FPS Finance – Complaint Upheld (Belgium, 2020)
The Belgian Data Protection Authority upheld a complaint against FPS Finance for requiring users to create a Microsoft account to access public tax information. This matters because it shows that companies can't force users to share personal data to access public services. Businesses should rethink how they handle user data and consent.
What happened
FPS Finance required users to create a Microsoft account, which involved accepting privacy terms that enabled tracking, to access public tax information.
Who was affected
Citizens who wanted to access public tax information but were forced to share personal data with Microsoft were affected.
What the authority found
The Belgian Data Protection Authority ruled that FPS Finance had no legal basis for requiring personal data sharing as a condition for accessing public information.
Why this matters
This ruling sets a precedent that public services cannot force users to share personal data with private companies. Organizations should review their access requirements to ensure they respect user privacy.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The Federal Public Service of Finance maintain FisconetPlus, an online repository of Belgian tax laws, rulings and guidelines, aimed at informing tax payers on taxation questions and at easing their fiscal compliance. As a part of a revamp in 2018, FisconetPlus was moved to a SharePoint website, hosted in the Belgian federal government’s G-Cloud infrastructure. Thereafter, access to the repository was still free but required logging on to the portal with a Microsoft user account. As a part of their registration process for a Microsoft account, users needed to accept Microsoft’s privacy policy, which by default enabled certain tracking and advertising features. This change within FisconetPlus was examined by the Belgian Data Protection Authority, following a series of complaints. The DPA’s Inspection Service found in February 2019 that the update constituted a breach of the GDPR. The DPA considered that there was no legal basis that would allow the FPS Finance to force citizens to entrust their personal data to a private undertaking as a precondition for accessing public sector information. In June 2020, the DPA’s Inspection Service issued (for the first time in history!) a provisional measure that obliged the FPS Finance to provisionally suspend FisconetPlus, specifically the access to the repository via Microsoft’s SharePoint portal. This decision followed the recommendation published by the DPA’s in February 2019 on the obligation to create a user account with Microsoft for the purpose of consulting public service applications. As a result, the FPS Finance deactivated the access to its FisconetPlus portal via a Microsoft account, which however remained accessible through other means of access. The FPS Finance promised to rewrite FisconetPlus and switch from Microsoft tools to a platform developed internally and hosted entirely on its own infrastructure. Identification and authentication would then be done via the Federal Authentication Service ("FAS”); the creat
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Violations (3)
Cookie consent checkboxes are pre-selected by default, violating the requirement for active, affirmative consent.
Art. 4(11) GDPR
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
The cookie banner uses misleading language to trick or pressure users into accepting cookies (dark patterns).
Art. 7 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for FPS Finance in BE
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
About this data
Cite as: Cookie Fines. FPS Finance - Belgium (2020). Retrieved from cookiefines.eu
Last updated: