FPS Finance – Complaint Upheld (Belgium, 2020)
FPS Finance faced complaints for requiring users to create a Microsoft account to access public tax information, which violated privacy rules. This ruling is important because it emphasizes that public services must protect users' personal data.
What happened
FPS Finance required users to accept Microsoft’s privacy policy to access public tax information, which was deemed unlawful.
Who was affected
Citizens who wanted to access the tax information were affected by this requirement.
What the authority found
The Belgian data protection authority ruled that FPS Finance did not have a legal basis for requiring personal data to access public information.
Why this matters
This case highlights the need for public sector organizations to safeguard personal data. Companies should ensure that access to public services does not come at the cost of user privacy.
Original data from scraper before AI verification against source document.
The Federal Public Service of Finance maintains FisconetPlus, an online repository of Belgian tax laws, rulings and guidelines, aimed at informing taxpayers on taxation questions and at easing their fiscal compliance. As a part of a revamp in 2018, FisconetPlus was moved to a SharePoint website, hosted in the Belgian federal government’s G-Cloud infrastructure. Thereafter, access to the repository was still free but required logging on to the portal with a Microsoft user account. As a part of their registration process for a Microsoft account, users needed to accept Microsoft’s privacy policy, which by default enabled certain tracking and advertising features. This change within FisconetPlus was examined by the Belgian Data Protection Authority, following a series of complaints. The DPA’s Inspection Service found in February 2019 that the update constituted a breach of the GDPR. The DPA considered that there was no legal basis that would allow the FPS Finance to force citizens to entrust their personal data to a private undertaking as a precondition for accessing public sector information. In June 2020, the DPA’s Inspection Service issued (for the first time in history!) a provisional measure that obliged the FPS Finance to provisionally suspend FisconetPlus, specifically the access to the repository via Microsoft’s SharePoint portal. This decision followed the recommendation published by the DPA in February 2019 on the obligation to create a user account with Microsoft for the purpose of consulting public service applications. As a result, the FPS Finance deactivated access to its FisconetPlus portal via a Microsoft account; the portal, however, remained accessible through other means of access. The FPS Finance promised to rewrite FisconetPlus and switch from Microsoft tools to a platform developed internally and hosted entirely on its own infrastructure. Identification and authentication would then be done via the Federal Authentication Service ("FAS"); the creat
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Violations (3)
Cookie consent checkboxes are pre-selected by default, violating the requirement for active, affirmative consent.
Art. 4(11) GDPR
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
The cookie banner uses misleading language to trick or pressure users into accepting cookies (dark patterns).
Art. 7 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for FPS Finance in BE
This is the only recorded action for this entity in this jurisdiction.
About this data
Cite as: Cookie Fines. FPS Finance - Belgium (2020). Retrieved from cookiefines.eu