned the minority of requests from data subjects. The vast majority of access requests, namely those within the online login environment, did not involve a violation of Article 12(2) AVG because identity was verified by other means.
Thus, according to the court, DPG's violation was not serious (enough) and the protracted nature of the violation (due to the AP's long response times) was not DPG's fault. The AP should not have imposed a fine under these circumstances. In this context, the court also refers to alternative measures that the AP could have imposed, such as a warning or reprimand.
This is not the first time a fine decision by the Personal Data Authority has been successfully challenged. In addition to the annulment of the fine against VoetbalTV (ECLI:NL:RVS:2022:2173), the District Court of The Hague mitigated, for example, the fine imposed on the HagaZiekenhuis (ECLI:NL:RBDHA:2021:3090) (peeking into the Barbie file) from EUR 460,000 to EUR 350,000 because the hospital had taken mitigating measures and had, during the objection phase, implemented two-factor authentication and intensified logging. These actions nuanced the hospital's negligence, the court said. Also, in a recent ruling by the District Court of Gelderland, the fine imposed on BKR of EUR 830,000 was mitigated to EUR 668,000 because of the connection between the violations and the presence of mitigating circumstances (ECLI:NL:RBGEL:2023:4071)(2).
Although under these circumstances the court could also have chosen to moderate the fine (after all, the violation is well established), it swept the entire fine off the table. In doing so, the court sends a clear signal to the AP to give more weight to the seriousness of the violation and to improve its own processes. Setting aside the fine against DPG may mean that the AP will reserve its fines for the more serious cases.
Whether the AP will appeal the ruling is not yet clear. The AP announced on its website that it is studying the ruling.
Ruling: https://uitspraken.rechtspraak.nl/#!/details?id=ECLI:NL:RBAMS:2023:5074&showbutton=true&keyword=2023%253a5074&idx=1
(1) https://edpb.europa.eu/our-work-tools/documents/public-consultations/2022/guidelines-012022-data-subject-rights-right_en
(2) https://uitspraken.rechtspraak.nl/#!/details?id=ECLI:NL:RBGEL:2023:4071