The Belgian legislative and regulatory approach to privacy, data protection and cybersecurity is quite comprehensive. The most important legal provisions can be found in the following:
- the General Data Protection Regulation 2016/679 (GDPR), which is the EU regulation on data protection and privacy;
- Article 22 of the Belgian Constitution, which provides that everyone is entitled to the protection of his or her private and family life;
- the Act of 30 July 2018 on the Protection of Natural Persons with regard to the Processing of Personal Data (the Data Protection Act), which replaced the former Belgian Data Protection Act of 8 December 1992 with effect from 5 September 2018. It further implements the GDPR and transposes Directive 2016/680 on the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences;
- the Act of 3 December 2017 on the establishment of the Data Protection Authority;
- Book XII (Law of the Electronic Economy) of the Code of Economic Law, as adopted by the Act of 15 December 2013;
- the Act of 13 June 2005 on Electronic Communications (the Electronic Communications Act); and
- the Act of 28 November 2000 on Cybercrime.
Following a series of cyberattacks on banks and private companies, cybersecurity has received growing attention in Belgium in recent years. Belgium's most widely reported data-loss incident, however, was not an attack at all: in 2015 the Google data centre in Mons was struck by lightning four times during a summer storm, resulting in the permanent loss of data on a tiny fraction (0.000001 per cent) of the total disk space.
Since presenting its national cybersecurity strategy in 2012, Belgium has made substantial efforts to enhance cybersecurity. For instance, a discreet Belgian operation in 2016 prevented the worldwide WannaCry ransomware outbreak of May 2017 from causing large-scale damage in Belgium. After the country scored badly in the 2016 National Exposure Index of the IT security company Rapid7, the Centre for Cybersecurity Belgium (CCB) obtained Rapid7's data on the exposure of Belgian networks and used it to warn the companies concerned. In the 2017 index Belgium was ranked 179th of 183 countries, compared with 2016, when it was ranked first and was therefore the most exposed country. In 2018, however, Belgium rose again to 33rd of 187 countries. A high exposure score reflects a larger proportion of internet-facing services relative to a country's allocated IP address space; Belgium is penalised, among other things, for a comparatively large share of e-mail access services exposed on unencrypted (cleartext) ports. Cybercrime costs Belgium about €3 billion every year.
Furthermore, while the NotPetya ransomware did cause some damage within multinationals in Belgium, the federal Cyber Emergency Team (CERT.be) reports that the efforts made after the WannaCry attack have paid off, as the damage in Belgium was limited. The responsibilities of the CCB and CERT.be are discussed further in Section IX. Belgium is now also seeking to improve cybersecurity in the military field: the Belgian army recruited 92 computer experts in 2017 and plans to recruit up to 200 to form a 'cyber army' responsible for protecting potential military targets. In addition, the police intend to increase their number of cyber specialists to 700 by 2030.
II THE YEAR IN REVIEW
On 16 February 2018, the Brussels Court of First Instance rendered its judgment in the case against Facebook brought by the Belgian Privacy Commission (renamed the Data Protection Authority (DPA) on 25 May 2018). The case concerned Facebook's use of 'social plug-ins' to track the browsing behaviour not only of its users, but also of internet users without a Facebook account. The Court found that Facebook did not comply with Belgian privacy legislation, as it did not give users sufficient information about the data it collected, the purposes of that collection, how the data were processed and how long they were retained. Nor had Facebook obtained valid consent to collect and process those data. Facebook was therefore ordered to stop tracking the internet use of people browsing from Belgium until it brings its practices into line with Belgian privacy legislation, and to delete all data it had obtained unlawfully. Facebook has said it is disappointed with the judgment and has lodged an appeal.
Another important judgment, delivered near the end of 2017, concerned the ongoing debate as to whether foreign online service providers such as Yahoo!, or providers of peer-to-peer communication software such as Skype, are electronic communications service providers under Belgian law and are therefore subject to the jurisdiction of the Belgian courts.
In the Yahoo! case, the Belgian Supreme Court (Court of Cassation) on 1 December 2015 dismissed Yahoo!'s appeal against the ruling of the Court of Appeal of Antwerp obliging it to disclose to the Belgian judicial authorities the identity of persons who had committed fraud via its e-mail service, even though Yahoo! had no establishment or personnel in Belgium. The Court of First Instance of Mechelen subsequently had to rule on Skype's duty not only to disclose certain information, but also to provide technical assistance for the interception of the content of 'live' voice communications. Whereas in the Yahoo! case the obligation to disclose information (and thus jurisdiction) could be located in Belgium on the grounds of the 'portability' of information, that reasoning was difficult to apply by analogy to technical assistance that would have to be provided in Luxembourg: Skype is a Luxembourg company with no infrastructure in Belgium, so compliance would require material acts abroad. Nonetheless, the Court of First Instance fined Skype €30,000 for refusing to cooperate in setting up a wiretap ordered by the Mechelen investigating judge. The Court held that the technical assistance required of Skype was to be provided in Belgium and that the technical impossibility of cooperating was irrelevant, because Skype itself had created that impossibility by organising its operations as it did. Skype has a duty to ensure that it is able to comply with its obligations under Belgian law, and must therefore organise itself so that it can assist law enforcement on request. Skype appealed to the Court of Appeal of Antwerp, which followed the reasoning of the Court of First Instance (see Section VI). Skype has lodged a further appeal with the Supreme Court, which is still pending.
III REGULATORY FRAMEWORK
i Privacy and data protection legislation and standards
Until recently, Belgian privacy and data protection legislation was set forth in the Data Protection Act of 8 December 1992, which from 25 May 2018 had to be read in conjunction with the GDPR. That coexistence ended when the Data Protection Act of 30 July 2018 entered into force on 5 September 2018.
Belgium had transposed the EU Data Protection Directive 95/46/EC quite literally, so its definitions closely tracked those of EU law; since 25 May 2018 the definitions of the GDPR apply directly. Under the GDPR, 'personal data' means any information relating to an identified or identifiable natural person, whereby an 'identifiable natural person' is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The data controller is the person who alone or jointly with others determines the purposes and means of the processing of personal data, and data processors are persons that process personal data on behalf of a data controller. Under Belgian law, it is also possible for different persons or entities to act as data controller in respect of the same personal data.
Since 25 May 2018, the Belgian enforcement agency responsible for privacy and data protection has been the DPA. The main mission of the former Privacy Commission was to monitor compliance and raise awareness; where necessary, it could also bring a case before the Belgian courts. The GDPR has broadened the powers of national supervisory authorities, and the Belgian Privacy Commission was consequently reformed into the DPA to reflect this. In accordance with the Act of 3 December 2017, the DPA now has broad investigative powers and may impose temporary measures as well as administrative fines of up to €20 million or 4 per cent of worldwide annual turnover, whichever is higher.
The Data Protection Act brought to a logical end the peculiar coexistence of the Belgian Data Protection Act of 8 December 1992 with the GDPR. The GDPR has applied since 25 May 2018 and directly governs data-processing activities performed by Belgium-based controllers and processors. After the Act of 3 December 2017 creating the DPA (replacing the Commission for the Protection of Privacy), which is tasked with monitoring compliance by Belgian entities with their data protection obligations, the Data Protection Act is the second piece of legislation triggered by the GDPR. The Act is dated 30 July 2018 and entered into force on 5 September 2018. It deals, among other things, with the areas in which the GDPR allows the national legislator to add additional or clarifying requirements: the age of children's consent, additional requirements for the processing of genetic, biometric and health data, additional requirements for the processing of data relating to criminal convictions and offences, restrictions on processing for journalistic purposes and for the purposes of academic, artistic or literary expression, and additional exceptions for processing for archiving in the public interest or for scientific or historical research or statistical purposes.
The Belgian legislator set 13 as the age from which children may themselves consent to the processing of their personal data in relation to information society services, using the option in Article 8 of the GDPR to lower the default age of 16.
Regarding the processing of genetic, biometric and health data, or data related to criminal convictions and offences, the Belgian legislator has set out measures that must be taken, such as maintaining a list of persons entitled to consult the data, together with a description of their functions, related to the processing of such data, which are bound by a legal or contractual duty of confidentiality. The controller or processor must make a list of these persons available to the DPA on request. Although the latter obligation is not part of the GDPR, it existed previously under the Belgian Data Protection Act of 8 December 1992 and its implementing acts. Where applicable, affected entities must implement the new requirements under the Data Protection Act.
Concerning the processing of criminal data, the Belgian legislator has added further grounds for processing, similar to those that had already been provided for in the Belgian Data Protection Act of 8 December 1992. As with the processing of genetic, biometric and health data, the persons entitled to consult these data must be designated and bound by a legal or contractual duty of confidentiality, and a list of them must be kept at the disposal of the DPA. The additional grounds for processing criminal data are as follows:
- by private companies, if necessary for the management of litigation to which the company is a party;
- by legal advisers if necessary to defend the interests of a client;
- if necessary for substantial public interest reasons or to perform a task in the public interest; and
- if necessary for archiving, scientific, historical research or statistical purposes.
The Belgian legislator has also included specific exceptions to data subject rights for processing for journalistic, academic, artistic or literary purposes, as well as for archiving in the public interest or for scientific or historical research or statistical purposes. For journalistic, academic, artistic or literary expression purposes, some of the articles of the GDPR such as consent, information obligation, right to restrict processing and right to object do not apply. It is noteworthy that disclosure of the register, personal data breach notifications and the duty to cooperate with the DPA also does not apply if this would jeopardise an intended publication or constitute a prior control.
Concerning archiving in the public interest or scientific or historical research or statistical purposes, the data subject's rights are likewise restricted where exercising them would render it impossible or seriously impair the achievement of those purposes. Additional requirements are imposed, however: the records must explain why these data are processed, why the exercise of the data subject's rights would impair the achievement of the purposes and why the data are used without being pseudonymised, and a data protection impact assessment must be carried out where necessary. Data subjects must be informed whether the data are pseudonymised, and why the exercise of their rights would impair the achievement of the aforementioned purposes.
Belgium-based data controllers and processors should review their data protection documentation (for example, their privacy notices) to update any references to the Belgian Data Protection Act of 8 December 1992.
The new Data Protection Act consolidates the patchy Belgian data protection regulatory framework. For example, it incorporates the provisions of the Act of 25 December 2016 on the processing of passenger data.
In transposing Directive 2016/680 on the processing of personal data by competent authorities for law enforcement purposes, the Data Protection Act imposes requirements on government entities that were hardly affected by the Belgian Data Protection Act of 8 December 1992. For example, the armed forces and the intelligence and security services must now comply with requests from data subjects to exercise certain data protection rights, albeit in a restricted fashion.
ii General obligations for data handlers
Data may be processed if the processing meets one of the following requirements (Article 6 of the GDPR):
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject under or by virtue of an act, decree or ordinance;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of the official authority vested in the controller; or
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data, in particular where the data subject is a child.
The processing must also comply with the general principles of data processing (Article 5 of the GDPR), which require that personal data be:
- processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency);
- collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes (purpose limitation);
- adequate, relevant and limited to what is necessary (data minimisation);
- accurate and, where necessary, kept up to date (accuracy);
- kept in a form that permits identification of data subjects for no longer than necessary (storage limitation); and
- processed in a manner that ensures appropriate security of the personal data (integrity and confidentiality).
Sensitive personal data (i.e., the special categories of Article 9 of the GDPR: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health and data concerning a natural person's sex life or sexual orientation; data relating to criminal convictions and offences are subject to the separate regime of Article 10) may only be processed in accordance with the GDPR if the processing:
- is carried out with the data subject's explicit consent for one or more specified purposes;
- is necessary for carrying out the obligations and exercising the specific rights of the controller or the data subject in the field of employment, social security and social protection law, in so far as it is authorised by law providing for appropriate safeguards for the fundamental rights and interests of the data subject;
- is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
- is carried out in the course of its legitimate activities with appropriate safeguards by a non-profit body and relates to members of that body or persons who have regular contact with it, and the personal data are not disclosed outside that body without the consent of the data subjects;
- relates to data manifestly made public by the data subject;
- is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
- is necessary for reasons of substantial public interest, on the basis of law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject;
- is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, subject to professional secrecy;
- is necessary for reasons of public interest in the area of public health on the basis of law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy; or
- is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, on the basis of law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.
Regarding consent, it must be added that parental consent is required for the processing of the personal data of children under the age of 13 in relation to information society services (as opposed to the default age of 16 in Article 8(1) of the GDPR).
As mentioned before, the new Data Protection Act also further regulates possible exceptions regarding the processing of the above special categories of data in implementation of the GDPR.
In practice, however, legitimate interest (rather than consent) is frequently relied upon as the ground for processing non-sensitive personal data. It should be noted that the DPA regards obtaining the unambiguous consent of the data subject as best practice and treats legitimate interest as only a residual ground for processing.
Belgian law does not impose any particular formalities for obtaining consent to process personal data. Under the GDPR, consent may be given in writing, orally or by any other clear affirmative action, provided it is freely given, specific, informed and unambiguous; for special categories of data it must in addition be explicit. Since the controller bears the burden of proving that valid consent was obtained, it is recommended to obtain express consent in writing (or in another recorded form) for evidential purposes.
With respect to the processing of employees' personal data, the DPA finds that such processing should be based on legal grounds other than consent, in particular the performance of a contract with the data subject, since obtaining valid consent from employees is considered difficult (if not impossible) given their subordinate relationship with the employer.
As far as the data subjects' rights of access, rectification and erasure are concerned, the GDPR provides that a data controller must give a data subject access to his or her data upon request. The data subject has the right to have inaccurate data rectified or erased and, in certain cases, may object to decisions being made about him or her based solely on automated processing.
Since the GDPR has applied, data controllers no longer need to notify the DPA of their data processing operations. Instead, they are bound to keep records of their processing activities, and it is up to the controller to demonstrate that each processing operation rests on a valid legal basis under the GDPR, whether consent or another ground.
In 2017, the DPA issued a recommendation on the records of processing activities. In it, the DPA explains that both controllers and processors must keep records, regardless of whether they are natural or legal persons or entities without legal personality, and that the records must be made available on first request. Exceptions exist, but they are not absolute; for small entities, the DPA recommends keeping records in any case, even where an exception would apply. The DPA does not object, however, to the records omitting occasional, incidental processing of data. The recommendation further explains how the records relate to the former notifications, how those notifications can be used as a starting point for establishing the records, and how the records require a broader registration of data processing than the old notifications did. The old notifications will remain available online for one year after the GDPR became applicable on 25 May 2018. The records may be kept in any language, but the DPA may request the controller or processor to provide a translation into one of the national languages; where possible, it is therefore advisable to keep the records in Dutch, French or German to avoid additional costs.
A further obligation under the GDPR is the appointment of a data protection officer (DPO) in specific cases: for public authorities, where the core activities involve large-scale regular and systematic monitoring of data subjects, or where they involve large-scale processing of special categories of data or of data relating to criminal convictions and offences. On 24 May 2017, the DPA issued a recommendation to help controllers and processors prepare for the obligations under the GDPR.
The DPO is not a new concept: Directive 95/46/EC already allowed Member States to provide for a similar, non-mandatory function, the appointment of which exempted the controller from the notification requirement. Under the former Data Protection Act of 1992, however, this function was not linked to an exemption from notification but was an additional requirement that could be imposed by Royal Decree where deemed necessary. No general Royal Decree was ever issued to this effect, but specific legislation (for instance for certain public databases, the police and hospitals) did provide for the mandatory appointment of a person with such a function.
Under the legislation pre-dating the GDPR, the 'old' DPO had a more limited function and mostly advised its institution or company on compliance. Under the GDPR, the DPO has a much more prominent role, and the DPA considers the DPO the cornerstone of accountability. For this reason, the DPA has distanced itself from its earlier advice on this function and emphasises that, under the GDPR, the suitability of the person to be appointed as DPO must be assessed afresh. The appointment of a DPO for government agencies has been reiterated and further regulated in the Data Protection Act.
iii Specific regulatory areas
Although Belgium has not adopted a sectoral approach towards data protection legislation, there are nevertheless separate regulations in place for certain industries and special (more vulnerable) data subjects. In addition to the Data Protection Act, specific laws have been adopted to provide additional protection for data subjects in the following sectors:
- camera surveillance: the installation and use of surveillance cameras is governed by the Camera Surveillance Law of 21 March 2007, which was most recently amended by the Act of 16 April 2018, in order to comply with the GDPR, with the amended provisions taking effect on 25 May 2018, the date that the GDPR entered into effect;
- workplace privacy: the installation and use of surveillance cameras for the specific purpose of monitoring employees is subject to Collective Bargaining Agreement No. 68 of 16 June 1998 concerning the camera surveillance of employees. In addition, the monitoring of employees' online communications is subject to the rules laid down in Collective Bargaining Agreement No. 81 of 26 April 2002 concerning the monitoring of electronic communications of employees;
- electronic communications: the Electronic Communications Act of 13 June 2005 contains provisions on the secrecy of electronic communications and the protection of privacy in relation to such communications. Furthermore, the Electronic Communications Act imposes requirements on providers of telecommunication and internet services regarding data retention, the use of location data and the notification of data security breaches;
- medical privacy: the Patient Rights Act of 22 August 2002 governs, inter alia, the use of patients' data and the information that patients need to receive in this respect; and
- financial privacy: the financial sector is heavily regulated. For instance, the use of credit card information for profiling violates consumer credit legislation, which clearly states that (1) personal data collected by financial institutions can only be processed for specific purposes, (2) only some data can be collected, and (3) it is prohibited to use the data collected within the credit relationship for direct marketing or prospection purposes. Belgian legislation also requires that information be deleted when its retention is no longer justified.
Noteworthy in an EU context is that the Network and Information Security Directive (the NIS Directive) had to be transposed into national law by the EU Member States by 9 May 2018, shortly before the GDPR became applicable. In addition to the specific data protection rules above, the NIS Directive provides a legal basis for higher cybersecurity standards in respect of certain 'essential' services. The Belgian implementation of the NIS Directive is still in progress: the Belgian government has finalised its draft Act, which is expected to be presented to parliament for approval soon.
Under the draft Act, competent government entities are designated at two levels with separate functions. A national public entity is charged with monitoring compliance and coordinating the implementation of the Act, while sectoral authorities monitor compliance within their respective sectors.
The NIS Directive applies in particular to operators of essential services (OESs) in the following sectors:
- energy (electricity, oil and gas);
- transport (air, rail, water and road);
- banking and financial market infrastructure;
- health;
- drinking water supply and distribution; and
- digital infrastructure.
To ensure an adequate level of network and information security in these sectors and to prevent, handle and respond to incidents affecting network and information systems, the NIS Directive imposes the following obligations on OESs:
- the obligation to take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of their network and information systems, and to prevent or minimise the impact of incidents; and
- the obligation to notify the competent authority, without undue delay, of incidents having a 'significant impact' on the continuity of the essential services they provide. To assess the significance of an incident, the following criteria are to be taken into account: (1) the number of users affected; (2) the duration of the incident; (3) the geographical spread of the area affected by the incident; and (4) for digital service providers, which the Directive also regulates, the extent of the disruption of the functioning of the service and the extent of the impact on economic and societal activities.
The notification obligations, preventive actions and sanctions under the NIS Directive should increase transparency regarding network and information security and heighten awareness of cybersecurity risks in the above-mentioned essential services.
The draft Act provides for the identification of OESs, lays down the security requirements at both national and sectoral level, and sets out how compliance is monitored through internal and external audits and the sanctions for non-compliance.
Concerning computer security incidents, the draft Act establishes computer security incident response teams at national and sectoral level and lays down the procedures for reporting security incidents.
iv Technological innovation and privacy law
The DPA released in March 2017 a report on the use of big data, on which stakeholders could comment until 11 April 2017.
The report aims to reconcile the need for legal certainty with the application of big data in current and future applications, especially in the light of the GDPR. The recommendations made in the report cover various aspects, such as data protection compliance and respect for data subjects' rights. It is not the intention of the DPA to curtail unnecessarily the use of big-data applications as they are often very useful to society.
According to the DPA, consent to cookies cannot be considered validly given merely by ticking a box in the browser settings.
In January 2017, the European Commission published its proposal for the new e-Privacy Regulation, which will be directly applicable in Belgium and will replace the current national rules on, among other things, cookies once adopted. Both the European Parliament and the Council have published their respective positions, and the three institutions are now in 'trilogue' negotiations to settle the final text. The current draft would allow consent to be given through browser settings, provided that the consent involves a clear affirmative action by the end user of terminal equipment signifying his or her freely given, specific, informed and unambiguous agreement to the storage of, and access to, third-party tracking cookies on that equipment. This implies that browser vendors will have to change significantly the way their browsers work for consent given via browser settings to be valid.
In addition, the proposal clarifies that no consent is required for non-privacy-intrusive cookies that improve the user's experience (e.g., shopping-cart history) or cookies used by a website to count the number of visitors. It was initially intended that the e-Privacy Regulation would become applicable at the same time as the GDPR, but the negotiations have been delayed. The Regulation is now expected to be finalised in 2019, after which (much like the GDPR) a transitional period will most likely apply before it becomes enforceable.
Electronic marketing and advertising is regulated by the provisions of Book XII (Law of the Electronic Economy) of the Code of Economic Law, which has transposed Directive 2002/58/EC of the European Parliament and the Council of 12 July 2002, as adopted by the Act of 15 December 2013, as well as the Royal Decree of 4 April 2003 providing for exceptions.
The automated sending of marketing communications by telephone without human intervention or by fax is prohibited without prior consent.
When a company wants to contact an individual personally by phone (i.e., in a non-automated manner) for marketing purposes, it should first check whether the individual is on the 'do-not-call-me' list of the non-profit organisation DNCM. Telecom operators should inform their users about this list and the option to register online. If the individual is registered on the list, the company should obtain the individual's specific consent before contacting him or her.
Furthermore, the proposal for the new e-Privacy Regulation (already referred to above in the context of cookie rules) obliges marketing callers to always display their phone number or use a special prefix that indicates a marketing call. Again, as this is only a draft text, it is not certain that this obligation will effectively be imposed on marketing callers.
Likewise, the use of emails for advertising purposes is prohibited without the prior, free, specific and informed consent of the addressee pursuant to Section XII.13 of the Code of Economic Law. This consent can be revoked at any time, without any justification or any cost for the addressee. The sender must clearly inform the addressee of its right to refuse the receipt of any future email advertisements and on how to exercise this right using electronic means. The sender must also be able to prove that the addressee requested the receipt of electronic advertising. The sending of direct marketing emails does not require consent if they are sent to a legal entity using 'impersonal' electronic contact details (e.g., email@example.com) which also do not fall within the scope of the GDPR. The use of addresses such as firstname.lastname@example.org, which include personal data, however, remains subject to the requirement for prior consent.
Other exceptions could also apply regarding electronic advertisements, such as for existing clients to whom advertisements are sent for similar products or services, given that the client did not object thereto. These exceptions are based on national legislation predating the GDPR, however. It remains to be seen how the DPA will continue to interpret these exceptions after 25 May 2018, and whether it believes they comply with the strict criteria for processing data under the GDPR. We believe it is likely this will remain the case, as the DPA may accept that they fall under the 'legitimate interest' category, for which it has in the past already accepted that the maintenance of customer relationships could provide a legitimate interest.
Unless individuals have opted out, direct marketing communications through alternative means are allowed. Nonetheless, the GDPR prescribes a general obligation for data controllers to offer data subjects the right to opt out of the processing of their personal data for direct marketing purposes.
On 16 April 2018, the Camera Surveillance Act was amended, both regarding use by law enforcement and use outside of law enforcement. The changes entered into effect on 25 May 2018, the same day that the GDPR entered into force, and reflect the changes to privacy law brought about by the GDPR. To install camera surveillance, it is now required that the police, rather than the DPA, be informed. This will take place via an online application.
The data controller will also need to keep a separate record concerning the processing of these data. Further details on this record will be determined by Royal Decree.
Data controllers who install a surveillance camera in 'publicly accessible venues' are also required to indicate its existence with a visible sign in proximity to the camera, and to provide, in proximity to the camera, a screen that displays the images being recorded.
Regarding the scope of the Camera Surveillance Law, a surveillance camera falling within the scope of this Act is a fixed (temporary or permanent) or mobile observation system whose purpose is to survey and guard certain areas, and which processes images for this purpose.
The purpose is further elaborated in Article 3 of the Camera Surveillance Law as being either of the following:
- prevention, ascertaining or investigation of crimes against persons or goods; or
- prevention, ascertaining or investigation of nuisance in accordance with Article 135 of the New Act on Municipalities, monitoring of the compliance with municipal regulations and public order.
The use of surveillance cameras regulated by other special legislation or by public authorities does not fall within the scope of the Camera Surveillance Law. If surveillance cameras are used merely to monitor the safety, health and protection of the assets of the company, the production process or the work performed by employees, the Camera Surveillance Law is not applicable. However, if the surveillance cameras would also be used for one of the purposes listed above in accordance with Article 3 of the Camera Surveillance Law, the Camera Surveillance Law will apply and take precedence over any other legislation.
Employee monitoring is strictly regulated under Belgian law. Apart from the rules embedded in the Camera Surveillance Act of 16 April 2018, which will apply if the surveillance of employees would fall within its scope as discussed above, the monitoring of employees by means of surveillance cameras in particular is subject to the provisions of Collective Bargaining Agreement No. 68 of 16 June 1998. Pursuant to this Agreement, surveillance cameras are only allowed in the workplace for specific purposes:
- the protection of health and safety;
- the protection of the company's assets;
- control of the production process; and
- control of the work performed by employees.
In the latter case, monitoring may only be on a temporary basis. Employees must also be adequately informed of the purposes and the timing of the monitoring.
With respect to monitoring of emails and internet use, Collective Bargaining Agreement No. 81 of 26 April 2002 imposes strict conditions. Monitoring cannot be carried out systematically and on an individual basis. A monitoring system for emails and internet use should be general and collective, which means that it may not enable the identification of individual employees. The employer is only allowed to proceed with the identification of the employees concerned if the collective monitoring has revealed an issue that could harm the company or threaten the company's interests or the security of its IT infrastructure. If the issue only relates to a violation of the internal (internet) policies or the code of conduct, identification is only allowed after the employees have been informed that irregularities have been uncovered and that identification will take place if irregularities occur again in the future. In 2012, the DPA issued a specific recommendation on workplace cyber-surveillance. In this regard, the DPA advises employers to encourage employees to label their private emails as 'personal' or to save their personal emails in a folder marked as private. Furthermore, companies should appoint a neutral party to review a former or absent employee's emails and assess whether certain emails are of a professional nature and should be communicated to the employer.
Finally, GPS monitoring in company cars is only allowed under Belgian law with respect to the use of the company car for professional reasons. Private use of the company car (i.e., journeys to and from the workplace and use during private time) cannot be monitored.
IV INTERNATIONAL DATA TRANSFER AND DATA LOCALISATION
Cross-border data transfers within the EEA or to countries that are considered to provide adequate data protection in accordance with EU and Belgian law are permitted. Transfers to other countries are only allowed if the transferor guarantees that adequate safeguards are in place. This can be done by entering into a model data transfer agreement (based on the EU standard contractual clauses) with the recipient or if the transfer is subject to binding corporate rules (BCRs).
Some countries are deemed to be adequate by the European Commission, such as Switzerland, Canada, Andorra, Argentina and the United States (the latter only if the transfer of data meets the requirements adopted in the EU–US Privacy Shield). Recently, an agreement was made between the European Union and Japan. It remains to be seen whether or not the EU–US Privacy Shield will survive the second annual review, or be suspended following the adoption by the US of the Cloud Act allowing police to access personal data outside US boundaries and the continuing failure by the US to comply with the Privacy Shield requirements (e.g., the appointment of an ombudsman).
If an international data transfer is concluded under the EU standard contract clauses, a copy of these must be submitted to the DPA for information. The DPA will check their compliance with the standard contractual clauses and will subsequently inform the data controller whether the transfer is permitted. Data controllers need to wait for this confirmation from the DPA before initiating their international data transfer.
In the case of non-standard ad hoc data transfer agreements, the DPA will examine whether the data transfer agreement provides adequate safeguards for the international data transfer. If the DPA believes that the safeguards are adequate, it will forward the request to the European Data Protection Board, which must also approve.
If a data controller gives 'sufficient guarantees' for adequate data protection by adopting BCRs, a copy of the BCRs also needs to be sent to the DPA for approval, as well as the European Data Protection Board.
As an exemption to the above, transfers to countries not providing adequate protection are also allowed if the transfer:
- is made with the data subject's consent;
- is necessary for the performance of a contract with, or in the interests of, the data subject;
- is necessary or legally required on important public interest grounds or for legal claims;
- is necessary to protect the vital interests of the data subject; or
- is made from a public register.
V COMPANY POLICIES AND PRACTICES
The appointment of a chief privacy officer is not very common in Belgium, except within large (and mostly multinational) corporations. Such corporations often also have regional privacy officers. In smaller companies, the appointment of a chief privacy officer is rare. However, given the increasing importance of privacy and data security, even smaller companies often have employees at management level in charge of data privacy compliance (often combined with other tasks). Of course, the GDPR will change this, as many companies will now be required to appoint a Data Protection Officer (see above).
The GDPR contains an obligation to conduct a data protection impact assessment (DPIA) for high-risk data processing activities. The DPA has taken the liberty of issuing recommendations on the DPIA requirement of the GDPR. In addition to the non-exhaustive list of processing activities as envisaged by the GDPR (i.e., any processing that entails a systematic and extensive evaluation of personal aspects that produce legal effects; any processing on a large scale of special categories of data; and any systematic monitoring of a publicly accessible area on a large scale), the DPA clarifies its position on what qualifies as high risk, when a DPIA must be conducted, what it should entail and when it should be notified of the results of a DPIA. The main takeaway of the DPA's statement is that it should only be notified of processing activities where the residual risk (i.e., the risk after mitigating measures have been taken by the controller) remains high. Whether the DPA's position will be supported at EU level remains to be seen, since the interpretation of DPIA methodologies is in principle an EU-level matter.
A substantial number of companies have conducted privacy audits certainly now in view of the implementation of the GDPR to get a clear view on their data flows and security measures. These audits have often resulted in the implementation of overall privacy compliance projects, including the review and update of IT infrastructure, the conclusion of data transfer agreements or adoption of BCRs and the review and update of existing data processing agreements with third parties.
In large organisations, it is considered best practice to have written information security plans. Although this is also not required by law, it proves very useful, as companies are required to present a list of existing security measures when they notify their data processing operations to the DPA. The DPA has also recommended that companies have appropriate information security policies to avoid or address data security incidents. This has become even more important now in view of the short deadlines for data breach notifications under the GDPR.
On 14 June 2017, the DPA published a recommendation on processing-activity record-keeping, as discussed above. As from the entry into force of the GDPR in 2018, organisations processing personal data within the EU must maintain records of their processing activities. Organisations with fewer than 250 employees are exempted from keeping such records, unless their processing activities:
- are likely to result in a risk to the rights and freedoms of data subjects (e.g., automated decision-making);
- are not occasional; or
- include sensitive data.
On the basis of the above-mentioned non-cumulative conditions, it may be expected that basically all organisations processing personal data will have to maintain records of their processing activities in practice, even if they employ fewer than 250 people. The DPA advises all companies to do so.
In substance, these records should contain information on who processes personal data, what data is processed and why, where, how and for how long data is processed.
VI DISCOVERY AND DISCLOSURE
Pursuant to the Belgian Code of Criminal Procedure, the public prosecutors and the examining magistrates have the power to request the disclosure of personal data of users of electronic communications services (including telephone, email and internet) in the context of criminal investigations. Examining magistrates may also request the technical cooperation of electronic communications service providers and network operators in connection with wiretaps.
The personal and territorial scope of application of these powers is currently the subject of a heated debate before the Belgian Supreme Court and criminal courts. In 2009, Yahoo! was prosecuted for non-compliance with the provisions of the Code of Criminal Procedure, as it had refused to disclose certain personal data related to a Yahoo! account that had been used in connection with a drug-related criminal offence. In addition, Skype was also charged with non-compliance as a result of its alleged lack of technical cooperation in connection with a wiretap on the communication of one of its Belgian users (see also Section II). The discussion in both cases deals with two issues: first, can Yahoo!, Skype and similar service or software providers be considered as providers of electronic communications services under Belgian law; and second, does the duty of cooperation set forth in the Belgian Code of Criminal Procedure apply to foreign entities that have no physical presence (no offices, infrastructure, servers, etc.) in Belgium – and if so, can it be enforced against them by the Belgian courts?
A detailed discussion of both questions is beyond the scope of this chapter, but it is interesting to note that the Supreme Court has already issued two surprising decisions in the Yahoo! case that may have far-reaching consequences. In its first decision, the Court extended the scope of the definition of providers of electronic communications services, so that it includes not only service providers that take care of the transmission of signals and data over electronic communications networks, but also 'anyone offering a service that allows its customers to obtain, receive or spread information via an electronic communications network'. This new definition seems problematic for multiple reasons. First, the Supreme Court disregards the very clear definition of 'providers of electronic communications services' set forth in the Act of 13 June 2005 on electronic communications. Second, its own definition is very vague and gives courts a great margin of appreciation, which goes against the principle of legal certainty (in particular in criminal matters). Therefore, it can be expected that in the future, the duty to disclose personal data will apply not only to traditional internet access providers and telephone companies, but also to a wide variety of online software or service providers. This broad definition has, after the Supreme Court judgment, now been adopted into the Belgian Code of Criminal Procedure (e.g., in Articles 46 bis, 88 bis and 90 quater of the Code of Criminal Procedure) and is, therefore, indisputable.
The second decision of the Supreme Court in the Yahoo! case is even more important from an international perspective: the Court ruled that even though Yahoo! had no physical presence in Belgium, the provisions of the Code of Criminal Procedure applied to it, as the 'service' it offers can be used in Belgium via the internet. It also stated that the fact that the public prosecutor sent the request to disclose personal data directly to Yahoo! in the United States (without making use of the procedures set out in the applicable treaties regarding mutual legal assistance in criminal matters) did not make the request invalid or unenforceable.
This latter decision essentially implies that foreign entities offering an online service (or software) are subject to Belgian criminal law as soon as the software service can be used in Belgium, and that the Belgian public prosecutor has the power to enforce Belgian criminal law against such foreign entities without the intervention or assistance of the judicial authorities of the state of residence of these entities. Obviously, this position taken by the Supreme Court would also imply that foreign judicial authorities could enforce their national criminal law against service providers located in Belgium and do so without assistance from the Belgian courts.
Finally, on 1 December 2015, the Supreme Court put an end to the legal proceedings by rejecting the appeal, thereby confirming the Court of Appeal's decision, which has caused important implications for the international system of mutual legal assistance in criminal matters.
Analogously, in its ruling of 27 October 2016, the Court of First Instance of Mechelen condemned Skype Communications SARL, a Luxembourg-based entity, for refusing to set up a wiretap in Mechelen. The wiretap concerned was ordered by the Mechelen examining judge in the framework of an investigation into a Skype user. Again, the Belgian authorities ignored the European Convention on Mutual Assistance in Criminal Matters and imposed the wiretap order directly on Skype in Luxembourg. The Court of Mechelen applied a similar reasoning to that applied by the Supreme Court in the Yahoo! case and held that the alleged offence, namely the refusal to provide technical assistance, can be deemed to have occurred in the place where the information should have been received, regardless of where the operator was established.
Notably, the context of the Skype case is quite different from the situation in the Yahoo! case. While the Yahoo! case involved the mere refusal to disclose information to the Belgian authorities (Article 46 bis, Section 1 of the Belgian Code of Criminal Procedure), the Skype case concerns the provision of metadata and the refusal to set up a wiretap (Article 88 bis, Section 2 and Article 90 quater, Section 2 of the Belgian Code of Criminal Procedure). The latter is undeniably a completely different type of measure, encompassing not only the provision of information, but also material acts by Skype and the necessary technical infrastructure to perform them, which Skype did not have in Belgium. Unsurprisingly, Skype appealed against this judgment before the Court of Appeal of Antwerp, but the Court of Appeal confirmed the judgment by the Court of First Instance of Mechelen. Notably, the Court confirmed that Skype has the duty to make sure it has the necessary technical infrastructure to perform the measures requested (the wiretap), even if this would result in a large cost for Skype. Skype appealed against this judgment before the Belgian Supreme Court. This appeal is currently still pending.
VII PUBLIC AND PRIVATE ENFORCEMENT
i Enforcement agencies
The Belgian enforcement agency with responsibility for privacy and data protection is the DPA.
The DPA's mission is, inter alia, to monitor compliance with the provisions of the GDPR and the Data Protection Act. To this end, the DPA has general power of investigation with respect to any type of processing of personal data and may file a criminal complaint with the public prosecutor. It may also institute a civil action before the president of the court of first instance. Whereas this is where the scope of authority ended for the original Privacy Commission, the reformed DPA (in light of the GDPR) is an independent administrative authority with legal personality and extensive investigative and sanctioning powers, composed of six different bodies: an executive committee, a general secretariat, a front-line service, a knowledge centre, an inspection service and a dispute chamber.
The executive committee, composed of the leaders of the five other bodies, is responsible for the adoption of the DPA's general policies and strategic plan.
A general secretariat is responsible for the reception and processing of complaints and to inform citizens about their data protection rights.
The inspection service functions as the investigating body of the DPA, with a wide array of investigative powers (e.g., interrogation of individuals).
The front-line service has a singular role in providing guidance (e.g., with regard to adequate data protection techniques under the GDPR) and supervising data controllers and processors and their compliance with data protection legislation.
Led by six experts in the field, the knowledge centre provides public decision-makers with the necessary expertise to understand the technologies likely to impact on the processing of personal data.
The dispute chamber, composed of a president and six judges, is able to impose sanctions of up to €20 million or up to 4 per cent of the total worldwide annual turnover of the infringing company.
In addition to the above-mentioned bodies established under the auspices of the reformed DPA, an independent think tank has been set up to reflect society as a whole, both the participants in the creation of the digital world and those affected by it, and to provide the executive committee with a broad vision and guidance as it negotiates current and future data protection challenges.
Another novelty of the new DPA is that, along with natural persons, legal persons, associations or institutions will also be able to lodge a complaint of an alleged data protection infringement.
In spite of the expansion of the DPA's powers, the government had initially announced that it would not increase the DPA's budget. However, it has been reported that the government has set aside €1.6 million for the new DPA to be able to perform its new tasks.
While the new DPA with its new bodies had to be fully functional from 25 May 2018, it ran into some difficulties concerning the nomination of its members. Until this is completed, the new DPA will continue to be headed by its former management, but with all new competences and functions.
ii Recent enforcement cases
The most important recent enforcement case undertaken by the DPA is the one initiated against Facebook in June 2015 concerning its unlawful processing of data through hidden cookies. The Court of First Instance has rendered its judgment, condemning Facebook (see above). Facebook has filed for appeal.
The European Court of Justice recently concurred with Advocate General Bot in its judgment in Case C-210/16, stating that the promotion and sale of advertising space by Facebook Germany was inextricably linked to the contested data processing, and that German law is therefore applicable. In his non-binding opinion, Advocate General Bot had stated in 2017 that Facebook should indeed adhere to the national privacy rules of EU Member States if it collects and processes data from users in those Member States and has a physical establishment (e.g., a sales office) on their territory. Hence, the advocate general opposed Facebook's argument that it should comply only with Ireland's privacy legislation, the country where it has its European headquarters.
In addition to the Facebook case, the most important enforcement cases before the Belgian courts are the Yahoo! and Skype cases, discussed in Sections II and VI.
iii Private litigation
Private plaintiffs may seek judicial redress before the civil courts on the basis of the general legal provisions related to tort or, in some cases, contractual liability. In addition, they may file a criminal complaint against the party that committed the privacy breach. Financial compensation is possible, to the extent that the plaintiff is able to prove the existence of damages as well as the causal link between the damage and the privacy breach. Under Belgian law, there is no system of punitive damages.
Class actions were traditionally not possible under Belgian law until 1 September 2014, when a new Act on Class Actions entered into force.
In a judgment of 29 April 2016, the Supreme Court ruled in favour of the right to be forgotten. The case concerned the online disclosure of an archived database of a famous Belgian newspaper, which would result in the publication of the full name of a driver who was involved in a car accident in 1994 in which two people died. Both the Court of Appeal and the Supreme Court considered the right to be forgotten essential in this case and ruled in favour of a limitation of the right of freedom of expression.
VIII CONSIDERATIONS FOR FOREIGN ORGANISATIONS
Organisations based or operating outside Belgium may be subject to the Belgian data protection regime to the extent that they process personal data in Belgium. Physical presence in Belgium (either through a local legal entity or branch office, with or without employees, or through the use of servers or other infrastructure located on Belgian territory) will trigger the jurisdiction of Belgian privacy and data protection law even if the personal data that is processed in Belgium relates to foreign individuals. Foreign companies using cloud computing services for the processing of their personal client or employee data may, therefore, be subject to Belgian law (with respect to such processing) if the data is stored on Belgian servers.
In principle, the mere provision of online services to persons in Belgium, without actual physical presence, will not trigger Belgian jurisdiction. However, as discussed under Section VI, according to a recent Supreme Court decision, the Belgian judicial authorities would have jurisdiction over foreign entities providing online services or software to users in Belgium, even if they are not present in Belgium. This is certainly an issue to follow up, as it may have an important impact on the territorial scope of application of Belgian law.
It should be noted that the GDPR applies to data controllers having no presence at all (establishment, assets, legal representative, etc.) in the EU but who process EU citizens' personal data in connection with goods or services offered to those EU citizens; or who monitor the behaviour of individuals within the EU.
IX CYBERSECURITY AND DATA BREACHES
As a member of the Council of Europe, Belgium entered into the Council's Convention on Cybercrime of 23 November 2001. Belgium implemented the Convention's requirements through an amendment of the Act of 28 November 2000 on cybercrime, which introduced cybercrime into the Belgian Criminal Code. With the Act of 15 May 2006, Belgium also implemented the requirements of the Additional Protocol to the Convention on Cybercrime of 28 January 2003 concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems.
As previously mentioned, the CCB performs the following tasks:
- monitoring Belgium's cybersecurity;
- managing cybersecurity incidents;
- overseeing various cybersecurity projects;
- formulating legislative proposals relating to cybersecurity; and
- issuing of standards and guidelines for securing public sector IT systems.
Since becoming operational at the end of 2015, the CCB has carried out several awareness campaigns; for instance, in the context of the Petya ransomware cyberattacks and the 'CEO fraud' (a large-scale scam where cybercriminals contact a company as the alleged CEO of another big company with a request to make an important payment into the first company's bank account).
Furthermore, the management of CERT, which has been in the hands of Belnet since 2009, was transferred to the CCB in December 2016. The transfer of all CERT activities is part of the continuing coordination of Belgian cybersecurity and is aimed at assisting companies and organisations in the event of cyber incidents by providing advice both about finding solutions when such incidents arise and about preventing incidents occurring.
Additionally, the Belgian Cyber Security Coalition, which is a partnership between parties from the academic world, public authorities and the private sector, was established in October 2014. Currently, more than 50 key participants from across the three sectors are active members. These include large financial institutions, universities, consultancy companies, professional organisations and government bodies. The main goals of the Coalition are to raise awareness about cybersecurity, exchange know-how, take collective actions in the fight against cybercrime and support governmental and sectoral bodies in setting policies and determining ways to implement these policies.
With respect to data breach notifications, Article 114/1, Section 2 of the Electronic Communications Act requires companies in the telecommunications sector to notify personal data breaches to the DPA immediately (within 24 hours); the DPA must transmit a copy of the notification to the Belgian Institute for Postal Services and Telecommunications. If there is a breach of personal data or of the privacy of individuals, the company must also notify the data subjects affected by the breach. It is expected that the Belgian implementation of the NIS Directive will provide for a detailed procedure regarding breaches for operators of essential services (see above).
The Belgian Data Protection Act of 8 December 1992 did not, however, provide for a general data breach notification obligation, as is provided for in the GDPR. In 2013, the DPA was confronted by a series of data security incidents of which it only became aware after those incidents were published in the media. Unable to change the legislation itself (which, of course, would require legislative intervention), the DPA issued a recommendation upon its own initiative stating that it considered data breach notifications to be an inherent part of the general security obligations incumbent on any data controller.
With the entry into force of the GDPR, Article 33 of the GDPR now provides for a duty for the data controller to report personal data breaches to the DPA without undue delay and, where feasible, not later than 72 hours after having become aware of them. This notification must describe the nature of the breach, communicate the details of the DPO or other contacts where more information can be obtained, describe the likely consequences of the breach and describe the measures taken or proposed to be taken by the controller to address the breach. In some cases a communication to the data subjects is also necessary, namely where there is a high risk to their rights and freedoms. It must be noted that the DPA's recommendation also stresses that, in the event of public incidents, the DPA must be informed within 48 hours of the causes and damage. Although the concept of a 'public incident' is not explained in greater detail, this could refer to an incident in which a breach has occurred that is likely to become known to the public or the DPA via, for example, the media, the internet, or complaints from individuals.
In relation to data security, the International Chamber of Commerce in Belgium and the Federation of Enterprises in Belgium, together with the B-CCentre, have taken the initiative to create the Belgian Cyber Security Guide in cooperation with Ernst & Young and Microsoft. The Guide is aimed at helping companies protect themselves against cybercriminality and data breaches. To that effect, it has listed 10 key security principles and 10 'must do' actions, including user education, protecting and restricting access to information, keeping IT systems up to date, using safe passwords, enforcing safe-surfing rules, applying a layered approach to viruses and other malware, and making and checking backup copies of business data and information.
With regard to the entry into force of the GDPR this year, the overall focus of the DPA will obviously be on assisting companies, data controllers and data processors with the implementation of this new EU data protection framework. To this end, the DPA launched a separate section dedicated to the GDPR on its website and a 13-step plan for companies involved in data collection or processing, or both, to help them comply with the new rules of the GDPR. That said, months after the entry into force of the GDPR, its website, which contains many specific guidelines on data protection compliance, still has not been fully updated to reflect the changes made by the GDPR.
Apart from the strengthening of the investigative and sanctioning powers of the DPA (see Section VII), we do not expect the GDPR to result in any major changes to the Belgian situation in practice. Belgium's legislation and the interpretation given to it by the DPA have traditionally been in line with EU law and the positions of the European Commission and the Article 29 Working Party (now the European Data Protection Board).
As mentioned above (see Section VII), the investigative and sanctioning powers of the DPA will be significantly expanded under the GDPR. In the event of a complaint being lodged with the DPA or of a data breach incident, it will have broader competence to examine the complaint and to impose higher sanctions on the alleged violator. In its assessment of alleged data protection violations, the DPA will definitely check whether sufficient efforts have been made to meet the requirements laid down in the GDPR. Therefore, actual enforcement of data protection legislation may now become more frequent, although it remains to be seen which resources the DPA will have available to actually enforce compliance with the GDPR.
Other than the GDPR, upcoming legislation includes the implementation of the NIS-Directive, meaning that Belgium may obtain a more structured landscape as regards cybersecurity and continuity of essential services. Upcoming European legislation also includes the e-Privacy legislation, which will override the GDPR and provide for more clarity regarding specific issues that may arise concerning privacy in connection with online interactions.