IAB Europe – Violation Found (Belgium, 2021)

The complainants, Johnny Ryan, Pierre Dewitte, Jeff Ausloos, Bruno Bidon, Panoptykon (NGO), Bits of Freedom (NGO) and La Ligue des Droits de l'Homme, filed several complaints against the Interactive Advertising Bureau Europe (IAB Europe) for various GDPR violations (including the principles of legality, transparency and fairness, minimisation and security among others). In total, 4 complaints were filed before the ADP and 5 before other data protection authorities through the IMI ( Internal Market Information) system. These complaints were therefore joint into one investigation. As this is an international issue with complainants residing in various Member States, the Belgian DPA provides an interlocutory decision on the language of the procedure. What language should the Belgian DPA use in a cross-border procedure concerning complaints by data subjects in different Member States? The Belgian DPA outlined that it must first consider what language the complainants used to communicate with the DPA and what language the DPA used to communicate with them. As Article 30 of the Belgian Constitution provides for "linguistic liberty", the complainant can address the DPA in any language. However, in terms of the language for a procedure, Article 57 of the Law on the creation of the data protection authority (Loi portant création de l'Autorité de protection des données) states that the DPA uses the language "in which the proceedings are conducted according to the specific needs of the case". The complainants argued that Article 57 of the Law on the creation of the DPA was contrary to the constitutional provision cited above. However, the DPA held that it was not competent to address the legality of the Law in relation to the Constitution. It therefore went on to say that, Article 57 of the Law, read in combination with Article 60 of the same Law, provide that procedures must be conducted in one of the national languages. In this context, the DPA noted that it general