Belgium

Privacy Culture

For a small country, Belgium is a significant hub for many international companies, not to mention that Brussels is the centre for all the mayor EU institutions. Data protection & privacy issues remain a key priority for the Belgian government. The political parties forming the 2014 coalition set a new trend and drafted a coalition agreement that pays particular attention to privacy-related issues. That indicates how serious Belgians are about safeguarding their privacy. Even so, according to the 2015 EuroBarometer Survey on Data Protection issued by the European Commission some 33% of Belgians feel they have no control at all over their information provided online. This is in line with what other Europeans think (31% of all respondents are of the same opinion). 

Legal History

The basic act regarding data protection and privacy in Belgium is the Law on the protection of privacy in relation to the processing of personal data of December 8, 1992 (Loi relative à la protection de la vie privée à l'égard des traitements de données à caractère personnel or 'DPL'). The EU Data Protection Directive has been transposed into Belgian law by the royal Decree of 13 February 2001 (Arrêté royal portant exécution de la loi du 8 décembre 1992 relative à la protection de la vie privée à l’égard des traitements de données à caractère personnel or 'Royal Decree').

In addition to the DPL and the Royal Decree, Belgium has adopted a number of laws and rules that apply to the protection of privacy and personal data:

The Electronic Communications Act of 13 June 2005 (Loi relative aux communications électroniques) - contains provisions that protect privacy in relation to electronic communications and the confidentiality of such communications. 
The Camera Surveillance Law of 21 March 2007 (Loi réglant l'installation et l'utilisation de caméras de surveillance) - regulates the installation and use of surveillance cameras;
The Act on market practices and consumer protection of April 6, 2010 (Loi relative aux pratiques du marché et à la protection du consommateur) and the eCommerce Act of March 11, 2003 (Loi sur certains aspects juridiques des services de la société de l’information) - lays down conditions for sending electronic marketing communications.  
The Patient Rights Law of 22 August 2002 (Loi relative aux droits du patient)- includes, but is not limited to, the regulation of the use of patients' medical and personal data.


Enforcement and Court Action

The main authority responsible for overseeing and enforcement of Belgian data protection and privacy law is the Belgian Commission for the Protection of Privacy (Commissie voor de bescherming van de persoonlijke levenssfeer/Commission de la protection de la vie privée or 'CPP'). The CPP has power to issue non-binding recommendations that facilitate interpretation and application of the DPL. The Commission has investigatory powers and can execute them either ex officio or following complaints from individuals. 

When the CPP receives a complaint, it will first seek to reach an amicable solution between the parties. The CPP has the power to issue opinions as well as to initiate investigations in order to assess whether any violation of data protection & privacy law has occurred. The investigated data controller is under a legal obligation to provide all necessary information and to cooperate with the CPP. Notably, the Commission does not have the power to impose sanctions. Nevertheless, the CPP can refer the case to a prosecuting body if it determines that an offence was committed. Contraventions of the DPL may constitute a criminal offence and attract a fine of up to 550.000,00 EUR. The court may also order the erasure of the data, confiscation of the media containing the personal data to which the offence relates, and it can prohibit the control of any processing of personal data, directly or through an agent, for a period of up to two years. Any repeated violations of the data protection and privacy law may result in imprisonment for up to two years, and/or a fine up to 550.000,00 EUR. Moreover, a court may 'name and shame' the perpetrator by ordering the publication of the judgment in one or more newspapers.  


Corporate Risk

In general, data protection and privacy law infringements very rarely lead to criminal proceedings and these are typically only initiated in cases of severe violations. As a result, few criminal penalties have been imposed. Nevertheless, the CPP is becoming more active in this area. 

In 2015 the CPP has seen a significant rise in numbers, mainly due to its own significant increase in visibility with the general public. The Privacy Commission has indeed been very active in the media and in the public debate in 2015, and high-profile cases such as the “Facebook case” increase citizens’ awareness of their own rights and potential risks. 

More specifically, the CPP treated 4192 question/complaint files (an increase of 366 compared to 2014), of which 3561 were information requests, 347 mediation requests, and 284 control files. The CPP also initiated 5 recommendation files containing recommendations for legislative institutions or data controllers and 64 advice files, mostly triggered by requests for advice from legislative institutions. Out of 347 requests for mediation closed in 2015, 64% were declared to constitute a breach of privacy.


Future Outlook

The Secretary of State also intends to make the most out of the two-year period before the newly adopted GDPR enters into force to guide companies in seizing the opportunities that will arise from the GDPR. A set of guidance will be provided through the consultation platform on privacy, which consists of representatives of the sector federations and civil society.

Recent CPP investigations include a review of Facebook’s data protection policies, following the launch of its updated privacy policy in January 2015. In September 2015, the CPP started to investigate whether Facebook’s system of tracking of users via social media plug-ins complies with Belgian data protection & privacy law.

In the latest event the Facebook Inc. won an appeal in front of the Brussels Court of Appeal, which stated that the national data protection authority couldn’t prevent Facebook from storing data from non-users in a fight over measures the technology giant says help it combat hacking attacks. The main reason for such a ruling lies in the fact that Belgian courts don’t have international jurisdiction over Facebook Ireland, where the data concerning Europe is processed. The Court also said there was no urgency to rule on the case since Belgian court proceedings only started in mid-2015 over Facebook’s behaviour that started in 2012.

In October 2014, the Belgian Government appointed its very first Secretary of State for Privacy, Mr. Bart Tommelein. He has taken several initiatives in order to strengthen enforcement of the data protection & privacy law. Most notably, Mr. Tommelein proposed an amendment to the national legislation so that the Belgium’s Privacy Commission would be able to impose fines of up to 810.000,00 EUR against companies that break privacy and data protection laws. This proposal was a consequence of the fact that the Belgian law allows for criminal prosecutions for breaches of data protection laws, but they are rarely carried out. 

His successor, Philippe De Backer presented a policy note in June 2016 which sets out his plans in the area of privacy and data protection. His priorities are the reform of the Belgian data protection rules against the backdrop of the recently adopted GDPR, personal data and public security, personal data held by public authorities, open data and big data, privacy in the new media, and the security of personal data.


Sources:


1. Pricewaterhouse Coopers Legal LLP, Privacy and Security Enforcement Tracker, March 2015
http://pwc.blogs.com/data_protection/2015/03/enforcement-tracker-download-here.html 
European Commission, EROBAROMETER Survey on Data Protection, 28/02/2015 – 09/03/2015 http://ec.europa.eu/public_opinion/archives/ebs/ebs_431_fact_be_en.pdf 

2. Hunton & Williams: Wim Nauwelaerts & Laura De, The International Comparative Legal Guide to: Data Protection 2014, Belgium- Data Protection 2014(Global Legal Group) https://www.huntonprivacyblog.com/files/2011/04/DP14_Chapter_5_Belgium.pdf  

3. Alan Hope, Fines for privacy breaches up to €810,000 to be proposed, http://www.flanderstoday.eu/politics/fines-privacy-breaches-eu810000-be-proposed

4. Hunton & Williams: Wim Nauwelaerts & David Dumont, The International Comparative Legal Guide to: Data Protection 2015, Belgium- Data Protection 2015 (Global Legal Group) http://www.iclg.co.uk/practice-areas/data-protection/data-protection-2015/belgium 

5. Linklaters: Tanguy Van Overstraeten& Guillaume Couneson, EU - Data protection authorities fight to regulate Facebook , 15/06/2015 http://www.linklaters.com/Insights/Publication1403Newsletter/TMT-News-June-2015/Pages/EU-Data-protection-authorities-fight-regulate-Facebook.aspx

6. Thibaut D'hulst, Laura de Jong, New Secretary of State Presents Privacy Policy for Upcoming Year, https://www.lexgo.be/en/papers/ip-it-telecom/it-law/new-secretary-of-state-presents-privacy-policy-for-upcoming-year,105489.html

7. Stephanie Bodoni, Aoife White, Facebook Wins Belgian Court Case Over Storing Non-User Data, http://www.bloomberg.com/news/articles/2016-06-29/facebook-wins-belgian-court-appeal-over-storing-non-user-data 

8. Yves Van Couter, Stéphanie De Smedt, Data Protection Alert : Belgian Privacy Commission publishes annual report 2015, http://www.loyensloeff.com/en-us/news/publications/flashes/data-protection-alert-belgian-privacy-commission-publishes-annual-report-2015 



Data Privacy Recruitment Ltd. 

All rights reserved. All opinions expressed to be treated strictly as guidance and not as legal advice. 

September 2016
London, the United Kingdom