The Belgian legislative and regulatory approach to privacy, data protection and cybersecurity is quite comprehensive. The most important legal provisions can be found in the following:
- Article 22 of the Belgian Constitution, which provides that everyone is entitled to the protection of his or her private and family life;
- the Act of 28 November 2000 on Cybercrime;
- the Act of 13 June 2005 on Electronic Communications (the Electronic Communications Act);
- Book XII (Law of the Electronic Economy) of the Code of Economic Law, as adopted by the Act of 15 December 2013;
- the Act of 3 December 2017 on the establishment of the Data Protection Authority;
- the General Data Protection Regulation 2016/679 (GDPR), which is the EU regulation on data protection and privacy;
- the Act of 30 July 2018 on the Protection of Natural Persons with regard to the Processing of Personal Data (the Data Protection Act), which replaced the former Belgian Data Protection Act of 8 December 1992 with effect as of 5 September 2018. It concerns the further implementation of the GDPR and Directive 2016/680 regarding the processing of data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences; and
- the Act of 7 April 2019 establishing a framework for the security of networks and information systems of general interest for public security.
Cybersecurity has increasingly received attention in Belgium in recent years, because of an increasing number of cybersecurity attacks on Belgian companies. The Cyber Readiness Report 2019 noted that around 70 per cent of the Belgian companies became a victim of one or more cyberattacks in 2018, resulting in an average loss of €329,000 per company. About 10 to 20 per cent of Belgian companies have taken out insurance against cybercrime.
Despite its substantial efforts to enhance cybersecurity, Belgium has risen to the 33rd most exposed country of 187 countries in Rapid7's National Exposure Index in 2018. Belgium scores high because it offers a higher percentage of exposed services in relation to its allocated IP address space. Belgium scores badly for, among other things, having a larger percentage of unencrypted ports exposed for email access. Cybercrime costs Belgium about €4.5 billion every year.
Cybercrime, including ransomware, is increasingly challenging companies in Belgium. The Belgian Federal Cyber Emergency Team notes up to 35 cases a day. In extreme cases, a large cyberattack can lead to a (partial) shutdown of a company. For instance, in July 2019, 150 out of 1,000 employees of an enterprise specialised in producing aircraft parts were technically jobless for almost a month following a ransomware attack.
Apart from further updates on cybersecurity, including the final implementation of the EU's Network and Information Security Directive (NIS Directive) into Belgian law, this contribution will set out the most important Belgian laws relating to privacy and data protection. It will look into the Belgian implementation of the GDPR and its first results.
II THE YEAR IN REVIEW
Facebook's use of 'social plug-ins' to track the internet behaviour not only of its users but also of internet users without a Facebook account had come under fire from the Belgian Privacy Commission (renamed the Data Protection Authority (DPA) on 25 May 2018) in 2015. The Brussels Court of First Instance concluded in its judgment of 16 February 2018 that Facebook did not respect Belgian privacy legislation, as it did not provide its customers with sufficient information regarding the data it collected, the purpose thereof, how the data was processed and how long the data was retained. Facebook also did not obtain valid consent to collect and process this data. Consequently, Facebook was ordered to stop registering the internet use of people using the internet from Belgium until it aligns its policy with Belgian privacy legislation, and to delete all data it obtained unlawfully. Facebook lodged an appeal against this judgment with the Brussels Court of Appeal, which decided on 8 May 2019 to refer the case to the European Court of Justice. Given that the GDPR provides for a new cooperation mechanism whereby only one DPA is competent to investigate a case, the European Court will have to determine whether the Belgian DPA can continue to work on the case, or whether the European Data Protection Board or the Irish DPA (as Facebook's HQ is located in Ireland) will become competent.
In February, the Belgian Supreme Court rendered its judgment determining whether Skype, as a foreign peer-to-peer internet software provider, should be considered an electronic communications service provider under Belgian law and therefore whether it should be subject to the jurisdiction of the Belgian courts. In 2016, the Court of First Instance of Mechelen ruled that Skype's duty to cooperate with the Belgian judicial authorities was not limited to disclosing certain information, but also extended to providing technical assistance for the interception of the content of 'live' voice communications. In an earlier case concerning Yahoo!, it was possible to locate the obligation to disclose information (and thus jurisdiction) in Belgium on the grounds of the 'portability' of information, despite the fact that Yahoo! lacked any establishment or personnel in Belgium. By contrast, Skype is a Luxembourg company without infrastructure in Belgium, which would require the Belgian judicial authorities to perform material acts abroad in order to request disclosure of information.
Nonetheless, the Court of First Instance imposed a fine of €30,000 on Skype for its refusal to cooperate in setting up a wiretap ordered by the Mechelen investigative judge. The Court ruled that the technical assistance required of Skype was to be provided in Belgium and that the technical impossibility of Skype cooperating was irrelevant, because Skype itself had created this impossibility by organising its operations in the way it did. Skype has the duty to make sure it is able to comply with its obligations under Belgian law, and therefore needs to organise itself so that it is able to lend its assistance to law enforcement upon request. This judgment was confirmed by the Court of Appeal of Antwerp. In the end, the Belgian Supreme Court upheld the earlier judgment. The Court did not submit a question for a preliminary ruling to the European Court of Justice, as requested by Skype, which sought to argue that requiring an establishment in a certain Member State in order to provide wiretapped communications to the national authorities may violate the freedom to provide services (Article 56 of the Treaty on the Functioning of the European Union). The Court explained that an electronic communications service provider does not need any establishment in Belgium, but has to organise itself technically in such a way that it is possible to deliver wiretapped conversations to the Belgian authorities, even if only digitally. Among other things, the Court emphasised that Skype had been fined for not cooperating with the Belgian authorities, not for lacking any technical infrastructure in Belgium.
III REGULATORY FRAMEWORK
i Privacy and data protection legislation and standards
Belgian privacy and data protection legislation was set forth in the Belgian Data Protection Act of 8 December 1992, which had to be read in conjunction with the GDPR. However, since the Act of 30 July 2018 entered into force on 5 September 2018, this coexistence has ended.
Belgium had transposed the EU Data Protection Directive quite literally. Its definitions therefore leaned closely towards those used in EU law, but had to be amended in light of the GDPR. Under the GDPR, 'personal data' means any information relating to an identified or identifiable natural person, whereby an 'identifiable person' is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The data controller is the person who alone or jointly with others determines the purposes and means of the processing of personal data, and data processors are persons that process personal data on behalf of a data controller. Under Belgian law, it is also possible for different persons or entities to act as data controller in respect of the same personal data.
The Belgian enforcement agency with responsibility for privacy and data protection has been, since 25 May 2018, the DPA. The old Privacy Commission had as its main mission monitoring compliance and increasing awareness. It could, if needed, also initiate a case before the Belgian courts. The GDPR has broadened the powers of national DPAs, and the Belgian Privacy Commission was consequently reformed into the Belgian DPA in order to reflect this. In accordance with the Act of 3 December 2017, the DPA now has broad investigative powers, and the ability to impose temporary measures as well as administrative fines of up to 4 per cent of worldwide turnover.
The Data Protection Act brought to a logical end the peculiar coexistence of the Belgian Data Protection Act of 8 December 1992 with the GDPR. The GDPR came into force on 25 May 2018 and directly applies to data-processing activities performed by Belgium-based controllers and processors. After the Act of 3 December 2017 creating the DPA (replacing the Commission for the Protection of Privacy), tasked with monitoring compliance by Belgian entities with their privacy obligations, the Data Protection Act is the second piece of legislation triggered by the GDPR. The Data Protection Act implementing the GDPR was approved by the parliament on 30 July 2018 and entered into force on 5 September 2018. The Act deals with, among other things, areas in the GDPR where the national legislator was able to add additional or clarifying requirements. This includes the age of children's consent, additional requirements for the processing of genetic, biometric and health data, additional requirements regarding the processing of criminal data, restrictions regarding processing for journalistic purposes and for the purpose of academic, artistic or literary expression, and additional exceptions for processing for the purposes of archiving in the public interest or for scientific or historical research or statistical purposes.
The Belgian legislation set 13 as the age from which children may provide consent for the use of an information service, lower than the age of 16 set by the GDPR.
Regarding the processing of genetic, biometric and health data, or data related to criminal convictions and offences, the Belgian legislator has set out measures that must be taken, such as maintaining a list of the persons entitled to consult the data, together with a description of their functions in relation to the processing of such data; these persons must be bound by a legal or contractual duty of confidentiality. The controller or processor must make this list available to the DPA on request. Although the latter obligation is not part of the GDPR, it existed previously under the Belgian Data Protection Act of 8 December 1992 and its implementing acts. Where applicable, affected entities must implement the requirements under the Data Protection Act.
Belgium has also established an Information Security Committee that is competent to preventively control whether the communication of personal data within the government, via the Crossroads Bank for Social Security, or of health data, complies with the GDPR's basic principles. It can also grant deliberations that will be binding between the parties and on third parties.
Concerning the processing of criminal data, the Belgian legislator has added additional grounds for processing such data, similar to those that had already been provided for in the Belgian Data Protection Act of 8 December 1992. As with the processing of genetic, biometric and health data, the persons entitled to consult these data must be designated and bound by a legal or contractual duty of confidentiality, and a list of them must be kept at the disposal of the DPA. The following are additional grounds for the processing of criminal data:
- by private companies, if necessary for the management of litigation to which the company is a party;
- by legal advisers if necessary to defend the interests of a client;
- if necessary for substantial public interest reasons or to perform a task in the public interest; and
- if necessary for archiving, scientific, historical research or statistical purposes.
The Belgian legislator has also included specific exceptions to data subject rights for processing for journalistic, academic, artistic or literary purposes, as well as for archiving in the public interest or for scientific or historical research or statistical purposes. For journalistic, academic, artistic or literary expression purposes, some of the provisions of the GDPR, such as those on consent, the information obligation, the right to restrict processing and the right to object, do not apply. It is noteworthy that disclosure of the register, personal data breach notifications and the duty to cooperate with the DPA also do not apply if this would jeopardise an intended publication or constitute a prior control.
Concerning archiving in the public interest or for scientific or historical research or statistical purposes, the data subject's rights are also restricted if these rights would render it impossible or seriously impair the achievement of these purposes. However, additional requirements are also imposed, such as an explanation in the records of why these data are processed, why an exercise of the data subject's rights would impair the achievement of the purposes and a justification for the use of data without pseudonymising these data – as well as if necessary a data processing impact assessment. Data subjects should be informed whether the data are pseudonymised, as well as why the exercise of their rights would impair the achievement of the aforementioned purposes.
Belgium-based data controllers and processors should review their data protection documentation (for example, their privacy notices) to update any references to the Belgian Data Protection Act of 8 December 1992.
The Data Protection Act consolidates the patchy Belgian data protection regulatory framework. For example, it incorporates the provisions of the Act of 25 December 2016 on the processors of passenger data.
In implementing Directive 2016/680 on the processing of personal data by criminal authorities, the Data Protection Act imposes certain requirements on government entities that before were hardly affected by the Belgian Data Protection Act of 8 December 1992. For example, army forces and intelligence and security services must now comply with requests from data subjects to exercise certain data protection rights, albeit in a restricted fashion.
ii General obligations for data handlers
Data may be processed if the processing meets one of the following requirements (Article 6 of the GDPR):
- the data subject has unambiguously given his or her consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject under or by virtue of an act, decree or ordinance;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of the official authority vested in the controller; or
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data, in particular where the data subject is a child.
The processing must comply with the general principles of data processing, which implies that personal data is to be:
- processed fairly and lawfully in a transparent manner;
- collected for specific, explicit and legitimate purposes, and not processed in a manner incompatible with those purposes;
- adequate, relevant and not excessive;
- accurate and, where necessary, up to date;
- kept in an identifiable form for no longer than necessary; and
- processed in a manner that ensures appropriate security of the personal data.
Sensitive personal data (i.e., personal data related to racial or ethnic origin, political opinions, religious or political beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person's sex life or sexual orientation, or judicial information) may only be processed in accordance with the GDPR if the processing:
- is carried out with the data subject's explicit written consent for one or more specified purposes;
- is necessary for a legal obligation in the field of employment, social security and social protection law, insofar as it is authorised by law providing for appropriate safeguards for the fundamental rights and interests of the data subject;
- is necessary to protect the vital interests of the data subject where the data subject is unable (physically or legally) to give consent;
- is carried out in the course of its legitimate activities with appropriate safeguards by a non-profit body and relates to members of that body or persons who have regular contact with it and that the personal data are not disclosed outside that body without the consent of the data subjects;
- relates to data manifestly made public by the data subject;
- is necessary for legal claims;
- is necessary for reasons of substantial public interest, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
- is necessary for medical reasons;
- is necessary for reasons of public interest in the area of public health on the basis of law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy; or
- is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes based on law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Regarding consent, it must be added that parental consent is required for the processing of personal data concerning information services for children under the age of 13 (as opposed to the age of 16 in Article 8.1 of the GDPR).
As mentioned before, the Data Protection Act also further regulates possible exceptions regarding the processing of the above special categories of data in implementation of the GDPR.
In practice, however, the ground of legitimate interest is frequently relied upon (rather than consent) as a ground for processing non-sensitive personal data. It should be noted, however, that the DPA finds that obtaining the unambiguous consent of the data subject is best practice and that the legitimate interest condition is only a residual ground for processing.
Except with respect to the processing of sensitive personal data, where consent of the data subject must be provided in writing, Belgian law does not impose any formalities regarding obtaining consent to process personal data. Such consent may be express or implied, written or oral, provided it is freely given, specific and informed. However, as consent should be unambiguous as well, it is recommended to obtain express and written consent for evidential purposes.
With respect to the processing of employees' personal data, the DPA finds that such processing should be based on legal grounds other than consent, in particular the performance of a contract with the data subject, since obtaining valid consent from employees is considered difficult (if not impossible) given their subordinate relationship with the employer.
Since the GDPR is in effect, data controllers no longer need to notify the DPA of all types of data processing operations. Instead, they are bound to keep records of their processing activities. It is now up to the controller to be able to prove that it has obtained consent for its data processing or has a legitimate reason for doing so under the GDPR.
Another obligation under the GDPR is the appointment of a data protection officer (DPO) in specific cases, such as for public authorities, or when there is large-scale systematic monitoring of personal data or large-scale processing of sensitive data. On 24 May 2017, the DPA issued a recommendation to help data controllers and data processors with the preparation for the implementation of the obligations under the GDPR.
The DPO is not a new concept, as Directive 95/46/EC already allowed member states to provide for a similar, non-obligatory function, the appointment of which would exempt the data controller from making a mandatory notification. In the former Data Protection Act of 1992, however, this function was not linked to an exemption from notification, but was rather an additional requirement that could be imposed by Royal Decree in situations where it was deemed necessary. A general Royal Decree was never issued in this regard, but specific legislation (such as for specific public databases, the police, and hospitals) did provide for the mandatory appointment of a person with such a function.
Under the legislation pre-dating the GDPR, the 'old' DPO had a more limited function and mostly provided its institution or company with advice regarding compliance. Under the GDPR, the DPO has a much more prominent role, and the DPA considers the DPO to be the cornerstone of accountability. For this reason, the DPA wishes to distance itself from its older advice regarding this function, and emphasises that under the GDPR, the appointment of the appropriate person as a DPO must be assessed separately. In this regard, the appointment of a DPO for government agencies has been reiterated and further regulated in the Data Protection Act.
iii Data subject rights
The GDPR sets out clearly which rights data subjects possess. In particular, data subjects have:
- the right to certain information when personal data are collected from the data subject (Article 13) or have not been obtained from him or her (Article 14), such as the identity of the controller, the period for which the personal data is stored or the possibility to access, rectify or erase the personal data held by the controller;
- the right of access (Article 15), whereby the data subject can inquire whether his or her personal data are being processed or not, and whereby, where that is the case, he or she can access the personal data and information such as the purpose of the processing, the recipients of the personal data or the source of the personal data;
- the right to rectification (Article 16), by which inaccurate personal data can be rectified;
- the right to erasure ('the right to be forgotten') (Article 17), which sets out certain grounds which can apply to exercise the right to obtain from the controller the erasure of personal data concerning him or her;
- the right to restriction of processing (Article 18), based on, for instance, an unlawful processing of personal data;
- the right to data portability (Article 20), which facilitates the transfer of personal data held by a certain controller to another;
- the right to object (Article 21) to the processing of personal data; and
- the right not to be subject to a decision based solely on automated processing, including profiling (Article 22).
iv Specific regulatory areas
Although Belgium has not adopted a sectoral approach towards data protection legislation, there are nevertheless separate regulations in place for certain industries and special (more vulnerable) data subjects. In addition to the Data Protection Act, specific laws have been adopted to provide additional protection for data subjects in the following sectors:
- Camera surveillance: the installation and use of surveillance cameras is governed by the Camera Surveillance Law of 21 March 2007, which was most recently amended by the Act of 16 April 2018, in order to comply with the GDPR, with the amended provisions taking effect on 25 May 2018, the date that the GDPR entered into effect.
- Workplace privacy: the installation and use of surveillance cameras for the specific purpose of monitoring employees is subject to Collective Bargaining Agreement No. 68 of 16 June 1998 concerning the camera surveillance of employees. In addition, the monitoring of employees' online communication is subject to the rules laid down in Collective Bargaining Agreement No. 81 of 26 April 2002 concerning the monitoring of electronic communications of employees.
- Electronic communications: the Electronic Communications Act of 13 June 2005 contains provisions on the secrecy of electronic communications and the protection of privacy in relation to such communications. Furthermore, the Electronic Communications Act imposes requirements on providers of telecommunication and internet services regarding data retention, the use of location data and the notification of data security breaches.
- Medical privacy: the Patient Rights Act of 22 August 2002 governs, inter alia, the use of patients' data and the information that patients need to receive in this respect.
- Financial privacy: the financial sector is heavily regulated. For instance, the use of credit card information for profiling violates consumer credit legislation, which clearly states that (1) personal data collected by financial institutions can only be processed for specific purposes, (2) only some data can be collected, and (3) it is prohibited to use the data collected within the credit relationship for direct marketing or prospection purposes. Belgian legislation also requires that information be deleted when its retention is no longer justified.
On 3 May 2019, the Belgian Network and Information Security Act (the NIS Act) entered into force, finally transposing the EU Network and Information Security Directive (the NIS Directive) into Belgian law, nearly a year too late as this should have been done by the EU Member States by 25 May 2018 together with the entry into force of the GDPR. In addition to the specific data protection rules above, the NIS Act adds a legal basis for higher cybersecurity standards in respect of certain 'essential' services.
Under the Act, authorised government entities on two different levels, with separate functions, will be in charge of compliance with the NIS Act. A national public entity will be charged with monitoring compliance and coordinating the implementation of this Act. On a sectoral level, sectoral authorities will be charged with monitoring compliance for their respective sectors.
The NIS Directive applies in particular to operators of essential services (OESs). OESs can be found in the following industries:
- energy (electricity, oil and gas);
- transportation (air, rail, water and road);
- banking and financial market infrastructure;
- health and drinking water supply and distribution; and
- digital infrastructure (including digital services such as online sales platforms, online search engines and cloud computing services).
To ensure an adequate level of network and information security in these sectors and to prevent, handle and respond to incidents affecting networks and information systems, the NIS Act sets out the following obligations for these OESs:
- the obligation to take appropriate technical and organisational measures to manage the risks posed to their network and information systems, and to prevent or minimise the impact in the event of a data breach; and
- the obligation to notify the competent authority, without undue delay, of all incidents with a 'significant impact' on the security of the core services provided by these operators. To assess the impact of an incident, the following criteria should be taken into account: (1) the number of users affected; (2) the duration of the incident; (3) the geographical spread with regard to the area affected by the incident; and (4) in relation to certain OESs, the disruption of the functioning of the service and the extent of the impact on economic and societal activities.
The notification obligations, preventive actions and sanctions under the NIS Act should increase transparency regarding network and information security and heighten awareness of cybersecurity risks in the above-mentioned essential services.
The Act provides for the identification of OESs and establishes the security requirements at both national and sectoral level, as well as how compliance is monitored through internal and external audits, and the sanctions for non-compliance (e.g. fines).
Concerning computer security incidents, the Act establishes computer security incident response teams at national and sectoral level, and lays down the procedures for reporting security incidents.
v Technological innovation and privacy law
The Belgian DPA's most recent report on big data dates from March 2017. It aims to reconcile the need for legal certainty with the application of big data in current and future applications, especially in the light of the GDPR. It provides for 33 concrete recommendations on how to apply data protection principles to big data, covering various aspects, such as data protection compliance and respect for data subjects' rights. It is not the intention of the DPA to curtail unnecessarily the use of big-data applications as they are often very useful to society.
According to the DPA, consent cannot be considered validly given by ticking a box in the browser settings.
In January 2017, the European Commission published the draft text of the new ePrivacy Regulation, which will become directly applicable in Belgium and, after its adoption, replace all the current national rules relating to, inter alia, cookies. Both the European Parliament and the Council have published their respective drafts. The three EU institutions have since been in 'trilogue' negotiations to determine the final text. The latest draft text was published on 12 July 2019 by the European Council. The current draft Regulation would possibly allow consent to be given through browser settings, provided that this consent entails a clear affirmative action from the end user of terminal equipment to signify his or her freely given, specific, informed and unambiguous consent to the storage of, and access to, third-party tracking cookies in and from the terminal equipment. This entails that internet browser providers will have to significantly change the way their browsers function for consent to be validly given via browser settings.
In addition, the proposal clarifies that no consent has to be obtained for non-privacy-intrusive cookies that improve the internet experience (e.g., shopping-cart history) or cookies used by a website to count the number of visitors. It was initially foreseen that the ePrivacy Regulation would enter into force simultaneously with the GDPR, but the negotiations have been delayed and it is currently unknown when an agreement on the final text will be reached.
Electronic marketing and advertising is regulated by the provisions of Book XII (Law of the Electronic Economy) of the Code of Economic Law, which has transposed Directive 2002/58/EC of the European Parliament and the Council of 12 July 2002, as adopted by the Act of 15 December 2013, as well as the Royal Decree of 4 April 2003 providing for exceptions.
The automated sending of marketing communications by telephone without human intervention or by fax is prohibited without prior consent.
When a company wants to contact an individual personally by phone (i.e., in a non-automated manner) for marketing purposes, it should first check whether the individual is on the 'do-not-call-me' list of the non-profit organisation DNCM. Telecom operators should inform their users about this list and the option to register online. If the individual is registered on the list, the company should obtain the individual's specific consent before contacting him or her.
Furthermore, the proposal for the new ePrivacy Regulation (already referred to above in the context of cookie rules) obliges marketing callers to always display their phone number or use a special prefix that indicates a marketing call. Again, as this is only a draft text, it is not certain that this obligation will effectively be imposed on marketing callers.
Likewise, the use of emails for advertising purposes is prohibited without the prior, free, specific and informed consent of the addressee pursuant to Section XII.13 of the Code of Economic Law. This consent can be revoked at any time, without any justification or any cost for the addressee. The sender must clearly inform the addressee of its right to refuse the receipt of any future email advertisements and on how to exercise this right using electronic means. The sender must also be able to prove that the addressee requested the receipt of electronic advertising. The sending of direct marketing emails does not require consent if they are sent to a legal entity using 'impersonal' electronic contact details (e.g., firstname.lastname@example.org) which also do not fall within the scope of the GDPR. The use of addresses such as email@example.com, which include personal data, however, remains subject to the requirement for prior consent.
Other exceptions could also apply regarding electronic advertisements, such as for existing clients to whom advertisements are sent for similar products or services, provided that the client did not object thereto. These exceptions are based on national legislation predating the GDPR, however. It remains to be seen how the DPA will continue to interpret these exceptions after 25 May 2018, and whether it believes they comply with the strict criteria for processing data under the GDPR. We believe it is likely this will remain the case, as the DPA may accept that they fall under the 'legitimate interest' category, for which it has in the past already accepted that the maintenance of customer relationships could provide a legitimate interest.
Unless individuals have opted out, direct marketing communications through alternative means are allowed. Nonetheless, the GDPR prescribes a general obligation for data controllers to offer data subjects the right to opt out of the processing of their personal data for direct marketing purposes.
The European Data Protection Board (EDPB) issued its Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, underlining the necessity of both pieces of legislation. In some cases, both apply, or the ePrivacy Directive even goes further than the GDPR (e.g., by protecting the legitimate interests of legal persons instead of only natural persons). So, if the ePrivacy Directive makes GDPR rules more specific, the former should prevail. In online marketing, for instance, if the ePrivacy Directive sets out a requirement to obtain consent for specific data processing, this will override all other possible lawful grounds for processing provided for by Article 6 of the GDPR.
On 16 April 2018, the Camera Surveillance Act was amended, both regarding use by law enforcement and use outside of law enforcement. The changes entered into effect on 25 May 2018, the same day that the GDPR entered into force. The changes reflect the changes to privacy law brought forward by the GDPR. To install camera surveillance, it is now required that the police, rather than the DPA, be informed. This will take place via an online application.
The data controller will also need to keep a separate record concerning the processing of these data. Further details on this record will be determined by Royal Decree.
Data controllers who install a surveillance camera in 'publicly accessible venues' are also required to indicate its existence with a visible sign in proximity of the camera, and to provide, in proximity of the camera, a screen that displays the images being recorded.
Regarding the scope of the Camera Surveillance Law, a surveillance camera falling within the scope of this Act is: a fixed (temporary or permanent) or mobile observation system, with as purpose to survey and guard certain areas, which processes images for this purpose.
The purpose is further elaborated in Article 3 of the Camera Surveillance Law as being either of the following:
- prevention, ascertaining or investigation of crimes against persons or goods; or
- prevention, ascertaining or investigation of nuisance in accordance with Article 135 of the New Act on Municipalities, monitoring of the compliance with municipal regulations and public order.
The use of surveillance cameras regulated by other special legislation or by public authorities does not fall within the scope of the Camera Surveillance Law. If surveillance cameras are used merely to monitor the safety, health, protection of the assets of the company and monitoring of the production process and the labour by the employee, the Camera Surveillance Law is not applicable. However, if the surveillance cameras are also used for one of the purposes listed above in accordance with Article 3 of the Camera Surveillance Law, the Camera Surveillance Law will apply and precede any other legislation.
Employee monitoring is strictly regulated under Belgian law. Apart from the rules embedded in the Camera Surveillance Act of 16 April 2018, which will apply if the surveillance of employees would fall within its scope as discussed above, the monitoring of employees by means of surveillance cameras in particular is subject to the provisions of Collective Bargaining Agreement No. 68 of 16 June 1998. Pursuant to this Agreement, surveillance cameras are only allowed in the workplace for specific purposes:
- the protection of health and safety;
- the protection of the company's assets;
- control of the production process; and
- control of the work performed by employees.
In the latter case, monitoring may only be on a temporary basis. Employees must also be adequately informed of the purposes and the timing of the monitoring.
With respect to monitoring of emails and internet use, Collective Bargaining Agreement No. 81 of 26 April 2002 imposes strict conditions. Monitoring cannot be carried out systematically and on an individual basis. A monitoring system of emails and internet use should be general and collective, which means that it may not enable the identification of individual employees. The employer is only allowed to proceed with the identification of the employees concerned if the collective monitoring has unveiled an issue that could bring damage to the company or threaten the company's interests or the security of its IT infrastructure. If the issue only relates to a violation of the internal (internet) policies or the code of conduct, identification is only allowed after the employees have been informed of the fact that irregularities have been uncovered and that identification will take place if irregularities occur again in the future. In 2012, the DPA issued a specific recommendation on workplace cyber-surveillance. In this regard, the DPA advises employers to encourage employees to label their private emails as 'personal' or to save their personal emails in a folder marked as private. Furthermore, companies should appoint a neutral party to review a former or absent employee's emails and assess whether certain emails are of a professional nature and should be communicated to the employer.
Finally, GPS monitoring in company cars is only allowed under Belgian law with respect to the use of the company car for professional reasons. Private use of the company car (i.e., journeys to and from the workplace and use during private time) cannot be monitored.
Electronic privacy issues
The Belgian broadcaster VRT made public in July 2019 that it had obtained access to more than 1,000 recordings of commands directed to Google assistants recorded by Google Home, Google Home Mini, or through a smartphone. While most of them were recorded when the assistant was started by giving the command 'Okay Google', more than 100 of the obtained recordings were made accidentally, following words that resembled the command. While the recordings are shared with contractors without any further details of the user, journalists were able to trace multiple users by the information shared in the recordings, including names or home addresses. Google has confirmed the practice, but claims that only 0.2 per cent of the recordings are being listened to by 'language experts' to improve its services. Following the revelation, Google announced that it would also not listen to recordings of Europeans for a period of three months. While users give permission to process those recordings in Google's terms and conditions, these do not mention that humans listen to them, nor for how long they are stored. Following the story in the media, the Belgian DPA has announced that it will probably launch an investigation into Google and has called on users to file complaints with the DPA.
IV INTERNATIONAL DATA TRANSFER AND DATA LOCALISATION
Cross-border data transfers within the EEA or to countries that are considered to provide adequate data protection in accordance with EU and Belgian law are permitted. Transfers to other countries are only allowed if the transferor guarantees that adequate safeguards are in place. This can be done by entering into a model data transfer agreement (based on the EU standard contractual clauses) with the recipient or if the transfer is subject to binding corporate rules (BCRs).
Some countries are deemed to be adequate by the European Commission, such as Switzerland, Canada, Andorra, Argentina and the United States (provided that the transfer of data meets the requirements as adopted in the EU–US Privacy Shield). Recently, an agreement was made between the European Union and Japan. The EU–US Privacy Shield survived the second annual review at the end of 2018, resulting in the appointment of an ombudsperson by the US in February 2019 to handle any EU citizens' complaints, the sole demand made by the EU following the review. Currently, the European Court of Justice is reviewing the Schrems II case, in which the international transfer of data by Facebook to the United States on the basis of standard contractual clauses has been challenged.
If an international data transfer is concluded under the EU standard contract clauses, a copy of these must be submitted to the DPA for information. The DPA will check their compliance with the standard contractual clauses and will subsequently inform the data controller whether the transfer is permitted. Data controllers need to wait for this confirmation from the DPA before initiating their international data transfer.
In the case of non-standard ad hoc data transfer agreements, the DPA will examine whether the data transfer agreement provides adequate safeguards for the international data transfer. If the DPA believes that the safeguards are adequate, it will forward the request to the European Data Protection Board, which must also approve.
If a data controller gives 'sufficient guarantees' for adequate data protection by adopting BCRs, a copy of the BCRs also needs to be sent to the DPA for approval, as well as the European Data Protection Board.
As an exemption to the above, transfers to countries not providing adequate protection are also allowed if the transfer:
- is made with the data subject's consent;
- is necessary for the performance of a contract with, or in the interests of, the data subject;
- is necessary or legally required on important public interest grounds or for legal claims;
- is necessary to protect the vital interests of the data subject; or
- is made from a public register.
V COMPANY POLICIES AND PRACTICES
The appointment of a Data Protection Officer has become obligatory for many companies with the GDPR. The number of DPOs has grown from 989 to 4,397 within the first year following the entry into force of the GDPR, according to the Belgian DPA. Larger corporations often also have regional privacy officers. In smaller companies, the appointment of a chief privacy officer is rare. However, given the increasing importance of privacy and data security, even smaller companies often have employees at management level in charge of data privacy compliance (often combined with other tasks).
The GDPR contains an obligation to conduct a data protection impact assessment (DPIA) for high-risk data processing activities. The DPA has taken the liberty of issuing recommendations on the DPIA requirement of the GDPR. In addition to the non-exhaustive list of processing activities as envisaged by the GDPR (i.e., any processing that entails a systematic and extensive evaluation of personal aspects that produce legal effects; any processing on a large scale of special categories of data; and any systematic monitoring of a publicly accessible area on a large scale), the DPA clarifies its position on what qualifies as high risk, when a DPIA must be conducted, what it should entail and when it should be notified of the results of a DPIA. The main takeaway of the DPA's statement is that it should only be notified of processing activities where the residual risk (i.e., the risk after mitigating measures have been taken by the controller) remains high. Whether the DPA's position will be supported at EU level remains to be seen, since the interpretation of DPIA methodologies is in principle an EU-level matter.
A substantial number of companies have conducted privacy audits certainly now in view of the implementation of the GDPR to get a clear view on their data flows and security measures. These audits have often resulted in the implementation of overall privacy compliance projects, including the review and update of IT infrastructure, the conclusion of data transfer agreements or adoption of BCRs and the review and update of existing data processing agreements with third parties.
In large organisations, it is considered best practice to have written information security plans. Although this is also not required by law, it proves very useful, as companies are required to present a list of existing security measures when they notify their data processing operations to the DPA. The DPA has also recommended that companies have appropriate information security policies to avoid or address data security incidents. This has become even more important now in view of the short deadlines for data breach notifications under the GDPR.
On 14 June 2017, the DPA published a recommendation on processing-activity record-keeping, as discussed above. As from the entry into force of the GDPR in 2018, organisations processing personal data within the EU must maintain records of their processing activities. Organisations with fewer than 250 employees are exempted from keeping such records, unless their processing activities:
- are likely to result in a risk to the rights and freedoms of data subjects (e.g., automated decision-making);
- are not occasional; or
- include sensitive data.
On the basis of the above-mentioned non-cumulative conditions, it may be expected that basically all organisations processing personal data will have to maintain records of their processing activities in practice, even if they employ fewer than 250 people. The DPA advises all companies to do so.
In substance, these records should contain information on who processes personal data, what data is processed and why, where, how and for how long data is processed.
VI DISCOVERY AND DISCLOSURE
Pursuant to the Belgian Code of Criminal Procedure, the public prosecutors and the examining magistrates have the power to request the disclosure of personal data of users of electronic communications services (including telephone, email and internet) in the context of criminal investigations. Examining magistrates may also request the technical cooperation of electronic communications service providers and network operators in connection with wiretaps.
The personal and territorial scope of application of these powers has been the subject of a heated debate before the Belgian Supreme Court and criminal courts in two major cases regarding Yahoo! and Skype (see above).
Belgian law enforcement makes frequent use of its powers to request data from providers of electronic communications services. For instance, Microsoft received 625 requests in 2018, Google 815 and Apple 449.
VII PUBLIC AND PRIVATE ENFORCEMENT
i Enforcement agencies
The Belgian enforcement agency with responsibility for privacy and data protection is the DPA.
The DPA's mission is, inter alia, to monitor compliance with the provisions of the GDPR and the Data Protection Act. To this end, the DPA has general power of investigation with respect to any type of processing of personal data and may file a criminal complaint with the public prosecutor. It may also institute a civil action before the president of the court of first instance. Whereas this is where the scope of authority ended for the original Privacy Commission, the reformed DPA (in light of the GDPR) is an independent administrative authority with legal personality and extensive investigative and sanctioning powers, composed of six different bodies: an executive committee, a general secretariat, a front-line service, a knowledge centre, an inspection service and a dispute chamber.
The executive committee, composed of the leaders of the five other bodies, is responsible for the adoption of the DPA's general policies and strategic plan.
A general secretariat is responsible for the reception and processing of complaints and to inform citizens about their data protection rights.
The inspection service functions as the investigating body of the DPA, with a wide array of investigative powers (e.g., interrogation of individuals).
The front-line service has a singular role in providing guidance (e.g., with regard to adequate data protection techniques under the GDPR) and supervising data controllers and processors and their compliance with data protection legislation.
Led by six experts in the field, the knowledge centre provides public decision-makers with the necessary expertise to understand the technologies likely to impact on the processing of personal data.
The dispute chamber, composed of a president and six judges, is able to impose sanctions of up to €20 million or up to 4 per cent of the total worldwide annual turnover of the infringing company.
As well as the above-mentioned bodies being established under the auspices of the reformed DPA, an independent think tank is set up to reflect society as a whole, both participants in the creation of the digital world and those affected by it, and to provide the executive committee with a broad vision and guidance as it negotiates current and future data protection challenges.
Along with natural persons, legal persons, associations or institutions are also able to lodge a complaint of an alleged data protection infringement.
ii Recent enforcement cases
The most important recent enforcement case undertaken by the DPA is the one initiated against Facebook in June 2015 concerning its unlawful processing of data through hidden cookies. As mentioned above, Facebook has been condemned by the Court of First Instance. Following the appeal filed by Facebook, the Brussels Court of Appeal has decided to refer the case to the European Court of Justice.
Within the first year of the functioning of the reformed DPA following the introduction of the GDPR on 25 May 2018, only one fine has been issued so far. The case involved a mayor who, in the execution of his powers as a public official, sent out an email to a few citizens shortly prior to the municipal elections in which he campaigned for himself. The DPA concluded that the mayor had abused personal data which he received during the exercise of his function for personal purposes and issued a fine of €2,000.
In July 2019, the DPA reproached the Ministry of Health for not responding to a request of a citizen who wished to exercise his right of access, following two complaints by the citizen concerned. No fine was issued, as, under Belgian law, a state institution cannot be fined for violating the GDPR. The fact that not all of the GDPR's provisions apply equally to state institutions has been criticised by the Federation of Enterprises in Belgium (FEB), which has started a case before the Constitutional Court against what it calls a 'discrimination of enterprises'.
iii Private litigation
Private plaintiffs may seek judicial redress before the civil courts on the basis of the general legal provisions related to tort or, in some cases, contractual liability. In addition, they may file a criminal complaint against the party that committed the privacy breach. Financial compensation is possible, to the extent that the plaintiff is able to prove the existence of damages as well as the causal link between the damage and the privacy breach. Under Belgian law, there is no system of punitive damages.
The Belgian DPA received 328 complaints following the entry into force of the GDPR, which mostly concerned data subject rights, camera surveillance or direct marketing. As mentioned above, only one fine has been issued until now.
Class actions were traditionally not possible under Belgian law until 1 September 2014, when a new Act on Class Actions entered into force. The Belgian consumer organisation Test-Aankoop, for instance, has launched a class action against Facebook together with sister-organisations in Spain, Italy and Portugal, demanding €200 damages per claim for abusing personal data of its users. In Belgium, 42,000 people have joined the class action, and in Europe overall 250,000 people.
In a judgment of 29 April 2016, the Supreme Court ruled in favour of the right to be forgotten. The case concerned the online disclosure of an archived database of a famous Belgian newspaper, which would result in the publication of the full name of a driver who was involved in a car accident in 1994 in which two people died. Both the Court of Appeal and the Supreme Court considered the right to be forgotten essential in this case and ruled in favour of a limitation of the right of freedom of expression.
VIII CONSIDERATIONS FOR FOREIGN ORGANISATIONS
Organisations based or operating outside Belgium may be subject to the Belgian data protection regime to the extent that they process personal data in Belgium. Physical presence in Belgium (either through a local legal entity or branch office, with or without employees, or through the use of servers or other infrastructure located on Belgian territory) will trigger the jurisdiction of Belgian privacy and data protection law even if the personal data that is processed in Belgium relates to foreign individuals. Foreign companies using cloud computing services for the processing of their personal client or employee data may, therefore, be subject to Belgian law (with respect to such processing) if the data is stored on Belgian servers.
In principle, the mere provision of online services to persons in Belgium, without actual physical presence, will not trigger Belgian jurisdiction. However, as discussed before, according to the recent Supreme Court decision in the Skype case, the Belgian judicial authorities would have jurisdiction over foreign entities providing online services or software to users in Belgium, even if they are not present in Belgium. This is certainly an issue to follow up, as it may have an important impact on the territorial scope of application of Belgian law.
It should be noted that the GDPR applies to data controllers having no presence at all (establishment, assets, legal representative, etc.) in the EU but who process EU citizens' personal data in connection with goods or services offered to those EU citizens; or who monitor the behaviour of individuals within the EU.
IX CYBERSECURITY AND DATA BREACHES
As a member of the Council of Europe, Belgium entered into the Council's Convention on Cybercrime of 23 November 2001. Belgium implemented the Convention's requirements through an amendment of the Act of 28 November 2000 on cybercrime, which introduced cybercrime into the Belgian Criminal Code. With the Act of 15 May 2006, Belgium also implemented the requirements of the Additional Protocol to the Convention on Cybercrime of 28 January 2003 concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems.
As previously mentioned, the CCB performs the following tasks:
- monitoring Belgium's cybersecurity;
- managing cybersecurity incidents;
- overseeing various cybersecurity projects;
- formulating legislative proposals relating to cybersecurity; and
- issuing of standards and guidelines for securing public sector IT systems.
Since becoming operational at the end of 2015, the CCB has carried out several awareness campaigns; for instance, in the context of the Petya ransomware cyberattacks and the 'CEO fraud' (a large-scale scam where cybercriminals contact a company as the alleged CEO of another big company with a request to make an important payment into the first company's bank account).
Furthermore, the management of CERT, which has been in the hands of Belnet since 2009, was transferred to the CCB in December 2016. The transfer of all CERT activities is part of the continuing coordination of Belgian cybersecurity and is aimed at assisting companies and organisations in the event of cyber incidents by providing advice both about finding solutions when such incidents arise and about preventing incidents occurring.
Additionally, the Belgian Cyber Security Coalition, which is a partnership between parties from the academic world, public authorities and the private sector, was established in October 2014. Currently, more than 50 key participants from across the three sectors are active members. These include large financial institutions, universities, consultancy companies, professional organisations and government bodies. The main goals of the Coalition are to raise awareness about cybersecurity, exchange know-how, take collective actions in the fight against cybercrime and support governmental and sectoral bodies in setting policies and determining ways to implement these policies.
With respect to data breach notifications, Article 114/1, Section 2 of the Electronic Communications Act requires companies in the telecommunications sector to notify immediately (within 24 hours) personal data breaches to the DPA, which must transmit a copy of the notification to the Belgian Institute for Postal Services and Telecommunications. If there is a breach of personal data or the privacy of individuals, the company must also notify the data subjects affected by the breach. The NIS Act additionally provides for a detailed procedure regarding breaches for operators of essential services (see above).
The Belgian Data Protection Act of 8 December 1992 did not, however, provide for a general data breach notification obligation, as is provided for in the GDPR. In 2013, the DPA was confronted by a series of data security incidents of which it only became aware after those incidents were published in the media. Unable to change the legislation itself (which, of course, would require legislative intervention), the DPA issued a recommendation upon its own initiative stating that it considered data breach notifications to be an inherent part of the general security obligations incumbent on any data controller.
With the entry into force of the GDPR, Article 33 of the GDPR now provides for a duty for the data controller to report personal data breaches to the DPA without undue delay, and where feasible, not later than 72 hours after having become aware of it. This notification must describe the nature, communicate the details of the DPO or other contacts where more information can be obtained, describe the likely consequences of the breach and describe the measures taken or proposed to be taken by the controller to address the breach. A communication to the data subject can in some cases also be necessary, if there is a high risk to their rights and freedoms. It must be noted that the DPA's recommendation also stresses that, in the event of public incidents, the DPA must be informed within 48 hours of the causes and damage. Although the concept of a 'public incident' is not explained in greater detail, this could refer to an incident in which a breach has occurred that is likely to become known to the public or the DPA via, for example, the media, the internet, or complaints from individuals. Within the first year following the entry into force of the GDPR, the DPA has been informed of the existence of 645 data breaches.
In relation to data security, the International Chamber of Commerce in Belgium and the Federation of Enterprises in Belgium, together with the B-CCentre, have taken the initiative to create the Belgian Cybersecurity Guide in cooperation with Ernst & Young and Microsoft. The Guide is aimed at helping companies protect themselves against cybercriminality and data breaches. To that effect, it has listed 10 key security principles and 10 'must do' actions, including user education, protecting and restricting access to information, keeping IT systems up to date, using safe passwords, enforcing safe-surfing rules, applying a layered approach to viruses and other malware, and making and checking backup copies of business data and information.
The GDPR has, as expected, not resulted in major changes to the Belgian situation in practice, as Belgian legislation and the DPA's interpretation of it have traditionally been in line with EU law, the positions of the European Commission and the Article 29 Working Party (now the European Data Protection Board). Although the GDPR has strengthened the investigative and sanctioning powers of the DPA, its effective functioning was impeded by the delayed appointment of its new directors, which finally happened in April 2019. It remains to be seen whether the DPA, now that it can fully function, will make more use of its newly acquired powers. Until now, it has only issued one fine, which, in comparison with the neighbouring countries, is extremely low. Apart from sanctioning, the DPA is still assisting companies, data controllers and data processors to comply with the GDPR.
Unfortunately, it is yet unsure when the ePrivacy Regulation, which will override the GDPR and provide for more clarity regarding specific issues that may arise concerning privacy in connection with online interactions, will be agreed upon. The ongoing negotiations only mean that its implementation will again be delayed until 2020 or later.
1 Steven De Schrijver and Olivier Van Fraeyenhoven are partners at Astrea.