The Privacy, Data Protection and Cybersecurity Law Review: Belgium
The Belgian legislative and regulatory approach to privacy, data protection and cybersecurity is quite comprehensive. The most important legal provisions can be found in the following documents:
- Article 22 of the Belgian Constitution, which provides that everyone is entitled to the protection of his or her private and family life;
- the Act of 28 November 2000 on Cybercrime;
- the Act of 13 June 2005 on Electronic Communications (Electronic Communications Act);
- Book XII (Law of the Electronic Economy) of the Code of Economic Law, as adopted by the Act of 15 December 2013;
- the Act of 3 December 2017 on the establishment of the Data Protection Authority (DPA);
- the General Data Protection Regulation 2016/679 (GDPR), which is the EU regulation on data protection and privacy;
- the Act of 30 July 2018 on the Protection of Natural Persons with regard to the Processing of Personal Data (Data Protection Act) (which replaced the former Belgian Data Protection Act of 8 December 1992 with effect as of 5 September 2018). It concerns the further implementation of the GDPR and Directive 2016/680 regarding the processing of data by competent authorities for the purposes of the prevention, investigation, detection and prosecution of criminal offences; and
- the Act of 7 April 2019 establishing a framework for the security of networks and information systems of general interest for public security (and the Royal Decree of 12 July 2019, which specifies certain provisions of this Act).
Belgium, as a member of the European Union, is subject to European Union law including the GDPR. The right to privacy is embedded in the Belgian Constitution, and privacy and data protection rules offer strong safeguards to Belgian citizens and foreigners living in Belgium. In addition, Article 8 on the right to respect for private and family life of the European Convention on Human Rights and Fundamental Freedoms, as well as Article 7 on the right to respect for private and family life and Article 8 on the right to protection of personal data of the Charter for Fundamental Rights of the European Union, apply directly in Belgium.
This contribution sets out the most important Belgian laws relating to privacy and data protection. It looks into the Belgian implementation of the GDPR and its results, including some of the most important fines delivered by the DPA as of May 2019 (when it became fully operational) until August 2021.
Given that the GDPR applies directly in all EU Member States, its content will not be reviewed in detail.
The year in review
Without any doubt, the most challenging event for privacy in 2020 was, and continues to be in 2021, covid-19. Belgium, like most countries, was forced to introduce far-reaching measures across all layers of public life to limit the spread of the virus, which raised many privacy questions. The fact that sensitive data concerning health is involved, as well as location-based data, makes the issue even more difficult. Employers have to understand whether, and how, they may check whether their employees could be ill; restaurants and bars had to register clients for contact tracing purposes for a certain period of time; data concerning the health of covid-19 patients has to be shared with governmental institutions; etc. The DPA stepped in early to provide practical guidelines with regard to the processing of personal data under the current circumstances. This shows the importance of early intervention by supervisory authorities in providing practical information to the public, which helps to ensure that important rights are not disregarded and that security does not override privacy.
Contrary to other countries, Belgium has opted for a human-controlled contact tracing programme by which infected persons are contacted by 'contact tracers' and are asked several questions on their recent whereabouts. This information can be used to contact potentially infected persons and advise them to stay at home or get tested. A legislative framework has been put in place to ensure GDPR compliance (e.g., by providing a lawful basis for processing, determining the purposes of the processing, limiting the information collected and setting out rules on data storage and erasure).
A shift of focus took place in the second half of 2020. Whereas at first information on whether a certain person could have been infected by covid-19 was essential to the government and many organisations, the focus now lies increasingly on whether a person is (fully) vaccinated against the virus. Contrary to other countries like France, Belgium has not (yet) introduced measures that would limit access to certain facilities such as bars and restaurants or schools to vaccinated people only. The DPA has currently taken the stance that such measures would be against the GDPR, as would be the request of an employer to an employee to present proof of vaccination. However, for certain events a covid safe ticket is required, which shows whether the person has been vaccinated, has had covid-19 or has obtained a negative test result.
The number of enforcement actions of the DPA has seen further growth in 2020 and 2021, although a number of decisions were annulled on procedural grounds, including the decision that imposed the highest Belgian fine yet under the GDPR (€600,000 on Google).
Cybercrime continues to constitute a considerable threat to Belgian businesses. In 2020, 40 per cent of Belgian businesses were targeted by cyberattacks (mostly ransomware) according to the Cyber Readiness Report 2021 prepared by Hiscox, a British insurer. Of these, 49 per cent of Belgian businesses paid a ransom that was on average €10,000 (the highest amount paid was €496,323). A parliamentary report from November 2020 states that Belgian companies pay €100 million in ransom on a yearly basis to hackers. Of course, the real costs are far higher, as not all companies report that they have paid a ransom. Moreover, the actual cost for companies often involves fees for the legal and technical specialists who are involved in responding to the cyberattack. In May 2021, Belgium was hit by the largest cyberattack in its digital history, targeting Belnet, the country's first internet service provider, which is managed by the government. The attack was probably meant to cripple the functioning of Belgian government online services. Although the hackers did not fully succeed in doing so, several government websites did not work properly for a couple of hours, certain online classes in universities could not be held due to connection problems, a number of parliamentary meetings were postponed, the Brussels public transport company STIB-MIVB had problems selling transport tickets, and online tax services were disrupted, as well as online vaccination appointment services.
i Privacy and data protection legislation and standards
The GDPR came into force on 25 May 2018 and directly applies to data processing activities performed by Belgium-based controllers and processors. Under the GDPR, personal data means any information relating to an identified or identifiable natural person, whereby an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The data controller is the person who alone or jointly with others determines the purposes and means of the processing of personal data, and data processors are persons that process personal data on behalf of a data controller. Under Belgian law, it is also possible for different persons or entities to act as data controller in respect of the same personal data.
The Belgian Data Protection Act implementing the GDPR entered into force on 5 September 2018. The Act deals with, among other things, areas in the GDPR where the national legislator was able to add additional or clarifying requirements. This includes the age of children's consent, additional requirements for the processing of genetic, biometric and health data, additional requirements regarding the processing of criminal data, restrictions regarding processing for journalistic purposes and for the purpose of academic, artistic or literary expression, and additional exceptions for processing for the purpose of archiving in the public interest or for scientific or historical research or statistical purposes.
Regarding the processing of genetic, biometric and health data, or data related to criminal convictions and offences, the Belgian legislator has set out measures that must be taken, such as maintaining a list of the persons entitled to consult the data, who must be bound by a legal or contractual duty of confidentiality, together with a description of their functions related to the processing of such data. The controller or processor must make this list available to the DPA on request.
Concerning the processing of criminal data, Belgian law provides for additional grounds to process the data. As with the processing of genetic, biometric and health data, the persons entitled to consult this data must be designated, and bound by a legal or contractual duty of confidentiality, and a list must be kept at the disposal of the DPA. The following are additional grounds for processing of criminal data:
- by private companies, if necessary for the management of litigation to which the company is a party;
- by legal advisers if necessary to defend the interests of a client;
- if necessary for substantial public interest reasons or to perform a task in the public interest; and
- if necessary for archiving, scientific, historical research or statistical purposes.
The Belgian legislator has also included specific exceptions to data subject rights for processing for journalistic, academic, artistic or literary purposes, as well as for archiving in the public interest or for scientific or historical research or statistical purposes, whereby some of the articles of the GDPR such as consent, information obligation, right to restrict processing and right to object do not apply. It is noteworthy that disclosure of the register, personal data breach notifications and the duty to cooperate with the DPA also do not apply if they would jeopardise an intended publication or constitute a prior control.
Concerning archiving in the public interest or for scientific or historical research or statistical purposes, the data subject's rights are also restricted if these rights would render it impossible or seriously impair the achievement of these purposes. However, additional requirements are also imposed, such as an explanation in the records of why such data is processed, why an exercise of the data subject's rights would impair the achievement of the purposes and a justification for the use of data without pseudonymising this data, as well as, if necessary, the conducting of a data processing impact assessment. Data subjects should be informed whether the data is pseudonymised, as well as why the exercise of their rights would impair the achievement of the aforementioned purposes.
The Data Protection Act consolidates the patchy Belgian data protection regulatory framework that existed before the entry into force of the GDPR. For example, it incorporates the provisions of the Act of 25 December 2016 on the processors of passenger data.
In implementing Directive 2016/680 on the processing of personal data by criminal authorities, the Data Protection Act imposes certain requirements on government entities. For example, army forces and intelligence and security services must now comply with requests from data subjects to exercise certain data protection rights, albeit in a restricted fashion.
ii General obligations for data handlers
Data may be processed if the processing meets one of the requirements of Article 6 of the GDPR. The processing must comply with the general principles of data processing as set out in the GDPR. Sensitive personal data (i.e., personal data related to, for instance, racial or ethnic origin, sexual orientation or health) may only be processed if the processing meets the requirements of Article 9 of the GDPR.
Regarding consent, it must be added that parental consent is required for the processing of personal data concerning information services for children under the age of 13 (as opposed to the age of 16 in Article 8.1 of the GDPR).
As mentioned before, the Data Protection Act also further regulates possible exceptions regarding the processing of the above special categories of data in implementation of the GDPR.
With respect to the processing of employees' personal data, the DPA finds that such processing should be based on legal grounds other than consent, in particular the performance of a contract with the data subject, since obtaining valid consent from employees is considered difficult (if not impossible) given their subordinate relationship with the employer.
Since the GDPR has come into effect, data controllers no longer need to notify the DPA of all types of data processing operations. Instead, they are bound to keep records of their processing activities. It is now up to the controller to be able to prove that it has obtained consent for its data processing or has a legitimate reason for doing so under the GDPR.
Another obligation under the GDPR is the appointment of a data protection officer (DPO) in specific cases, such as for public authorities, or when there is large-scale systematic monitoring of personal data or large-scale processing of sensitive data.
In April 2020, the DPA delivered an important decision by which it imposed a fine of €50,000 on Belgium's largest telecoms company as its DPO also exercised the function of head of the audit, risk and compliance departments, which could be seen as a conflict of interests. After all, this meant that the respective person could determine the purposes and means of the processing of personal data within these departments, while also exercising supervision on these choices in his or her role as DPO. Hence, the DPA found that a person cannot combine the role of DPO and head of any department within the same organisation, as this role cannot be exercised independently.
iii Data subject rights
The GDPR sets out clearly which rights data subjects possess in Articles 13–22, which include the right of access, the right to rectification and the right to erasure.
iv Specific regulatory areas
Although Belgium has not adopted a sectoral approach towards data protection legislation, there are nevertheless separate regulations in place for certain industries and special (more vulnerable) data subjects. In addition to the Data Protection Act, specific laws have been adopted to provide additional protection for data subjects in the following sectors:
- Camera surveillance: the installation and use of surveillance cameras is governed by the Camera Surveillance Law of 21 March 2007.
- Workplace privacy: the installation and use of surveillance cameras for the specific purpose of monitoring employees is subject to Collective Bargaining Agreement No. 68 of 16 June 1998 concerning the camera surveillance of employees. In addition, the monitoring of employees' online communication is subject to the rules laid down in Collective Bargaining Agreement No. 81 of 26 April 2002 concerning the monitoring of electronic communications of employees.
- Electronic communications: the Electronic Communications Act of 13 June 2005 contains provisions on the secrecy of electronic communications and the protection of privacy in relation to such communications. Furthermore, the Electronic Communications Act imposes requirements on providers of telecommunication and internet services regarding data retention, the use of location data and the notification of data security breaches.
- Medical privacy: the Patient Rights Act of 22 August 2002 governs, inter alia, the use of patients' data and the information that patients need to receive in this respect. The Act of 21 August 2008 governs the establishment and organisation of the e-Health Platform. The Insurance Act of 4 April 2014 was amended to include a right to be forgotten for cancer patients entering into a credit insurance agreement. Their medical past with respect to cancer cannot be taken into account, provided that 10 years have lapsed since a successful treatment and no relapse took place within this period. This right applies to credit insurance contracts as of 1 February 2020.
- Financial privacy: the financial sector is heavily regulated. For instance, the use of credit card information for profiling violates consumer credit legislation, which clearly states that personal data collected by financial institutions can only be processed for specific purposes, only some data can be collected, and it is prohibited to use the data collected within the credit relationship for direct marketing or prospection purposes. Belgian legislation also requires that information be deleted when its retention is no longer justified. Further rules can be found in Book VII of the Belgian Code of Economic Law and the Act of 18 September 2018 on the prevention of money laundering and terrorist financing and the restriction on the use of cash.
On 3 May 2019, the Belgian Network and Information Security Act (NIS Act) entered into force, transposing the EU Network and Information Security Directive 2016/1148 (NIS Directive), which is currently being reviewed. In addition to the specific data protection rules above, the NIS Act adds a legal basis for higher cybersecurity standards in respect of certain essential services.
Pursuant to the Act, authorised government entities on two different levels, with separate functions, are in charge of ensuring compliance with the NIS Act. A national public entity (the Centre for Cybersecurity Belgium) is charged with monitoring compliance with and coordination of the implementation of this Act. On a sectoral level, sectoral authorities are charged with monitoring compliance for their respective sectors. A Royal Decree of 12 July 2019 provides a legal framework for its powers as well as for the notification and processing of incidents.
The NIS Act applies in particular to operators of essential services (OESs). OESs can be found in the following industries:
- energy (electricity, oil and gas);
- transportation (air, rail, water and road);
- banking and financial market infrastructure;
- health and drinking water supply and distribution; and
- digital infrastructure (including digital services such as online sales platforms, online search engines and cloud computing services).
To ensure an adequate level of network and information security in these sectors and to prevent, handle and respond to incidents affecting networks and information systems, the NIS Act sets out the following obligations for these OESs:
- the obligation to take appropriate technical and organisational measures to manage the risks posed to their network and information systems, and to prevent or minimise the impact in the event of a data breach; and
- the obligation to notify the competent authority, without undue delay, of all incidents with a significant impact on the security of the core services provided by these operators. To assess the impact of an incident, the following criteria should be taken into account: the number of users affected; the duration of the incident; the geographical spread with regard to the area affected by the incident; and in relation to certain OESs, the disruption of the functioning of the service and the extent of the impact on economic and societal activities.
The notification obligations, preventive actions and sanctions under the NIS Act should increase transparency regarding network and information security and heighten awareness of cybersecurity risks in the above-mentioned essential services.
The Act foresees the identification of OESs and establishes the safety requirements both on a national and sectoral level, as well as how these are monitored through internal and external audits, and sanctions for non-compliance (e.g., fines).
Concerning computer security incidents, the Act also establishes computer security incident response teams at national and sectoral level, as well as the procedures for reporting security incidents.
v Technological innovation and privacy law
According to the DPA, consent cannot be considered validly given by ticking a box in the browser settings. In its Direct Marketing Guidelines (see below), it has also underlined the importance of active opt-in by the user, which means that the user must tick a box to accept cookies, but also has the right not to do so.
In addition, the proposal for an ePrivacy Regulation clarifies that no consent has to be obtained for non-privacy-intrusive cookies that improve the internet experience (e.g., shopping-cart history) or cookies used by a website to count the number of visitors.
It was initially foreseen that the ePrivacy Regulation would enter into force simultaneously with the GDPR, but the negotiations have been delayed and it is currently still unknown when an agreement on the final text will be reached.
Electronic marketing and advertising is regulated by the provisions of Book XII (Law of the Electronic Economy) of the Code of Economic Law, which has transposed Directive 2002/58/EC of the European Parliament and the Council of 12 July 2002, as adopted by the Act of 15 December 2013, as well as the Royal Decree of 4 April 2003 providing for exceptions. The Belgian DPA has provided a lengthy recommendation (No 1/2020 of 17 January 2020) in which it discusses the most pressing direct marketing questions and provides useful guidance.
The automated sending of marketing communications by telephone without human intervention or by fax is prohibited without prior consent.
When a company wants to contact an individual personally by phone (i.e., in a non-automated manner) for marketing purposes, it should first check whether the individual is on the 'do-not-call-me' list of the non-profit organisation DNCM. Telecom operators should inform their users about this list and the option to register online. If the individual is registered on the list, the company should obtain the individual's specific consent before contacting him or her.
Likewise, the use of emails for advertising purposes is prohibited without the prior, free, specific and informed consent of the addressee pursuant to Section XII.13 of the Code of Economic Law. This consent can be revoked at any time, without any justification or any cost for the addressee. The sender must clearly inform the addressee of its right to refuse the receipt of any future email advertisements and on how to exercise this right using electronic means. The sender must also be able to prove that the addressee requested the receipt of electronic advertising. The sending of direct marketing emails does not require consent if they are sent to a legal entity using 'impersonal' electronic contact details (e.g., [email protected]) that also do not fall within the scope of the GDPR. The use of addresses such as [email protected], which include personal data, however, remains subject to the requirement for prior consent.
Other exceptions could also apply regarding electronic advertisements, such as for existing clients to whom advertisements are sent for similar products or services, given that the client did not object thereto. These exceptions are based on national legislation predating the GDPR, but have been accepted by the DPA as they can be justified as a legitimate interest.
Unless individuals have opted out, direct marketing communications through alternative means are allowed. Nonetheless, the GDPR prescribes a general obligation for data controllers to offer data subjects the right to opt out of the processing of their personal data for direct marketing purposes.
The European Data Protection Board (EDPB) issued its Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR underlining the necessity of both pieces of legislation. In some cases, both apply, or the ePrivacy Directive even goes further than the GDPR (e.g., by protecting the legitimate interests of legal persons instead of only natural persons). So, if the ePrivacy Directive makes GDPR rules more specific, the former should prevail. In online marketing, for instance, if the ePrivacy Directive sets out a requirement to obtain consent for specific data processing, this will override all other possible lawful grounds for processing provided for by Article 6 of the GDPR.
The Camera Surveillance Act of 21 March 2007 regulates the placement and use of camera surveillance in Belgium.
A surveillance camera falls within the scope of this Act if it involves a fixed (temporary or permanent) or mobile observation system whose purpose is to survey and guard certain areas and that processes images for this purpose.
The purpose is further elaborated in Article 3 of the Camera Surveillance Law as being either of the following: prevention, ascertaining or investigation of crimes against persons or goods; or prevention, ascertaining or investigation of nuisance in accordance with Article 135 of the New Act on Municipalities, monitoring of the compliance with municipal regulations and public order.
To install camera surveillance, it is required that the police, rather than the DPA, be informed. This takes place via an online application.
The data controller must keep a separate record concerning the processing of this data. Further details on this record will be determined by Royal Decree.
It is also required for data controllers who install a surveillance camera in publicly accessible venues to indicate the existence thereof with a visible sign in proximity of the camera, as well as the provision in proximity of the camera of a screen that displays the images being recorded.
The use of surveillance cameras regulated by other special legislation or by public authorities does not fall within the scope of the Camera Surveillance Law. If surveillance cameras are used merely to monitor the safety, health, protection of the assets of the company and monitoring of the production process and the labour of employees, the Camera Surveillance Law is not applicable. However, if the surveillance cameras are also used for one of the purposes listed above in accordance with Article 3 of the Camera Surveillance Law, the Camera Surveillance Law will apply and precede any other legislation.
Employee monitoring is strictly regulated under Belgian law. Apart from the rules embedded in the Camera Surveillance Act of 16 April 2018, which will apply if the surveillance of employees would fall within its scope as discussed above, the monitoring of employees by means of surveillance cameras in particular is subject to the provisions of Collective Bargaining Agreement No. 68 of 16 June 1998. Pursuant to this Agreement, surveillance cameras are only allowed in the workplace for specific purposes:
- the protection of health and safety;
- the protection of the company's assets;
- control of the production process; and
- control of the work performed by employees.
In the latter case, monitoring may only be on a temporary basis. Employees must also be adequately informed of the purposes and the timing of the monitoring.
With respect to monitoring of emails and internet use, Collective Bargaining Agreement No. 81 of 26 April 2002 imposes strict conditions. Monitoring cannot be carried out systematically and on an individual basis. A monitoring system of emails and internet use should be general and collective, which means that it may not enable the identification of individual employees. The employer is only allowed to proceed with the identification of the employees concerned if the collective monitoring has unveiled an issue that could bring damage to the company or threaten the company's interests or the security of its IT infrastructure. If the issue only relates to a violation of the internal (internet) policies or the code of conduct, identification is only allowed after the employees have been informed of the fact that irregularities have been uncovered and that identification will take place if irregularities occur again in the future.
Finally, GPS monitoring in company cars is only allowed under Belgian law with respect to the use of the company car for professional reasons. Private use of the company car (i.e., journeys to and from the workplace and use during private time) cannot be monitored.
International data transfer and data localisation
Cross-border data transfers within the EEA or to countries that are considered to provide adequate data protection in accordance with EU and Belgian law are permitted. Transfers to other countries are only allowed if the transferor guarantees that adequate safeguards are in place. This can be done by entering into a model data transfer agreement (based on the EU standard contractual clauses) with the recipient or if the transfer is subject to binding corporate rules (BCRs).
Some countries are deemed to be adequate by the European Commission: Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.
The EU–US Privacy Shield survived the second annual review at the end of 2018, resulting in the appointment of an ombudsperson by the US in February 2019 to handle any EU citizens' complaints, the sole demand made by the EU following the review. However, on 16 July 2020, the European Court of Justice decided in the Schrems II case (in which the international transfer of data by Facebook to the United States on the basis of standard contractual clauses (SCCs) had been challenged) that the EU–US Privacy Shield is invalid, which means that it cannot be relied on anymore to transfer personal data to the US. The Court even ruled that data transfers to the United States by way of undersea cable are susceptible to access by US intelligence services, which means that these fall short of EU legal requirements. Moreover, the validity of SCCs was confirmed provided that the data exporter considers the law and practice of the country to which data will be transferred, especially if public authorities may have access to the data. Specifically for the United States, SCCs may nevertheless prove problematic as the decision itself implies that data subjects will not enjoy an equivalent level of protection in the United States as they do in the European Union.
Organisations may therefore be required to take additional measures besides adopting SCCs for their personal data transfers to the US to ensure compliance with the level of data protection required under EU law. These can be technical (e.g., encryption or pseudonymisation of personal data), contractual (e.g., a transparency requirement regarding access by public authorities to the personal data transferred to the third country) or organisational (e.g., the appointment of a specific expert team governing transfers of personal data).
In the case of doubt as to the protection of the personal data in a third country, DPAs are generally recommended to halt the transfer of personal data to the respective third country.
If an international data transfer is concluded under the EU SCCs, a copy of these must be submitted to the DPA for information. The DPA will check their compliance with the SCCs and will subsequently inform the data controller whether the transfer is permitted. Data controllers need to wait for this confirmation from the DPA before initiating their international data transfer. In June 2021, the European Commission adopted new SCCs following Schrems II that entered into force on 27 June 2021. Previous versions of the SCCs will remain applicable until 27 September 2021. A transition period of 15 months applies wherein the SCCs concluded before 27 September 2021 shall be deemed to provide appropriate safeguards, provided the processing operations that are the subject matter of the contract remain unchanged and that reliance on those clauses ensures the transfer of personal data is subject to appropriate safeguards. As of 27 December 2022, the new SCCs must be adopted.
In the case of non-standard ad hoc data transfer agreements, the DPA will examine whether the agreement provides adequate safeguards for the international data transfer. If the DPA considers the safeguards adequate, it will forward the request to the European Data Protection Board, whose approval is also required.
If a data controller offers sufficient guarantees of adequate data protection through BCRs, a copy of the BCRs must likewise be sent to the DPA for approval, and to the European Data Protection Board.
As a derogation from the above, transfers to countries not providing adequate protection are also permitted if the transfer:
- is made with the data subject's explicit consent, given after the data subject has been informed of the possible risks;
- is necessary for the performance of a contract with, or in the interests of, the data subject;
- is necessary or legally required on important public interest grounds or for legal claims;
- is necessary to protect the vital interests of the data subject; or
- is made from a public register.
Company policies and practices
The appointment of a data protection officer (DPO) has become obligatory for many companies under the GDPR. According to the Belgian DPA, the number of Belgian DPOs grew from 4,397 to 5,416 in the second year following the entry into force of the GDPR, and to 5,980 as of December 2020. As of May 2021, 6,625 DPOs are registered in Belgium. Larger corporations often also have regional privacy officers. In smaller companies, the appointment of a chief privacy officer is rare. However, given the increasing importance of privacy and data security, even smaller companies often have employees at management level in charge of data privacy compliance (often combined with other tasks).
In large organisations, it is considered best practice to have written information security plans. Although not required by law, such plans prove very useful, as companies must be able to demonstrate the security measures they have in place, for example to the DPA when notifying a data breach or during an investigation. The DPA has also recommended that companies have appropriate information security policies to avoid or address data security incidents. This has become even more important in view of the short deadlines for data breach notifications under the GDPR.
Under the GDPR, organisations processing personal data within the EU must maintain records of their processing activities. Organisations with fewer than 250 employees are exempt from keeping such records unless their processing is likely to result in a risk to the rights and freedoms of data subjects (e.g., automated decision-making), is not occasional, or includes special categories of data or data relating to criminal convictions.
Since these conditions are non-cumulative (any one of them suffices), virtually all organisations processing personal data can be expected to have to maintain records of their processing activities in practice, even if they employ fewer than 250 people. The DPA advises all companies to do so.
In substance, these records should identify who processes personal data, what data is processed, and why, where, how and for how long it is processed.
Discovery and disclosure
Pursuant to the Belgian Code of Criminal Procedure, public prosecutors and examining magistrates have the power to request the disclosure of personal data of users of electronic communications services (including telephone, email and internet) in the context of criminal investigations. This personal data may include, inter alia, names, IP logs, telephone numbers, aliases, alternative email addresses and billing information. Examining magistrates may also require the technical cooperation of electronic communications service providers and network operators in connection with wiretaps.
The personal and territorial scope of these powers has been the subject of heated debate before the Belgian Supreme Court (Court of Cassation) and the criminal courts in two major cases involving Yahoo! and Skype.
Belgian law enforcement makes frequent use of its powers to request data from providers of electronic communications services. For instance, Microsoft received 521 such requests from Belgian authorities in 2019 and 593 in 2020; Google received 1,002 in 2019 and 580 in the first half of 2020.
Public and private enforcement
i Enforcement agencies
The Belgian enforcement agency with responsibility for privacy and data protection is the DPA, which is an independent administrative authority with legal personality and extensive investigative and sanctioning powers.
The DPA's mission is, inter alia, to monitor compliance with the provisions of the GDPR and the Data Protection Act. To this end, the DPA has general powers of investigation with respect to any type of processing of personal data (including the hearing of witnesses, conducting on-site inspections, seizing or sealing of goods, documents and computer systems) and may file a criminal complaint with the public prosecutor. It may also institute a civil action before the president of the court of first instance.
In May 2021, the Belgian DPA as the lead authority approved the EU Data Protection Code of Conduct for Cloud Service Providers, the first transnational EU code of conduct under the GDPR.
The Belgian DPA's task is also to advise on new laws and regulations. It rendered 138 pieces of such advice in 2020 and already 127 in 2021 (as of July 2021).
Legal persons, associations and institutions, as well as natural persons, may lodge a complaint about an alleged data protection infringement.
ii Recent enforcement cases
While the Belgian DPA only became fully operational in May 2019 and therefore took some time to deliver its first decisions under the GDPR, the number of decisions rendered in 2020 rose to 83, including 34 decisions on the merits. Seventy-eight sanctions were issued, including 19 monetary fines totalling €885,000 (of which €57,000 was annulled on appeal).
The most important recent enforcement case undertaken by the DPA is the one initiated against Facebook in June 2015 concerning its unlawful processing of data through hidden cookies. The court of first instance ruled against Facebook. On Facebook's appeal, the Brussels Court of Appeal referred the case to the European Court of Justice in May 2019, as Facebook argued that the Belgian DPA was not the lead supervisory authority competent to handle the case, its EU seat being registered in Ireland. In June 2021, however, the Court of Justice ruled that a supervisory authority other than the lead supervisory authority may bring an alleged infringement of the GDPR before a court of its own Member State and, where appropriate, initiate or engage in legal proceedings, both with respect to the main establishment of the controller located in that Member State and with respect to another establishment of the controller, provided that the proceedings concern processing carried out in the context of the activities of that establishment and that the authority is competent to exercise that power. This implies that the case before the Brussels Court of Appeal may continue.
In April 2020, the DPA found that the head of a department within an organisation cannot be appointed as DPO, because in the first role the person determines the purposes and means of the processing of personal data, while the second role entails supervising those choices. A conflict of interests may therefore arise (see above). The organisation, Belgium's largest telecommunications provider, was fined €50,000.
In May 2020, the DPA fined a social media platform €50,000 because it allowed members to invite their friends to register by uploading their contact lists, after which the platform emailed invitations to those contacts. The personal data of non-users was thus processed without any lawful basis: they had not given consent, and the processing did not pass the legitimate interest test.
In January 2021, a company that has been sending gift boxes to the parents of newborn babies since 1952 was fined €50,000 for sharing the personal data of its 1 million customers with third parties for years without valid consent from the data subjects involved.
In April 2021, an organisation giving access to the credit register of the Belgian National Bank was fined €100,000 for insufficient security measures, all personnel having shared a single login. In addition, the organisation's DPO, who also acted as chief information security officer and was part of management, could not combine both roles because of possible conflicts of interest.
The highest fine to date was imposed by the DPA on Google in July 2020 and amounted to €600,000 for failing to remove search results concerning a publicly known person (right to be forgotten) that showed his past political affiliations and a bullying complaint filed against him in the past. This decision was, however, annulled on appeal: the Brussels Court of Appeal ruled that the corrective measures imposed by the DPA should have been addressed to the data controller (Google LLC) rather than to its Belgian subsidiary, the DPA having failed to explain sufficiently how the activities of the Belgian subsidiary were inextricably linked to those of Google LLC.
Most fines issued by the Belgian DPA range between €1,000 and €50,000.
iii Private litigation
Private plaintiffs may seek judicial redress before the civil courts on the basis of the general legal provisions related to tort or, in some cases, contractual liability. In addition, they may file a criminal complaint against the party that committed the privacy breach. Financial compensation is possible, to the extent that the plaintiff is able to prove the existence of damage as well as the causal link between the damage and the privacy breach. Under Belgian law, there is no system of punitive damages.
The DPA received 351 complaints following the entry into force of the GDPR. In 2020, this number nearly doubled to 668. Complaints mostly relate to general GDPR matters (26.05 per cent), data subject rights (10.48 per cent), privacy principles (9.58 per cent) and direct marketing (6.29 per cent).
Considerations for foreign organisations
Organisations based or operating outside Belgium may be subject to the Belgian data protection regime to the extent that they process personal data in Belgium. Physical presence in Belgium (either through a local legal entity or branch office, with or without employees, or through the use of servers or other infrastructure located on Belgian territory) will trigger the jurisdiction of Belgian privacy and data protection law even if the personal data that is processed in Belgium relates to foreign individuals. Foreign companies using cloud computing services for the processing of their personal client or employee data may, therefore, be subject to Belgian law (with respect to such processing) if the data is stored on Belgian servers.
It should be noted that the GDPR also applies to data controllers with no presence at all in the EU (no establishment, assets, legal representative, etc.) that process the personal data of individuals in the EU in connection with goods or services offered to those individuals, or that monitor the behaviour of individuals within the EU.
Cybersecurity and data breaches
As a member of the Council of Europe, Belgium entered into the Council's Convention on Cybercrime of 23 November 2001. Belgium implemented the Convention's requirements through an amendment of the Act of 28 November 2000 on cybercrime, which introduced cybercrime into the Belgian Criminal Code. With the Act of 15 May 2006, Belgium also implemented the requirements of the Additional Protocol to the Convention on Cybercrime of 28 January 2003 concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems.
As previously mentioned, the Centre for Cybersecurity Belgium (CCB) performs the following tasks:
- monitoring Belgium's cybersecurity;
- managing cybersecurity incidents;
- overseeing various cybersecurity projects;
- formulating legislative proposals relating to cybersecurity; and
- issuing standards and guidelines for securing public sector IT systems.
With respect to data breach notifications, Article 114/1, Section 2 of the Electronic Communications Act requires companies in the telecommunications sector to notify personal data breaches to the DPA immediately (within 24 hours); the DPA must transmit a copy of the notification to the Belgian Institute for Postal Services and Telecommunications. If the breach is likely to adversely affect the personal data or privacy of individuals, the company must also notify the data subjects concerned. The NIS Act additionally provides a detailed incident procedure for operators of essential services (see above).
Article 33 of the GDPR requires the data controller to report personal data breaches to the DPA without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach. The notification must describe the nature of the breach (including, where possible, the categories and approximate number of data subjects and records concerned), give the contact details of the DPO or another contact point where more information can be obtained, describe the likely consequences of the breach, and describe the measures taken or proposed by the controller to address it. Under Article 34, the data subjects must also be informed where the breach is likely to result in a high risk to their rights and freedoms. It should be noted that the DPA stresses that, in the event of a public incident, it must be informed within 48 hours of the causes and the damage. Although the concept of a public incident is not explained in greater detail, it presumably refers to a breach that is likely to become known to the public or the DPA via, for example, the media, the internet or complaints from individuals. In 2019, the DPA was informed of 877 data breaches. The number of notified data breaches rose to 1,232 in 2020 and so far in 2021.
From 2020 to 2025, the DPA's plan is to focus on the processing of personal data by governmental authorities, direct marketing, the online protection of personal data (including cookies), the role of DPOs and the general awareness of the public with respect to privacy. As a number of enforcement actions relating to these topics were already taken in 2020, more such actions in these fields are expected.
Cybercrime continues to be a challenge for many countries. In May 2021, only two weeks after the largest cyberattack in its history, Belgium presented a 'Cyber Strategy 2.0' aimed at making it one of the least vulnerable countries by 2025. It includes investment in cybersecurity, raising public awareness of cybersecurity, and new diplomatic procedures for cases in which foreign actors are identified as responsible for a cyberattack. The EU's new package of cybersecurity measures, including the revision of the NIS Directive (NIS 2), which would bring important entities within its scope in addition to essential entities, is likely to strengthen the legal cybersecurity framework further.
It remains unclear when the ePrivacy Regulation will be agreed. It will complement the GDPR and, as the more specific instrument for electronic communications, take precedence over it, providing more clarity on specific privacy issues arising from online interactions. The ongoing negotiations mean that its entry into application will again be delayed, until 2023 or later.
For the time being, covid-19 will remain the most important privacy risk, as countries continue to balance the right to privacy carefully against the protection of public health. The focus is shifting from whether a person is infected to whether a person is vaccinated. Important privacy issues may arise if the trend in the EU to refuse unvaccinated persons entry to certain facilities, or to require them to present a Covid Safe Ticket (possibly on the basis of a recent PCR test), continues. Strong supervision by the national DPAs of the legality of such measures from a privacy perspective remains essential.
1 Steven De Schrijver and Olivier Van Fraeyenhoven are partners at Astrea.