The Privacy, Data Protection and Cybersecurity Law Review: Belgium
The Belgian legislative and regulatory approach to privacy, data protection and cybersecurity is quite comprehensive. The most important legal provisions can be found in the following:
- Article 22 of the Belgian Constitution, which provides that everyone is entitled to the protection of his or her private and family life;
- the Act of 28 November 2000 on Cybercrime;
- the Act of 13 June 2005 on Electronic Communications (the Electronic Communications Act);
- Book XII (Law of the Electronic Economy) of the Code of Economic Law, as adopted by the Act of 15 December 2013;
- the Act of 3 December 2017 on the establishment of the Data Protection Authority;
- the General Data Protection Regulation 2016/679 (GDPR), which is the EU regulation on data protection and privacy;
- the Act of 30 July 2018 on the Protection of Natural Persons with regard to the Processing of Personal Data (the Data Protection Act) (which replaced the former Belgian Data Protection Act of 8 December 1992 with effect as of 5 September 2018). It concerns the further implementation of the GDPR and Directive 2016/680 regarding the processing of data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences; and
- the Act of 7 April 2019 establishing a framework for the security of networks and information systems of general interest for public security (and the Royal Decree of 12 July 2019, which specifies certain provisions of this Act).
Belgium, as a member of the European Union, is subject to European Union law including the GDPR. The right to privacy is embedded in the Belgian constitution and privacy and data protection rules offer strong safeguards to Belgian citizens and foreigners living in Belgium. In addition, Article 8 on the right to respect for private and family life of the European Convention on Human Rights and Fundamental Freedoms, as well as Article 7 on the right to respect for private and family life and Article 8 on the right to protection of personal data of the Charter for Fundamental Rights of the European Union, apply directly in Belgium.
This contribution will set out the most important Belgian laws relating to privacy and data protection. It will look into the Belgian implementation of the GDPR and its first results, including some of the most important fines that were delivered by the Belgian DPA as of May 2019 (when it became fully operational).
Given that the GDPR applies directly in all EU Member States, its content will not be reviewed in detail.
The year in review
The enforcement actions of the Belgian Data Protection Authority (DPA) play a central role in our review of the second year following the entry into force of the GDPR. After the appointment of its staff in May 2019, it could finally commence to fully exercise its tasks. During the past 15 months it has taken its role seriously and has been able to deliver multiple decisions, some of which have attracted wide European interest, especially its decision with respect to the role of the DPO (see below). However, the Belgian DPA still has some work to do to further develop its methodology, as its first important decision (concerning shops reading customers' identity cards, which in Belgium contain a chip, in order to create customer cards from the information contained in those identity cards) was struck down on appeal because the decision itself and the basis for the fine were insufficiently reasoned.
Without doubt, the most challenging event for privacy in 2020 has been, and will remain, covid-19. Belgium, like most countries, had to introduce far-reaching measures across all layers of public life to limit the spread of the virus, which raises many privacy questions. The fact that sensitive data concerning health is involved, as well as location-based data, makes the issue even more difficult. The Belgian DPA stepped in early to provide practical guidelines with regard to the processing of personal data under the current circumstances. This shows the importance of early intervention by supervisory authorities in providing practical information to the public, which helps to ensure that important rights are not disregarded and that security does not override privacy.
Unlike other countries, Belgium has opted for a human-controlled contact tracing programme in which infected persons are contacted by 'contact tracers' and asked several questions about their recent whereabouts. This information can be used to contact potentially infected persons and advise them to stay at home or get tested. A legislative framework has been put in place to ensure GDPR compliance (e.g., by providing a lawful basis for processing, determining the purposes of the processing, limiting the information collected and setting out rules on data storage and erasure).
Belgium is looking to introduce a voluntary contact tracing application in September 2020, which will neither store data centrally nor store location data. It will only be used to warn potentially infected people, not to enforce social distancing rules.
Cybercrime continues to constitute a serious threat to Belgian businesses, having risen by 61 per cent. An average incident can cost a company €54,000. Phishing and computer viruses are the most common forms. The latest trend is for attackers to address employees within businesses personally in order to gain their trust. At a time when a large portion of the population has moved to remote working from home (often on their own devices), and businesses therefore rely more than ever on their IT systems to remain operational, it is expected that cybercrime will remain on the rise.
i Privacy and data protection legislation and standards
The GDPR came into force on 25 May 2018 and directly applies to data-processing activities performed by Belgium-based controllers and processors. Under the GDPR, 'personal data' means any information relating to an identified or identifiable natural person, whereby an 'identifiable person' is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The data controller is the person who alone or jointly with others determines the purposes and means of the processing of personal data, and data processors are persons that process personal data on behalf of a data controller. Under Belgian law, it is also possible for different persons or entities to act as data controller in respect of the same personal data.
The Belgian Data Protection Act implementing the GDPR entered into force on 5 September 2018. The Act deals, among other things, with areas in the GDPR where the national legislator was able to add additional or clarifying requirements. This includes the age of children's consent, additional requirements for the processing of genetic, biometric and health data, additional requirements regarding the processing of criminal data, restrictions regarding processing for journalistic purposes and for the purpose of academic, artistic or literary expression, and additional exceptions for processing for the purpose of archiving in the public interest or for scientific or historical research or statistical purposes.
Regarding the processing of genetic, biometric and health data, or data related to criminal convictions and offences, the Belgian legislator has set out measures that must be taken, such as maintaining a list of the persons entitled to consult the data, together with a description of their functions in relation to the processing of such data; these persons must be bound by a legal or contractual duty of confidentiality. The controller or processor must make this list available to the DPA on request.
Concerning the processing of criminal data, Belgian law provides for additional grounds to process the data. As with the processing of genetic, biometric and health data, the persons entitled to consult these data must be designated, bound by a legal or contractual duty of confidentiality, and a list must be kept at the disposal of the DPA. The following are additional grounds for processing of criminal data:
- by private companies, if necessary for the management of litigation to which the company is a party;
- by legal advisers if necessary to defend the interests of a client;
- if necessary for substantial public interest reasons or to perform a task in the public interest; and
- if necessary for archiving, scientific, historical research or statistical purposes.
The Belgian legislator has also included specific exceptions to data subject rights for processing for journalistic, academic, artistic or literary purposes, as well as for archiving in the public interest or for scientific or historical research or statistical purposes, whereby some of the articles of the GDPR such as consent, information obligation, right to restrict processing and right to object do not apply. It is noteworthy that disclosure of the register, personal data breach notifications and the duty to cooperate with the DPA also do not apply if they would jeopardise an intended publication or constitute a prior control.
Concerning archiving in the public interest or for scientific or historical research or statistical purposes, the data subject's rights are also restricted if these rights would render it impossible or seriously impair the achievement of these purposes. However, additional requirements are also imposed, such as an explanation in the records of why these data are processed, why an exercise of the data subject's rights would impair the achievement of the purposes and a justification for the use of data without pseudonymising these data – as well as if necessary a data processing impact assessment. Data subjects should be informed whether the data are pseudonymised, as well as why the exercise of their rights would impair the achievement of the aforementioned purposes.
The Data Protection Act consolidates the patchy Belgian data protection regulatory framework. For example, it incorporates the provisions of the Act of 25 December 2016 on the processors of passenger data.
In implementing Directive 2016/680 on the processing of personal data by criminal authorities, the Data Protection Act imposes certain requirements on government entities. For example, the armed forces and the intelligence and security services must now comply with requests from data subjects to exercise certain data protection rights, albeit in a restricted fashion.
ii General obligations for data handlers
Data may be processed if the processing meets one of the requirements of Article 6 of the GDPR. The processing must comply with the general principles of data processing as set out in the GDPR. Sensitive personal data (i.e., personal data related to, for instance, racial or ethnic origin, sexual orientation or health) may only be processed if the processing meets the requirements of Article 9 of the GDPR.
Regarding consent, it must be added that parental consent is required for the processing of personal data concerning information services for children under the age of 13 (as opposed to the age of 16 in Article 8.1 of the GDPR).
As mentioned before, the Data Protection Act also further regulates possible exceptions regarding the processing of the above special categories of data in implementation of the GDPR.
With respect to the processing of employees' personal data, the DPA finds that such processing should be based on legal grounds other than consent, in particular the performance of a contract with the data subject, since obtaining valid consent from employees is considered difficult (if not impossible) given their subordinate relationship with the employer.
Since the GDPR came into effect, data controllers no longer need to notify the DPA of all types of data processing operations. Instead, they are bound to keep records of their processing activities. It is now up to the controller to be able to prove that it has obtained consent for its data processing or has a legitimate reason for doing so under the GDPR.
Another obligation under the GDPR is the appointment of a data protection officer (DPO) in specific cases, such as for public authorities, or when there is large-scale systematic monitoring of personal data or large-scale processing of sensitive data.
In April 2020, the DPA delivered an important decision by which it imposed a fine of €50,000 on Belgium's largest telecoms company as its DPO also exercised the function of head of the audit, risk and compliance departments, which could be seen as a conflict of interests. After all, this meant that the respective person could determine the purposes and means of the processing of personal data within these departments, while also exercising supervision on these choices in his or her role as DPO. Hence, the DPA found that a person cannot combine the role of DPO and head of a(ny) department within the same organisation, as this role cannot be exercised independently.
iii Data subject rights
The GDPR sets out clearly which rights data subjects possess in Articles 13–22, which include the right of access, the right to rectification and the right to erasure.
iv Specific regulatory areas
Although Belgium has not adopted a sectoral approach towards data protection legislation, there are nevertheless separate regulations in place for certain industries and special (more vulnerable) data subjects. In addition to the Data Protection Act, specific laws have been adopted to provide additional protection for data subjects in the following sectors:
- Camera surveillance: the installation and use of surveillance cameras is governed by the Camera Surveillance Law of 21 March 2007.
- Workplace privacy: the installation and use of surveillance cameras for the specific purpose of monitoring employees is subject to Collective Bargaining Agreement No. 68 of 16 June 1998 concerning the camera surveillance of employees. In addition, the monitoring of employees' online communication is subject to the rules laid down in Collective Bargaining Agreement No. 81 of 26 April 2002 concerning the monitoring of electronic communications of employees.
- Electronic communications: the Electronic Communications Act of 13 June 2005 contains provisions on the secrecy of electronic communications and the protection of privacy in relation to such communications. Furthermore, the Electronic Communications Act imposes requirements on providers of telecommunication and internet services regarding data retention, the use of location data and the notification of data security breaches.
- Medical privacy: the Patient Rights Act of 22 August 2002 governs, inter alia, the use of patients' data and the information that patients need to receive in this respect. The Act of 21 August 2008 governs the establishment and organisation of the e-Health Platform. The Insurance Act of 4 April 2014 was amended to include a right to be forgotten for cancer patients entering into a credit insurance. Their medical past with respect to cancer cannot be taken into account, provided that 10 years have elapsed since a successful treatment and no relapse took place within this period. This right applies to credit insurance contracts as of 1 February 2020.
- Financial privacy: the financial sector is heavily regulated. For instance, the use of credit card information for profiling violates consumer credit legislation, which clearly states that (1) personal data collected by financial institutions can only be processed for specific purposes, (2) only some data can be collected, and (3) it is prohibited to use the data collected within the credit relationship for direct marketing or prospecting purposes. Belgian legislation also requires that information be deleted when its retention is no longer justified. Further rules can be found in Book VII of the Belgian Code of Economic Law and the Act of 18 September 2018 on the prevention of money laundering and terrorist financing and the restriction on the use of cash.
On 3 May 2019, the Belgian Network and Information Security Act (the NIS Act) entered into force, transposing the EU Network and Information Security Directive 2016/1148 (the NIS Directive). In addition to the specific data protection rules above, the NIS Act adds a legal basis for higher cybersecurity standards in respect of certain 'essential' services.
Pursuant to the Act, authorised government entities on two different levels, with separate functions, are in charge of ensuring compliance with the NIS Act. A national public entity (the Centre for Cybersecurity Belgium) is charged with monitoring compliance and coordinating the implementation of this Act. On a sectoral level, sectoral authorities are charged with monitoring compliance for their respective sectors. A Royal Decree of 12 July 2019 provides a legal framework for their powers as well as for the notification and processing of incidents.
The NIS Act applies in particular to operators of essential services (OESs). OESs can be found in the following industries:
- energy (electricity, oil and gas);
- transportation (air, rail, water and road);
- banking and financial market infrastructure;
- health and drinking water supply and distribution; and
- digital infrastructure (including digital services such as online sales platforms, online search engines and cloud computing services).
To ensure an adequate level of network and information security in these sectors and to prevent, handle and respond to incidents affecting networks and information systems, the NIS Act sets out the following obligations for these OESs:
- the obligation to take appropriate technical and organisational measures to manage the risks posed to their network and information systems, and to prevent or minimise the impact in the event of a data breach; and
- the obligation to notify the competent authority, without undue delay, of all incidents with a 'significant impact' on the security of the core services provided by these operators. To assess the impact of an incident, the following criteria should be taken into account: (1) the number of users affected; (2) the duration of the incident; (3) the geographical spread with regard to the area affected by the incident; and (4) in relation to certain OESs, the disruption of the functioning of the service and the extent of the impact on economic and societal activities.
The notification obligations, preventive actions and sanctions under the NIS Act should increase transparency regarding network and information security and heighten awareness of cybersecurity risks in the above-mentioned essential services.
The Act provides for the identification of OESs and establishes the security requirements at both national and sectoral level, as well as how compliance is monitored through internal and external audits, and the sanctions for non-compliance (e.g., fines).
Concerning computer security incidents, the Act establishes computer security incident response teams at national and sectoral level, as well as the procedures for reporting security incidents.
v Technological innovation and privacy law
According to the DPA, consent cannot be considered validly given by ticking a box in the browser settings. In its Direct Marketing Guidelines (see below), it has also underlined the importance of active opt-in by the user, which means that the user must tick a box to accept cookies, but also has the right not to do so.
In January 2017, the European Commission published the draft text of the new ePrivacy Regulation, which will become directly applicable in Belgium and, after its adoption, replace all the current national rules relating to, inter alia, cookies. Both the European Parliament and the Council have published their respective drafts. The three EU institutions have since been in 'trilogue' negotiations to determine the final text. The latest draft text was published on 21 February 2020 by the European Council. The current draft Regulation would possibly allow consent to be given through browser settings, provided that this consent entails a clear affirmative action from the end user of terminal equipment to signify his or her freely given, specific, informed and unambiguous consent to the storage of, and access to, third-party tracking cookies in and from the terminal equipment. This entails that internet browser providers will have to significantly change the way their browsers function for consent to be validly given via browser settings.
In addition, the proposal clarifies that no consent has to be obtained for non-privacy-intrusive cookies that improve the internet experience (e.g., shopping-cart history) or cookies used by a website to count the number of visitors. It was initially foreseen that the ePrivacy Regulation would enter into force simultaneously with the GDPR, but the negotiations have been delayed and it is currently unknown when an agreement on the final text will be reached.
Electronic marketing and advertising is regulated by the provisions of Book XII (Law of the Electronic Economy) of the Code of Economic Law, which has transposed Directive 2002/58/EC of the European Parliament and the Council of 12 July 2002, as adopted by the Act of 15 December 2013, as well as the Royal Decree of 4 April 2003 providing for exceptions. The Belgian DPA has provided a lengthy recommendation (No 1/2020 of 17 January 2020) in which it discusses the most pressing direct marketing questions and provides useful guidance.
The automated sending of marketing communications by telephone without human intervention or by fax is prohibited without prior consent.
When a company wants to contact an individual personally by phone (i.e., in a non-automated manner) for marketing purposes, it should first check whether the individual is on the 'do-not-call-me' list of the non-profit organisation DNCM. Telecom operators should inform their users about this list and the option to register online. If the individual is registered on the list, the company should obtain the individual's specific consent before contacting him or her.
Likewise, the use of emails for advertising purposes is prohibited without the prior, free, specific and informed consent of the addressee pursuant to Section XII.13 of the Code of Economic Law. This consent can be revoked at any time, without any justification or any cost for the addressee. The sender must clearly inform the addressee of its right to refuse the receipt of any future email advertisements and on how to exercise this right using electronic means. The sender must also be able to prove that the addressee requested the receipt of electronic advertising. The sending of direct marketing emails does not require consent if they are sent to a legal entity using 'impersonal' electronic contact details (e.g., [email protected]) which also do not fall within the scope of the GDPR. The use of addresses such as [email protected], which include personal data, however, remains subject to the requirement for prior consent.
Other exceptions could also apply regarding electronic advertisements, such as for existing clients to whom advertisements are sent for similar products or services, given that the client did not object thereto. These exceptions are based on national legislation predating the GDPR, but have been accepted by the DPA as they can be justified as a legitimate interest.
Unless individuals have opted out, direct marketing communications through alternative means are allowed. Nonetheless, the GDPR prescribes a general obligation for data controllers to offer data subjects the right to opt out of the processing of their personal data for direct marketing purposes.
The European Data Protection Board (EDPB) issued its Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, underlining the necessity of both pieces of legislation. In some cases, both apply, or the ePrivacy Directive even goes further than the GDPR (e.g., by protecting the legitimate interests of legal persons instead of only natural persons). So, if the ePrivacy Directive makes GDPR rules more specific, the former should prevail. In online marketing, for instance, if the ePrivacy Directive sets out a requirement to obtain consent for specific data processing, this will override all other possible lawful grounds for processing provided for by Article 6 of the GDPR.
The Camera Surveillance Act of 21 March 2007 regulates the placement and use of camera surveillance in Belgium.
A surveillance camera falls within the scope of this Act if it is a fixed (temporary or permanent) or mobile observation system whose purpose is to survey and guard certain areas, and which processes images for that purpose.
The purpose is further elaborated in Article 3 of the Camera Surveillance Law as being either of the following:
- prevention, ascertaining or investigation of crimes against persons or goods; or
- prevention, ascertaining or investigation of nuisance in accordance with Article 135 of the New Act on Municipalities, monitoring of the compliance with municipal regulations and public order.
To install camera surveillance, it is required that the police, rather than the DPA, be informed. This takes place via an online application.
The data controller must keep a separate record concerning the processing of these data. Further details on this record will be determined by Royal Decree.
Data controllers who install a surveillance camera in 'publicly accessible venues' are also required to indicate its existence with a visible sign in proximity to the camera, and to provide, in proximity to the camera, a screen that displays the images being recorded.
The use of surveillance cameras regulated by other special legislation or by public authorities does not fall within the scope of the Camera Surveillance Law. If surveillance cameras are used merely to monitor the safety, health and protection of the assets of the company and to monitor the production process and the work performed by employees, the Camera Surveillance Law is not applicable. However, if the surveillance cameras are also used for one of the purposes listed above in accordance with Article 3 of the Camera Surveillance Law, the Camera Surveillance Law will apply and take precedence over any other legislation.
Employee monitoring is strictly regulated under Belgian law. Apart from the rules embedded in the Camera Surveillance Act of 16 April 2018, which applies if the surveillance of employees falls within its scope as discussed above, the monitoring of employees by means of surveillance cameras in particular is subject to the provisions of Collective Bargaining Agreement No. 68 of 16 June 1998. Pursuant to this Agreement, surveillance cameras are only allowed in the workplace for specific purposes:
- the protection of health and safety;
- the protection of the company's assets;
- control of the production process; and
- control of the work performed by employees.
In the latter case, monitoring may only be on a temporary basis. Employees must also be adequately informed of the purposes and the timing of the monitoring.
With respect to the monitoring of emails and internet use, Collective Bargaining Agreement No. 81 of 26 April 2002 imposes strict conditions. Monitoring cannot be carried out systematically and on an individual basis. A monitoring system for emails and internet use should be general and collective, which means that it may not enable the identification of individual employees. The employer is only allowed to proceed with the identification of the employees concerned if the collective monitoring has revealed an issue that could damage the company or threaten the company's interests or the security of its IT infrastructure. If the issue only relates to a violation of the internal (internet) policies or the code of conduct, identification is only allowed after the employees have been informed that irregularities have been uncovered and that identification will take place if irregularities occur again in the future.
Finally, GPS monitoring in company cars is only allowed under Belgian law with respect to the use of the company car for professional reasons. Private use of the company car (i.e., journeys to and from the workplace and use during private time) cannot be monitored.
International data transfer and data localisation
Cross-border data transfers within the EEA or to countries that are considered to provide adequate data protection in accordance with EU and Belgian law are permitted. Transfers to other countries are only allowed if the transferor guarantees that adequate safeguards are in place. This can be done by entering into a model data transfer agreement (based on the EU standard contractual clauses) with the recipient or if the transfer is subject to binding corporate rules (BCRs).
Some countries are deemed to be adequate by the European Commission, such as Argentina, Switzerland, Canada, Israel and Andorra, as well as the United States where the transfer of data met the requirements of the EU–US Privacy Shield. Recently, an agreement was made between the European Union and Japan. The EU–US Privacy Shield survived the second annual review at the end of 2018, resulting in the appointment of an ombudsperson by the US in February 2019 to handle any EU citizens' complaints, the sole demand made by the EU following the review. However, on 16 July 2020, the European Court of Justice decided in the Schrems II case (in which the international transfer of data by Facebook to the United States on the basis of standard contractual clauses (SCCs) had been challenged) that the EU–US Privacy Shield is invalid, which means that it can no longer be relied on. The Court even ruled that data transfers to the United States by way of undersea cable are susceptible to access by US intelligence services, which means that these fall short of EU legal requirements. Moreover, the validity of SCCs was confirmed, provided that the data exporter considers the law and practice of the country to which data will be transferred, especially if public authorities may have access to the data. Specifically for the United States, SCCs may nevertheless prove problematic, as the decision itself implies that data subjects will not enjoy an equivalent level of protection in the United States as they do in the European Union. The Belgian DPA has, at the time of writing, not provided any guidance on this matter, while other DPAs, especially in Germany, have advised immediately halting any data transfers to the US.
If an international data transfer is concluded under the EU standard contractual clauses, a copy of these must be submitted to the DPA for information. The DPA will check their compliance with the standard contractual clauses and will subsequently inform the data controller whether the transfer is permitted. Data controllers need to wait for this confirmation from the DPA before initiating their international data transfer.
In the case of non-standard ad hoc data transfer agreements, the DPA will examine whether the data transfer agreement provides adequate safeguards for the international data transfer. If the DPA believes that the safeguards are adequate, it will forward the request to the European Data Protection Board, which must also approve.
If a data controller gives 'sufficient guarantees' for adequate data protection by adopting BCRs, a copy of the BCRs also needs to be sent to the DPA for approval, as well as the European Data Protection Board.
As an exception to the above, transfers to countries not providing adequate protection are also allowed if the transfer:
- is made with the data subject's consent;
- is necessary for the performance of a contract with, or in the interests of, the data subject;
- is necessary or legally required on important public interest grounds or for legal claims;
- is necessary to protect the vital interests of the data subject; or
- is made from a public register.
Company policies and practices
The appointment of a Data Protection Officer has become obligatory for many companies with the GDPR. According to the Belgian DPA, the number of Belgian DPOs has further grown from 4,397 to 5,416 within the second year following the entry into force of the GDPR. Larger corporations often also have regional privacy officers. In smaller companies, the appointment of a chief privacy officer is rare. However, given the increasing importance of privacy and data security, even smaller companies often have employees at management level in charge of data privacy compliance (often combined with other tasks).
In large organisations, it is considered best practice to have written information security plans. Although this is also not required by law, it proves very useful, as companies are required to present a list of existing security measures when they notify their data processing operations to the DPA. The DPA has also recommended that companies have appropriate information security policies to avoid or address data security incidents. This has become even more important now in view of the short deadlines for data breach notifications under the GDPR.
Under the GDPR, organisations processing personal data within the EU must maintain records of their processing activities. Organisations with fewer than 250 employees are exempted from keeping such records, unless their processing activities:
- are likely to result in a risk to the rights and freedoms of data subjects (e.g., automated decision-making);
- are not occasional; or
- include sensitive data.
On the basis of the above-mentioned non-cumulative conditions, it may be expected that basically all organisations processing personal data will have to maintain records of their processing activities in practice, even if they employ fewer than 250 people. The DPA advises all companies to do so.
In substance, these records should contain information on who processes personal data, what data is processed and why, where, how and for how long data is processed.
Discovery and disclosure
Pursuant to the Belgian Code of Criminal Procedure, public prosecutors and examining magistrates have the power to request the disclosure of personal data of users of electronic communications services (including telephone, email and internet) in the context of criminal investigations. This personal data may include names, IP logs, telephone numbers, etc. Examining magistrates may also request the technical cooperation of electronic communications service providers and network operators in connection with wiretaps.
The personal and territorial scope of application of these powers has been the subject of a heated debate before the Belgian Supreme Court and criminal courts in two major cases regarding Yahoo! and Skype.
Belgian law enforcement makes frequent use of its powers to request data from providers of electronic communications services. For instance, Microsoft received 521 requests in 2019 and Google 1,002.
Public and private enforcement
i Enforcement agencies
The Belgian enforcement agency with responsibility for privacy and data protection is the DPA, which is an independent administrative authority with legal personality and extensive investigative and sanctioning powers.
The DPA's mission is, inter alia, to monitor compliance with the provisions of the GDPR and the Data Protection Act. To this end, the DPA has a general power of investigation with respect to any type of processing of personal data (including hearing witnesses, conducting on-site inspections, and seizing or sealing goods, documents and computer systems) and may file a criminal complaint with the public prosecutor. It may also institute a civil action before the president of the court of first instance.
Along with natural persons, legal persons, associations or institutions are also able to lodge a complaint of an alleged data protection infringement.
ii Recent enforcement cases
The most important recent enforcement case undertaken by the DPA is the one initiated against Facebook in June 2015 concerning its unlawful processing of data through hidden cookies. Facebook has been condemned by the Court of First Instance. Following the appeal filed by Facebook, the Brussels Court of Appeal has decided to refer the case to the European Court of Justice in May 2019.
As the DPA only became fully operational in May 2019, it took some time before the first Belgian decisions with regard to the GDPR were delivered. As of July 2020, the Belgian DPA had decided 37 cases, not all of which have been published. Two of the four decisions that are known to have been appealed were annulled by the Markets Court (part of the Brussels Court of Appeal). In its judgments, the Markets Court has been critical of the DPA's insufficient reasoning behind its decisions and of the way its fines were calculated.
In April 2020, the DPA found that the head of a department within an organisation cannot be appointed as DPO, given that in the first role the person determines the purposes and means of the personal data that is being processed, while the second role entails supervising these choices. Hence, a conflict of interests may arise (see above). The organisation, Belgium's largest telecommunications provider, was fined €50,000.
In May 2020, the DPA fined a social media platform because it allowed its members to invite their friends to register for the platform by uploading all contact data and sending invitations by email to these persons. This meant that the personal data of non-users was being processed without any lawful basis as they did not give consent and because this form of processing did not pass the legitimate interest test. A fine of €50,000 was imposed.
The highest fine yet was imposed by the DPA on Google in July 2020 and amounted to €600,000 for failing to remove search results of a publicly known person (right to be forgotten) that showed his past political affiliations and a complaint for bullying that was filed against him in the past.
iii Private litigation
Private plaintiffs may seek judicial redress before the civil courts on the basis of the general legal provisions related to tort or, in some cases, contractual liability. In addition, they may file a criminal complaint against the party that committed the privacy breach. Financial compensation is possible, to the extent that the plaintiff is able to prove the existence of damages as well as the causal link between the damage and the privacy breach. Under Belgian law, there is no system of punitive damages.
The Belgian DPA received 351 complaints following the entry into force of the GDPR, which mostly concerned data subject rights, camera surveillance or direct marketing. As mentioned above, only one fine has been issued to date.
Considerations for foreign organisations
Organisations based or operating outside Belgium may be subject to the Belgian data protection regime to the extent that they process personal data in Belgium. Physical presence in Belgium (either through a local legal entity or branch office, with or without employees, or through the use of servers or other infrastructure located on Belgian territory) will trigger the jurisdiction of Belgian privacy and data protection law even if the personal data that is processed in Belgium relates to foreign individuals. Foreign companies using cloud computing services for the processing of their personal client or employee data may, therefore, be subject to Belgian law (with respect to such processing) if the data is stored on Belgian servers.
It should be noted that the GDPR applies to data controllers having no presence at all (establishment, assets, legal representative, etc.) in the EU but who process EU citizens' personal data in connection with goods or services offered to those EU citizens; or who monitor the behaviour of individuals within the EU.
Cybersecurity and data breaches
As a member of the Council of Europe, Belgium entered into the Council's Convention on Cybercrime of 23 November 2001. Belgium implemented the Convention's requirements through an amendment of the Act of 28 November 2000 on cybercrime, which introduced cybercrime into the Belgian Criminal Code. With the Act of 15 May 2006, Belgium also implemented the requirements of the Additional Protocol to the Convention on Cybercrime of 28 January 2003 concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems.
As previously mentioned, the CCB performs the following tasks:
- monitoring Belgium's cybersecurity;
- managing cybersecurity incidents;
- overseeing various cybersecurity projects;
- formulating legislative proposals relating to cybersecurity; and
- issuing standards and guidelines for securing public sector IT systems.
With respect to data breach notifications, Article 114/1, Section 2 of the Electronic Communications Act requires companies in the telecommunications sector to notify personal data breaches to the DPA immediately (within 24 hours); the DPA must transmit a copy of the notification to the Belgian Institute for Postal Services and Telecommunications. If the breach affects personal data or the privacy of individuals, the company must also notify the data subjects affected by the breach. The NIS Act additionally provides for a detailed procedure regarding breaches for operators of essential services (see above).
Article 33 of the GDPR imposes a duty on the data controller to report personal data breaches to the DPA without undue delay and, where feasible, not later than 72 hours after having become aware of the breach. This notification must describe the nature of the breach, communicate the details of the DPO or other contact point where more information can be obtained, describe the likely consequences of the breach and describe the measures taken or proposed to be taken by the controller to address it. A communication to the data subjects may in some cases also be necessary, namely where there is a high risk to their rights and freedoms. It must be noted that the DPA stresses that, in the event of public incidents, the DPA must be informed of the causes and damage within 48 hours. Although the concept of a 'public incident' is not explained in greater detail, this could refer to an incident in which a breach has occurred that is likely to become known to the public or the DPA via, for example, the media, the internet or complaints from individuals. In the period between May 2019 and May 2020, the DPA was informed of 937 data breaches.
The Belgian DPA needed a year to sufficiently organise itself and could only commence the exercise of its tasks in May 2019. Despite this late start, it has already delivered a few important decisions in the second year following the entry into force of the GDPR. The DPO and Google decisions show that the DPA is handling complex cases with significant consequences and with ever larger fines. Certainly, more decisions are expected to follow.
The enormous growth of GDPR fines across the European Union may, however, lead to a divergence in the interpretation of the Regulation's provisions. Given that effective enforcement is indispensable to any legislation, but should not come at the expense of legal certainty, it must be ensured that the principles of sanctioning are harmonised across the European Union, for instance by the publication of EDPB guidelines on fining under the GDPR, following the example of the German DPAs, which introduced their own national guidelines (in itself a sign of divergence).
In addition, the European Commission concluded in its review of the GDPR's implementation on the occasion of its second anniversary that national DPAs have not yet made full use of the tools the GDPR provides, such as joint operations that could lead to joint investigations. Stronger cooperation could lead to a further strengthening of the privacy of European citizens, as cross-border cases are more likely to involve a large number of data subjects.
The Schrems II decision, which has invalidated the EU–US Privacy Shield but upheld the validity of standard contractual clauses under certain circumstances, means that transfers of data to the United States will have to be treated more carefully and that standard contractual clauses will gain importance.
Unfortunately, it is not clear when the ePrivacy Regulation, which will override the GDPR and provide for more clarity regarding specific issues that may arise concerning privacy in connection with online interactions, will be agreed upon. The ongoing negotiations only mean that its implementation will again be delayed until 2023 or later.
For the time being, covid-19 will remain the most important privacy risk as countries will be carefully balancing the right of privacy against the protection of public health. The further introduction of tracking apps and a more organised state system to monitor cases and trace contacts in a second wave of covid-19 will require national DPAs' strong supervision more than ever, as even in the light of a severe pandemic the importance of privacy and data protection of individuals should not be disregarded.
1 Steven De Schrijver and Olivier Van Fraeyenhoven are partners at Astrea.