From now on, anyone who searches for information on the Fisconetplus portal of the FPS Finance to complete their tax declaration will no longer have to use a Microsoft account.
This is the result of a provisional measure imposed by the Data Protection Authority (APD) on the FPS Finance. The APD has ordered the FPS Finance to suspend access to its Fisconetplus application through a Microsoft account.
Provisional measure of the Inspection Service:
It is the first time that the Inspection Service has decided on a provisional measure.
The provisional measure is one of the powers provided by law for the Inspection Service of the APD.
The Inspector-General and the inspectors can thus order the suspension, limitation or temporary freezing of data processing if this measure makes it possible to avoid a situation likely to cause serious, immediate and difficult-to-repair damage.
Provisional measures decided by the Inspection Service can last up to three months, which can be extended by a further three months at most.
Recommendation 01/2019 of February 6, 2019:
This decision follows the recommendation published in February 2019 by the Data Protection Authority concerning the illegality of an obligation to create a Microsoft user account in order to consult public service applications.
The body of that recommendation clearly stated that it was intended to apply to all public services that plan to deploy similar applications relying on external partners.
Content of the recommendation:
In this recommendation the Authority considered, on the one hand, that making access to an application which only gives its users access to public information conditional on an account with a commercial provider such as Microsoft is contrary to the principles of data protection by design and by default (Article 25 of the GDPR).
Indeed, the Authority notes that in order to create an account, users must submit to Microsoft's privacy and cookie policy and its default cookie settings. These default settings do not respect these two principles because they let Microsoft collect a wide range of data on its users.
The Authority also notes that the legal basis for this processing is not clearly stated by the public authority which requires recourse to the creation of an account.
The processing therefore does not comply with Article 6 of the GDPR as well as Articles 8 and 22 of the ECHR.
In addition, the principles of proportionality and legitimacy of the processing set out in Article 5 of the GDPR are also ignored, as nothing seems to justify the necessity of this processing. (The accessible information is only public information, so it is not a priori necessary to create an account to access it.)
Finally, the Authority notes that the controller (the public authority) cannot discharge its own obligation to inform users (under Articles 13 and 14 of the GDPR) by using, as it does, a commercial company to provide basic functionality.
In terms of cookies, the combination of a compulsory registration of the data subject, their compulsory acceptance of various cookies (including cookies implemented by third parties) and a very broad basic setting is contrary to the consent requirement listed in Article 129 of the LCE.
For these reasons, the APD concludes that the imposition by public authorities of the use of a Microsoft account to access an application that only makes public information, and not personal data, available to its users is contrary to the GDPR.
In all cases, given the potential risks to the rights and freedoms of the persons concerned, in particular with regard to the security of the platform (Article 32 of the GDPR), the public authority should at least have conducted a data protection impact assessment before putting such a system in place.
By this provisional measure, the Data Protection Authority asserts itself and confirms its intention to fully use the prerogatives assigned to it by law.
If you have any questions relating to this subject, do not hesitate to contact me via the "contact me" section of the blog, or write me an email.