In Belgium, the provisions on privacy and data protection are spread over various laws. The general basis of the legal provisions can be found in the Constitution, Articles 22 and 29 of which acknowledge the right to respect for private life, family life and correspondence as fundamental human rights. These provisions are very similar to international regulations in this respect, in particular the European Convention for the Protection of Human Rights and Fundamental Freedoms of 4 November 1950 and the Charter of Fundamental Rights of the European Union.
Since 25 May 2018, the principal data protection legislation in Belgium, as in other Member States of the European Union, has been Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation – GDPR).
Two Acts implementing the GDPR have been adopted in Belgium.
First of all, the Belgian legislator adopted the law of 3 December 2017 on the establishment of the Belgian Data Protection Authority, which has implemented the requirements of the GDPR with respect to national supervisory authorities and reformed the Belgian Commission for the Protection of Privacy (the DPA Act). As of 25 May 2018, the Belgian Commission for the Protection of Privacy carries the name “Data Protection Authority” and has the powers and competences which the GDPR requires national supervisory authorities to possess.
A second Act, the law of 30 July 2018 on the protection of individuals with respect to the processing of personal data (the GDPR Implementation Act), addresses the national substantive aspects of the GDPR and introduces several specifications and derogations, such as determining the age of consent for children in an online context and imposing additional security measures in relation to sensitive data. At the same time, it abolishes and replaces the 1992 Data Protection Act and the 2001 Royal Decree that implemented it.
These data protection laws are supplemented by (sector-)specific legislation such as the law of 13 June 2005 on electronic communications (the Electronic Communications Act) that implements the requirements of Directive 2002/58/EC (as amended by Directive 2009/136/EC) (the ePrivacy Directive), which provides a specific set of privacy rules to harmonise the processing of personal data by the telecoms sector. In addition, the Belgian Code of Economic Law deals with certain legal aspects of information society services as well as market practices and consumer protection, and provides a specific set of rules regarding the use of personal data for direct marketing purposes via electronic post (which includes email, SMS and MMS) and via telephone, fax and automatic calling machines without human intervention.
Furthermore, as regards public administrations, the Law of 3 August 2012 contains provisions relating to the processing of personal data carried out by the Federal Public Service Finance in the performance of its mission, and the Flemish Decree of 18 July 2008 provides a specific set of rules concerning the exchange of administrative data by public authorities within the Flemish region.
There is also an act that regulates the installation and use of surveillance cameras: the Camera Act of 21 March 2007. As regards employee monitoring, Collective Bargaining Agreement No 68 on the use of cameras in the workplace and Collective Bargaining Agreement No 81 on the monitoring of electronic communications in the workplace are relevant.
The former Commission for the Protection of Privacy has been known as the Data Protection Authority since 25 May 2018, and has the powers and competences that the GDPR requires national supervisory authorities to possess. Together with the change of name, the powers of the Data Protection Authority have also been greatly expanded. The Data Protection Authority is responsible for monitoring compliance with the fundamental principles of the protection of personal data within the framework of the GDPR and the laws containing provisions on the protection of the processing of personal data.
The Data Protection Authority has six bodies, which play a specific role in the evaluation of a data protection matter:
Investigations that are carried out by the Inspection Service of the Data Protection Authority can be initiated on the Data Protection Authority’s own initiative, or following a complaint or request. The Inspection Service has extensive powers when conducting an investigation – for example, it can conduct interrogations and site searches, identify persons present at the sites being checked or users of communication services, or even consult and copy computer systems and the data they contain, as well as carry out seizures.
At the level of the Flemish Region, the Flemish Supervisory Commission has been established and is responsible for monitoring compliance with the GDPR by the Flemish public authorities. No regulator has yet been created in the Walloon or Brussels Capital Region.
The Belgian Institute for Postal Services and Telecommunications has the authority to monitor compliance with the Electronic Communications Act, and can co-operate with the Data Protection Authority to perform investigations.
Finally, the Federal Public Service Economy has the authority to control, inspect and sanction any infringement of the provisions of the Belgian Code of Economic Law, including those relating to direct marketing, for example.
The Data Protection Authority can launch an investigation for various reasons, the most obvious being in response to a complaint or request, which can come from anyone and does not necessarily have to come from an interested party or data subject. A complaint will first be checked for its admissibility by the First Line Service before being forwarded to the Litigation Chamber or the Inspection Service. The procedure is conducted in writing.
In addition to the admissibility check, the First Line Service may proceed to mediation.
A complaint is admissible if it is drawn up in one of the national languages (Dutch, French or German), if it contains a statement of the facts and the necessary indications for identifying the processing to which it relates, and if it falls within the competences of the Data Protection Authority. A request is admissible if it is drawn up in one of the national languages and if it falls under the powers of the Data Protection Authority.
The decision of the First Line Service on the admissibility of the complaint or request must be notified to the person making the complaint or request. Where the decision on inadmissibility is taken, the First Line Service must also communicate the reasons for its inadmissibility.
In addition to ruling on complaints and requests, the Data Protection Authority may be prompted in other ways to open a file and conduct an investigation. In such cases, the file is immediately forwarded to the Inspection Service, which may also launch an investigation on its own initiative or at the request of the Executive Committee if it has serious indications of a possible breach of the fundamental principles of personal data protection, within the framework of co-operation with the data protection authority of another State, or where the Data Protection Authority is seized by a judicial authority or an administrative supervisor.
The Inspection Service can also be appointed by the Litigation Chamber, which has the ability to carry out a comprehensive examination of an organisation's practices before taking a decision (although it is not obliged to do so).
If the organisation disagrees with certain decisions of the Inspection Service, it may lodge an appeal with the Litigation Chamber. This is only possible for fairly far-reaching measures, such as interim measures, seizure and sealing.
As set out in the GDPR, the Data Protection Authority has far-reaching powers to impose sanctions. However, administrative fines cannot be imposed upon public authorities. The Belgian Constitutional Court recently rejected an appeal that argued that the exemption for public authorities would be discriminatory. The Constitutional Court held that the difference of treatment between public and private entities is justified and non-discriminatory.
The procedure before the Litigation Chamber has undergone step-by-step fine-tuning through several decisions of the Litigation Chamber in 2020. As an administrative disputes body, the Litigation Chamber is not subject to the general procedural rules described in either the Judicial Code or the administrative legislation. Because of the unique position of the Litigation Chamber, at the end of 2020 and the beginning of 2021 it issued three guidelines relating to:
If one of the parties concerned does not agree with the decision of the Litigation Chamber, an appeal can be lodged. This appeal must be submitted to the Market Court, which is a separate chamber within the Brussels Court of Appeal and has exclusive competence for complex litigation against regulators such as the Data Protection Authority.
As a civil law country, Belgium has legal codes that specify all matters capable of being brought before a court, the applicable procedure, and the appropriate sanction for each offence. These codifications are the primary source of law. Belgium applies a strict hierarchy of norms, which means that there is a hierarchy between the various regulatory texts, recognising international and European norms as the most important source of law.
On 1 January 2021, the United Kingdom officially left the European Union. On 24 December 2020, the European Union and the United Kingdom reached agreement on a Free Trade and Cooperation Agreement, which has an impact on data protection. In this Free Trade and Cooperation Agreement, a bridging period of up to six months is provided, which means that the United Kingdom will not immediately qualify as a third country, with all the consequences that this entails. It is expected that the European Commission will take a so-called “adequacy decision” in the meantime. If an adequacy decision is not adopted within that timeframe, transfers of personal data to the UK will be prohibited, unless appropriate additional measures are taken to ensure the protection of personal data.
In Belgium, several NGOs are actively dealing with privacy-related issues. For example, there are human rights organisations such as the Liga voor Mensenrechten, which is actively involved in protecting privacy, and consumer organisations such as Test-Achats, which organises privacy awareness campaigns aimed at consumers.
Moreover, the Federation of Enterprises of Belgium (FEB/VBO) is active in the protection of personal data, and is now entitled to initiate class actions/collective redress under Belgian law.
Following the ministerial decree of 30 September 2020, NOYB – European Center for Digital Rights (founded notably by Maximilian Schrems) is also entitled to act as a representative of the consumer group in a collective redress action in Belgium.
Various self-regulatory organisations are also taking measures in view of protecting privacy. For example, various professional groups educate their members on privacy and have adopted rules in deontological codes, such as the Council for Journalism and the Medical Association.
The GDPR permitted Member States to regulate some particular elements independently. It is in this context that the Belgian legislator decided to regulate several matters in its GDPR Implementation Act, as follows:
In addition, the Belgian legislator has laid down the administrative proceedings before the Data Protection Authority in the DPA Act. This can therefore differ considerably from the proceedings in other countries.
So far, an insufficient number of decisions have been rendered in order to determine whether the Data Protection Authority has enforced the GDPR and the GDPR Implementation Act more or less strictly than other Supervisory Authorities. That being said, the Data Protection Authority is rather active and the Litigation Chamber regularly imposes sanctions, including administrative fines.
In recent months, part of the focus of the Supervisory Authorities has been on the COVID-19 health crisis. The EU Commission, the European Data Protection Board (EDPB) and some Data Protection Authorities, including the Belgian Data Protection Authority, have published guidance regarding the legal framework of tracing apps as one of the tools in a broader set of measures for fighting the virus. The general obligations of controllers under the GDPR, such as transparency and integrity, will have to be complied with. Public health authorities and employers must always have a legal ground for the processing of personal data.
In an employment context, the processing of personal data may be necessary for compliance with a legal obligation to which the employer is subject, such as obligations relating to health and safety in the workplace, or to the public interest, such as the control of diseases and other threats to health. The employer may ask employees to undergo a medical examination (eg, temperature check), but not on a general or systematic basis and only when required by health and safety (eg, for employees returning from risk areas).
The impact of the Court of Justice of the European Union (CJEU) on the data protection landscape in the past year cannot be overstated. In a game-changing decision in Data Protection Commissioner v. Facebook Ireland Limited, Max Schrems (C-311/18, the Schrems II Case), the CJEU declared the Commission Implementing Decision 2016/1250 (the Privacy Shield Decision) invalid as it fails to protect people’s rights to privacy, data protection and access to remedy. On the other hand, the CJEU declared that examination of Decision 2010/87 on Standard Contractual Clauses (SCCs Decision) in light of the Charter of Fundamental Rights (the Charter) had disclosed nothing to affect the validity of that decision, but nevertheless questioned the SCCs' validity for transfers to the US and other third countries. Therefore, organisations needed to re-evaluate their data transfers to third countries if based on SCCs. Whether the SCCs are still a sufficient safeguard for transfers to certain third countries will require further examination. For instance, in the US, it is hard to see how the concerns raised by the CJEU regarding the Privacy Shield would not apply when the SCCs are at issue.
On a national level, as the GDPR became a real buzzword, many data subjects found their way to the Belgian supervisory authority, the Data Protection Authority. In the last year, the Data Protection Authority’s Inspection Service showed its teeth by starting a number of investigations (either following complaints filed or on its own initiative). The Data Protection Authority’s Litigation Chamber (which is an administrative court dealing with data protection matters and imposing the administrative sanctions foreseen in the GDPR), meanwhile, pronounced a large number of decisions. The sanctions imposed are diverse, as are the subject matters involved. Nevertheless, the Litigation Chamber was somewhat tempered in its enthusiasm by the Brussels Market Court, which decides on appeals against the Litigation Chamber’s decisions.
On 28 January 2020, the Data Protection Authority released its 2020-2025 Strategic Plan, in which it sets out its vision for the coming years, defines its priorities and strategic objectives, and lists the necessary means to achieve its objectives. The Data Protection Authority intends to raise awareness among data subjects and data controllers, and to enforce the rules effectively. In the following years, the Data Protection Authority will focus on five sectors, including telecommunications and media, government, direct marketing, education, and small and medium-sized enterprises.
In the 2020-2025 Strategic Plan, the Belgian Data Protection Authority indicated that it will focus its actions on the following aspects of the GDPR:
The Data Protection Authority also has a number of social issues high on its agenda, such as photos and cameras, online data protection and sensitive data.
Each year, the Data Protection Authority publishes a management plan in which it converts the strategic goals of the 2020-2025 Strategic Plan into concrete objectives for the coming year. The Management Plan 2021 contains objectives for each body of the Data Protection Authority. For the General Secretariat, the objectives are to optimise the existing tools for GDPR compliance, but also to familiarise itself with new tools and respond to developments. Moreover, the General Secretariat has a supporting function, both for the functioning of the Data Protection Authority and for the citizens (in particular SMEs). This supporting function is also reflected in the objectives of the First Line Service, which during 2021 will focus on raising awareness and knowledge, but also on optimising procedures, communication and co-operation. The Knowledge Centre intends to draw up advice and recommendations in the context of new legislation and developments. The Inspection Service’s plans consist of the drafting of a charter and preparing for the planned four-yearly audit. Finally, in 2021, the Litigation Chamber will focus on ensuring effective legal protection and further developing its methodology. European co-operation is also high on the agenda of the various bodies that together form the Belgian Data Protection Authority.
The Belgian legislator has further detailed the GDPR in two Acts: the GDPR Implementation Act and the DPA Act.
These two Acts are more far-reaching than the GDPR in several areas, and fill some gaps left by the GDPR with Belgian law. While the DPA Act establishes the Belgian Data Protection Authority and lays down the procedural framework before the reformed authority, the GDPR Implementation Act is substantive law. This analysis will concentrate on the matters in which Belgium differs from the GDPR.
The GDPR Implementation Act broadens the scope for the appointment of a DPO if the processing of data involves a high risk, mainly for companies that process personal data either (i) obtained from or on behalf of federal public authorities, or (ii) for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes. The former Commission for the Protection of Privacy issued guidelines on DPOs and, more particularly, on incompatibilities with other functions in April 2017. The Data Protection Authority has recently published a DPO box in order to assist DPOs in performing their tasks correctly.
As regards processing for archiving, scientific research and statistical purposes, the GDPR Implementation Act provides further obligations and a derogation from data subjects’ rights. It provides for the possibility of further processing for scientific or historical research or statistical purposes, meaning for a purpose other than that for which the data was initially collected. Furthermore, the GDPR Implementation Act requires personal data to be anonymised or pseudonymised immediately after collection.
The GDPR Implementation Act restricts the rights of data subjects in certain areas. It is foreseen that intelligence agencies, the Coordination Unit for Threat Analysis and other specialised police forces can process personal data without being subject to transparency obligations towards data subjects. In addition, there are exemptions from several obligations when processing is done for journalistic purposes or for the purposes of academic, artistic or literary expression, such as the prohibition on processing sensitive and judicial data, the duty to inform the data subject and the requirement to give access to the data at the data subject’s request.
Along with the vast majority of EU Member States, Belgium reduced the age of consent for information society services to 13 years instead of 16 years.
Belgian law also provides for broad protection of the National Register number. This type of data cannot be accessed or used, unless there is a legal obligation to do so or unless specific authorisation is obtained from the relevant administration. Following Regulation 2019/1157/EU, which will enter into force on 2 August 2021, Member States will be obliged to include two fingerprints in interoperable digital formats in national ID cards. Prior to this Regulation, however, Belgium had already adopted a similar obligation through Article 27 of the Law of 25 November 2018 on various provisions relating to the National Register and population registers. The legality of this controversial provision was contested by many and was appealed before the Belgian Constitutional Court. However, after a balancing of interests, the Constitutional Court concluded that the inclusion of digital fingerprints on ID cards does not violate the fundamental right to respect for private life.
The Data Protection Authority does not require privacy impact analyses to be conducted in certain circumstances, but has published guidelines on the data protection impact assessment (DPIA) as well as the list of processing operations where a DPIA does or does not need to be carried out.
Other points, such as the application of “privacy by design” or “by default”, have not yet been the subject of further guidance by the Data Protection Authority, so the guidelines of the European Data Protection Board need to be taken into account.
The processing of special categories of personal data (such as union membership, sexual orientation, political or philosophical beliefs) is notably possible under the GDPR for reasons of substantial public interest. The GDPR Implementation Act lists the cases that are in any event covered by this term.
Such personal data may be processed by associations whose main statutory objective is the defence and promotion of fundamental human rights and freedoms, which carry out the processing for this purpose and have obtained an authorisation by Royal Decree. In addition, the foundation for missing and sexually exploited children, “Child Focus”, can always process such data. Finally, special personal data relating to sexual life can be processed by associations whose main statutory purpose is the evaluation, supervision and treatment of persons whose sexual behaviour can be qualified as a crime, and which have been recognised and subsidised for this purpose.
The GDPR Implementation Act introduces several additional requirements regarding the processing of genetic, biometric and health-related data, such as the obligation to list the types of individuals who have access to such data, and the obligation to ensure that these individuals are subject to legal, statutory or other similar confidentiality obligations. However, no specific legal grounds have been provided for. The Act of 8 October 2020 was enacted to address the processing of health sensor data; please refer to 5.1 Addressing Current Issues in Law.
The same obligations apply in relation to criminal offence data. In addition, the GDPR Implementation Act lists the persons that are allowed to process such data, given their specific capacity or for specific purposes. It also provides for legal grounds to process such data (eg, explicit written consent).
The Belgian legislator has provided for strict telecom secrecy in the Electronic Communications Act. Without having obtained the consent of all other persons directly or indirectly concerned, no one may disclose information, identification or data relating to electronic communications to a third party. This is also part of criminal law, with the secrecy of private communications and telecommunications being protected on the one hand by Article 314bis of the Criminal Code and, on the other hand, by Articles 90ter to 90decies of the Code of Criminal Proceedings. Only in exceptional circumstances can traffic data be retained for a maximum period of one year in the context of compliance with the obligations laid down by or pursuant to the law regarding co-operation with a number of specified authorities.
The Data Protection Authority has already expressed its views on cookies in a decision, and had also indicated that it would issue a recommendation on this subject in the first months of 2020 (this recommendation was eventually included in the guidelines on direct marketing of 17 January 2020). The EU Commission intends to pass a new ePrivacy Regulation to replace the respective national legislation in the EU Member States. The ePrivacy Regulation appears to be a long-term process; drafts have been in progress since 2017, and the last one was published on 5 January 2021.
There are no specific recommendations from the Data Protection Authority regarding the other categories of personal data. However, when reading the DPIA guidelines published by the former Commission for the Protection of Privacy, it is clear that certain personal data – such as financial data, children's data, location data, tracking and behavioural advertising – is considered more sensitive than other data, although, strictly speaking, it does not fall within the definition of sensitive/special categories of data.
Under the Belgian Code of Economic Law, direct marketing via electronic post (which includes email, SMS and MMS) is only authorised where the recipient specifically and freely consented to it (opt-in). Opt-out is only permitted in two specific cases:
It should be noted that, even when the recipient previously consented to the use of his/her electronic contact details for direct marketing purposes, he/she can at any time oppose the further use of those contact details for direct marketing purposes. The restrictions apply both to business-to-consumer marketing and in a business-to-business context.
For direct marketing by telephone, there is a national opt-out register (the so-called “Do not call me List”), which businesses carrying out direct marketing by telephone are required to check in advance.
Direct marketing by post does not require the prior consent of the addressee but can be carried out on an opt-out basis. A national opt-out register has been put in place for direct marketing (on a personalised basis) by post, but it is only mandatory for businesses that are members of the Belgian Direct Marketing Association. For non-personalised advertising by post, anyone can ask to be provided with “Stop-Pub” stickers to stick on their mailbox.
For marketing by fax or via automated calling machines without human intervention, the prior consent of the recipient is required (opt-in).
The Data Protection Authority published its new guidelines on direct marketing on 17 January 2020, using a broad definition of "(direct) marketing".
The protection of employees' privacy and personal data in Belgium is guaranteed in various ways. Besides the application of the general data protection rules, there are specific protection mechanisms in place that apply to employees. Several collective bargaining agreements (CBAs) have been concluded to provide specific privacy protection for employees. First of all, CBA No 68 of 16 June 1998 lays down the conditions and principles with regard to camera surveillance in the workplace. Secondly, CBA No 81 of 26 April 2002 sets out a specific regime concerning electronic monitoring of internet use and emails.
Under Belgian law, the employee’s privacy right is not absolute. The monitoring of employees, therefore, always requires a balance between the employees’ right to privacy embedded in Belgian legislation and the employer’s legitimate interests in protecting the business or complying with its own obligations. As part of the authority of the employer, there may be legitimate interests in monitoring employees insofar as the processing is relevant and proportionate.
The monitoring of electronic communications is only permitted under Belgian law for one of the exhaustively listed purposes of CBA No 81. Permanent monitoring cannot be justified in any case, as it is considered disproportionate. Monitoring is particularly permitted for the following purposes:
Camera surveillance in the workplace is only permitted to attain the objectives specifically stipulated in CBA No 68, and only if the employer has informed the employees of such surveillance. The objectives relate to health and safety, the protection of the company's goods, the monitoring of the production process or the monitoring of the employee's work. Only in the first three cases can the monitoring be continuous, provided that the monitoring of the production process relates to the monitoring of machinery.
Currently, no specific obligation or legislation exists on whistle-blowing hotlines in Belgium. However, a whistle-blowing hotline must comply with Belgian data protection rules, according to a recommendation of the Belgian Data Protection Authority of 29 November 2006.
In principle, class actions are not permitted under Belgian law as the Judicial Code requires personal interest in order for a claim to be admissible. The Code of Economic Law, however, allows for actions for collective redress/class actions, but such actions are rather rare. Please refer to 1.5 Major NGOs and Self-Regulatory Organisations regarding the entities entitled to introduce such actions.
Furthermore, the DPA Act provides that anyone can submit a written, dated and signed complaint or request to the Data Protection Authority, not just interested parties. However, the majority of cases are instigated by stakeholders.
The Litigation Chamber of the Data Protection Authority has the power to do the following:
The European Directive of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, repealing Council Framework Decision 2008/977/JHA (the Data Protection Law Enforcement Directive), was implemented by the GDPR Implementation Act.
The Belgian Code of Criminal Proceedings permits the accessing of personal data necessary for the prevention, investigation and prosecution of criminal offences and the execution of sanctions. During the investigation, the judicial authorities will collect data as evidence. The way data is collected is subject to strict rules under the Belgian Code of Criminal Proceedings.
When someone is convicted of a crime by the court, that conviction is entered in the criminal record. The criminal record thus provides an overview of every conviction a person has already received.
Police forces, however, do not have access to the criminal record. Police forces work together and exchange data, using the General National Database, in which data on persons, organisations, places, events, vehicles, objects and numbers is registered by police entities. The database is managed by both the federal and local police, for both their administrative and judicial police tasks.
Following several terrorist attacks in Europe, the Belgian legislator has modified criminal law in order to optimise the fight against terrorism. Since the so-called Terro I Act, telephone tapping has been possible for all terrorist offences from Book II, Title I ter of the Criminal Code. This means that the interception of private communications is possible not only for all current terrorist offences, but also for all future terrorist offences. A second law, the Terro II Act, provided for a new dynamic database to ensure efficient co-operation between the various police services and State Security, and to collect data on so-called Foreign Terrorist Fighters. This common database was created to aggregate personal data and other information held by different public services in their databases. The Data Protection Authority exercises indirect supervision. If a person believes that he/she is included in the database, he/she can contact the Data Protection Authority with the request to consult the data concerning him/her. The Data Protection Authority will carry out the necessary checks and verify whether the conditions for inclusion in the database have been complied with. If necessary, the Data Protection Authority will ask for the necessary changes to be made. The person concerned will then be informed that the verification has been carried out, without revealing its content.
At present, there is no specific legal basis in Belgian law for private companies to collect and/or directly transfer personal data from Belgium in response to a request from foreign governments.
The American CLOUD Act (Clarifying Overseas Use of Data Act) explicitly empowers US enforcement authorities to order providers of certain communication and cloud services to provide the data of their users, even if they are on servers located abroad. The CLOUD Act gives foreign governments the opportunity to conclude a bilateral agreement with the United States, the conditions of which should ensure robust protection of privacy, freedom of expression and other fundamental rights.
Under the CLOUD Act, access to personal data in Europe will constitute a violation of the GDPR. In Recital 115, the GDPR literally states that the legislation of third countries that make an extraterritorial application with direct regulation of data transfer is contrary to international law and constitutes an obstacle to the protection of individuals guaranteed in the GDPR. The GDPR does provide for possibilities of transfer to third countries, but these possibilities are applied very strictly. Under Article 48 of the GDPR, only mutual legal assistance treaties (so-called MLATs) or comparable international agreements provide a permissible basis for the extraterritorial transfer of personal data. Therefore, the CLOUD Act does not constitute a legal basis for transferring data to the United States, and is considered illegal.
In order to implement European Regulation 2019/1157, which came into force on 2 August 2019, Belgium will soon start the systematic registration of fingerprints on identity cards. The federal government put the procedure for this on paper at the end of 2019, in the long-awaited implementing decree to the Act of 25 November 2018, which contains the legal basis for the inclusion of fingerprints on the chip of the e-ID. The introduction of fingerprints on identity cards was opposed by many. The Data Protection Authority was critical of the measure and rejected the initial draft because of a disproportionate restriction of the right to privacy and protection of personal data.
The principle of free movement of personal data exists within the EU, with the consequence that no specific measures need to be taken with regard to cross-border data transfers.
Data transfers to other jurisdictions outside the European Economic Area (EEA) can only take place in the following circumstances:
On 25 May 2018, the EDPB set out in its Guidelines (2/2018) that a “layered approach” should be taken with respect to these transfer mechanisms. If no adequacy decision is applicable, the data exporter should first explore the possibility of implementing one of the safeguards provided for in the GDPR before relying on a derogation.
The GDPR Implementation Act does not provide for any specific requirements for international data transfers.
Under the GDPR, transfers are only allowed to countries that provide an adequate level of protection, or under one of the other provisions of Chapter 5 of the GDPR.
The European Commission has compiled a list of third countries that are deemed to offer an adequate level of protection, and it is permitted to transfer personal data to countries that fall under an adequacy decision. Currently, the following countries have been white-listed by the European Commission: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay (and possibly the UK in the near future).
Since the recent Schrems II Decision of the CJEU, the United States no longer benefits from the Privacy Shield mechanism.
In the case of transfers that are not subject to an adequacy decision, undertakings must ensure that there are appropriate safeguards on the data transfer, as prescribed by the GDPR.
SCCs are standard sets of contractual terms and conditions drafted by the EU Commission which can be used for international data transfers outside the EEA. These contractual obligations warrant compliance with the GDPR’s requirements, and extend the scope of these rules to territories that are not considered to offer adequate protection to the rights and freedoms of data subjects. SCCs are currently under revision – a new draft set was published in November 2020 by the EU Commission and submitted to the public for consultation. International data transfers may also take place on the basis of contracts agreed between the data exporter and data importer, provided that they conform to the protections outlined in the GDPR and have prior approval from the relevant Supervisory Authority.
Another option for international data transfers within a group of companies is the adoption of Binding Corporate Rules. All employees and entities within the group must comply with this internal code of conduct. Binding Corporate Rules will always need approval from the relevant Supervisory Authority. Most importantly, Binding Corporate Rules need to include a mechanism to ensure they are legally binding and enforced by every member in the group of undertakings. Among other things, Binding Corporate Rules require an explanation on the group structure of the businesses, the proposed data transfers and their purpose, the rights of data subjects, the mechanisms that will be implemented to ensure compliance with the GDPR and the relevant complaint procedures.
It is likely that international data transfers will require prior approval from the relevant Supervisory Authority, unless the undertaking has already established a GDPR-compliant mechanism for such transfers, as set out in 4.2 Mechanisms That Apply to International Data Transfers.
In any case, most of the safeguards outlined in the GDPR need initial approval from the relevant Supervisory Authority, such as the establishment of Binding Corporate Rules.
Under Belgian law, there have been no specific data localisation requirements since the entry into force of the GDPR and of EU Regulation 2018/1807 of 28 November 2018 on the free flow of non-personal data, which has been applicable since 28 May 2019 and aims to remove obstacles to the free movement of non-personal data across Member States and IT systems in Europe.
In Belgium, companies are not obliged to communicate their use of specific technical equipment or software, nor the source code, to the government or the Belgian Data Protection Authority.
Please refer to 3.3 Invoking Foreign Government Obligations.
The Regulation of 22 November 1996 protecting against the effects of the extra-territorial application of legislation adopted by a third country, and actions based thereon or resulting therefrom, known as the EU Blocking Regulation, which was amended in 2018, prohibits European businesses from complying with certain US extraterritorial sanctions and export controls targeting Iran and Cuba. The EU Blocking Regulation was implemented in Belgium by the Act of 2 May 2019, which imposes administrative fines of up to 10% of a company’s turnover for a breach of the EU Blocking Regulation.
When it comes to facial recognition, the GDPR and Directive 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, repealing Council Framework Decision 2008/977/JHA, should be taken into account.
Where the processing of personal data (in this case visual images) entails risks, a data protection impact assessment is necessary and, where the nature of the processing, “in particular when using new technologies”, entails a high risk for the rights and freedoms of data subjects, a prior consultation of the supervisory authority is necessary. In Belgium, in the case of police camera surveillance, one should also take into account the Law on the Police Force of 5 August 1992 and possibly the Camera Act of 21 March 2007. This tangle of laws means that there is no unanimity on this subject.
The further use of data from facial recognition cameras is, in principle, possible today when people are travelling in cars: the photo of the driver and passenger of the vehicle being scanned with Automatic Number Plate Recognition (ANPR) may be processed in the ANPR technical database. The Belgian legislator has not yet provided any clarification, and it is therefore not currently used in Belgium.
Drones are regulated in Belgium by the Royal Decree of 10 April 2016 on the use of remotely controlled aircrafts in the Belgian airspace. Since the Royal Decree, anyone wishing to fly a drone for private use is only allowed to do so above private property, at a maximum height of 10 m above the ground and in accordance with privacy and data protection laws, as drones can collect a wide range of information. For example, not only can a drone receive video images or photographs but, depending on the technology with which it is equipped, it can also eavesdrop on communication signals, detect faces, track and identify objects and people, record their movements or signal movements that are considered abnormal. Given this large number of possibilities, it is important that drones are used in accordance with data protection legislation.
The Belgian legislator acknowledged the importance of this, as it is included in the training for drone operators. In order to avoid various inconveniences, the European legislator has chosen to harmonise the rules. This will, for example, allow a licence in one Member State to apply in other Member States. In this regard, the Commission Delegated Regulation (EU) 2019/945 of 12 March 2019 on unmanned aircraft systems and on third-country operators of unmanned aircraft systems was published on 11 June 2019. This Regulation lays down the requirements for the design and manufacture of drones and the rules to be complied with by non-European operators when flying a drone in Europe.
The Commission Implementing Regulation (EU) 2019/947 of 24 May 2019 on the rules and procedures for the operation of unmanned aircraft lays down the rules and procedures for the operation of drones in Europe. The new rules will replace the existing national rules relating to drones from 1 July 2021. In other words, Member States will have two years to prepare for this transition. The Belgian legislator has not published any new legislation so far.
Internet of things (IoT), Automated Decision-Making, Profiling or Artificial Intelligence
On 8 October 2020, the Belgian legislator approved an Act prohibiting life and health insurers from processing health sensor data. The Belgian legislator intends to prevent insurers from providing discounts to the “healthy ones”, even if the insurers have their policy-holders’ consent. The law ensures that the policyholder cannot be refused insurance nor be subjected to higher charges simply because he/she does not purchase or use a connected device that processes his/her health data. Moreover, no difference may be made in terms of the underwriting, pricing and/or scope of coverage based on the condition that the applicant insured agrees to purchase or use a connected device that collects personal information about his/her lifestyle or health, agrees to share information collected by such a connected device, or based on the insurer’s use of such information.
Organisations in Belgium have not yet established any protocols for digital governance or fair data practice review boards or committees to address the risks of emerging or disruptive digital technologies.
Please refer to 1.7 Key Developments.
A due diligence investigation involves a large amount of data, including personal data. For example, employment contracts or contracts with suppliers will often contain personal data. These contracts are made available in a data room in order for a prospective buyer to gain better insight into the company.
The Belgian Data Protection Authority decided in 2016 that the processing of personal data is possible in the context of the acquisition of a company. It indicated that the legal basis for processing is the legitimate interest in making this information available to a prospective buyer. It must, of course, be ensured that the processing remains proportionate and that no unnecessary personal data is processed. In addition, efforts should be made to make the data anonymous where possible. Confidentiality clauses (NDAs) should be foreseen with regard to persons having access to the data room. It may also be recommended that the data rooms are protected by technical limitations such as not being able to download documents, thereby protecting personal data.
It goes without saying that, in the event of a due diligence investigation, the data subjects must be informed that their personal data will be processed. This possibility can be provided for contractually in advance.
As far as data rooms are concerned, recourse is often made to an external virtual data room, which will therefore act as processor. This requires the conclusion of a processing contract between the company and the service provider, and the processor will have to provide for security measures to prevent data breaches.
Belgium does not currently have any non-privacy/data protection-specific laws that mandate disclosure of an organisation’s cybersecurity risk profile or experience.
There are no further significant issues.
Priorities of the Belgian Data Protection Authority (2020–2025)
On 28 January 2020, the Data Protection Authority released its 2020–2025 Strategic Plan, in which it sets out its vision for the coming years, defines its priorities and strategic objectives, and lists the necessary means to achieve its objectives. The Data Protection Authority intends to raise awareness among data subjects and data controllers, and to enforce the rules effectively. In the next five years, the Belgian Data Protection Authority will focus on five sectors:
The main items on the radar of the Belgian Data Protection Authority are the role of the Data Protection Officer (DPO), the legitimacy of the processing of personal data, and data subject rights. Finally, the Data Protection Authority will also focus on a number of social themes, including the processing of images (still and live), online data protection and the processing of sensitive data.
The 2020–2025 Strategic Plan is converted into practice each year through a yearly management plan, in which the Belgian Data Protection Authority formulates concrete objectives for the coming year.
The Management Plan 2021 contains objectives for each body of the Belgian Data Protection Authority. For the General Secretariat, the objectives are to optimise the existing tools for GDPR compliance, but also to familiarise itself with new tools and respond to developments. Moreover, the General Secretariat has a supporting function, both for the functioning of the Data Protection Authority and for the citizens (in particular SMEs). This supporting function is also reflected in the objectives of the First Line Service, which during 2021 will focus on raising awareness and knowledge, but also on optimising procedures, communication and cooperation. The Knowledge Centre intends to draw up advice and recommendations in the context of new legislation and developments. The Inspection Service’s plans mainly consist of the drafting of a charter and preparing for the planned four-yearly audit. Finally, in 2021, the Litigation Chamber will focus on ensuring effective legal protection and further developing its methodology. European co-operation is also high on the agenda of the various bodies that together form the Belgian Data Protection Authority.
Procedural Rules of the DPA’s Litigation Chamber
Even though the basic framework for the proceedings was established by the law of 3 December 2017 on the establishment of the Belgian Data Protection Authority, the Belgian Data Protection Authority felt the need to further fine-tune and/or clarify those procedural rules at the end of 2020. As an administrative disputes body, the Litigation Chamber (which is an administrative court dealing with data protection matters and imposing the administrative sanctions foreseen in the GDPR) is not subject to the general procedural rules described in either the Code of Civil Proceedings or the administrative legislation. Because of the unique position of the Litigation Chamber, at the end of 2020 and the beginning of 2021 it issued three guidelines with respect to the following:
Recent Case Law of the DPA’s Litigation Chamber
The Data Protection Authority’s Litigation Chamber has already pronounced a substantial number of decisions. The sanctions imposed are diverse, as are the subject matters involved. The Belgian Data Protection Authority has most definitely shown its teeth in recent years, with the Litigation Chamber issuing multiple fines. The highest fine was imposed on Google (EUR600,000), while other fines vary between EUR1,000 and EUR50,000, depending on the severity of the infringements and the so-called "exemplary role" of the defendant.
The Litigation Chamber’s case law sheds light on how the Belgian Data Protection Authority interprets and applies the GDPR. Undertakings operating in Belgium can learn the following from the most notable decisions.
The Litigation Chamber’s enthusiasm for sanctioning non-compliant controllers and processors has been somewhat tempered by the Brussels Market Court, a separate chamber within the Brussels Court of Appeal, which has exclusive competence for complex litigation against regulators, and which has already reversed a number of decisions of the Litigation Chamber. Indeed, undertakings always have the possibility of having a decision against them reviewed by lodging an appeal before that court.
In recent months, part of the focus of the Supervisory Authorities has been on the COVID-19 health crisis. The EU Commission, the European Data Protection Board (EDPB) and some Data Protection Authorities, including the Belgian Data Protection Authority, have published guidance regarding the legal framework of tracing apps as one of the tools of a broader set of measures for fighting the virus. General obligations for controllers in the GDPR, such as transparency and integrity, will have to be complied with. Health public authorities and employers must always have a legal ground for the processing of personal data.
In an employment context, the processing of personal data may be necessary for compliance with a legal obligation to which the employer is subject, such as obligations relating to health and safety at the workplace, or relating to the public interest, such as the control of diseases and other threats to health. The employer may ask employees to undergo a medical examination (eg, temperature check), but not on a general or systematic basis and only when required for health and safety (eg, for employees returning from risk areas).
As regards vaccination, it should be noted that in Belgium vaccination is voluntary. Whether or not a person has been vaccinated constitutes health data within the meaning of the GDPR and is therefore granted additional protection. Requesting and registering this vaccination status is, in principle, prohibited, unless the controller can rely on one of the exceptions set out in Article 9 (2) GDPR, such as the explicit consent of the data subject or based on the law of a Member State. In any case, there is currently no such legislation in Belgium that allows – for the purpose of protecting against the further spread of COVID-19 – the vaccination status of a person to be requested and for such health data to consequently be processed. Currently, the only available legal ground is the data subject’s explicit consent, which must of course be freely given. It will therefore not be possible for an event organiser or airline company to refuse a service if no vaccination certificate is provided, nor may an employer ask employees to provide such vaccination certificate.
International Transfers of Personal Data
The impact of the Court of Justice of the European Union (CJEU) on the data protection landscape in the past year cannot be overstated. In a game-changing decision in Data Protection Commissioner v. Facebook Ireland Limited, Max Schrems (C-311/18, the Schrems II Case), the CJEU declared the Commission Implementing Decision 2016/1250 (the Privacy Shield Decision) invalid as it fails to protect people’s rights to privacy, data protection and access to remedy. On the other hand, the CJEU declared that examination of Decision 2010/87 on Standard Contractual Clauses (the SCCs Decision) in light of the Charter of Fundamental Rights (the Charter) had disclosed nothing to affect the validity of that decision, but nevertheless questioned the SCCs’ validity for transfers to the US and other third countries. Therefore, organisations needed to re-evaluate their data transfers to third countries if based on SCCs. Whether the SCCs (which are under revision) are still a sufficient safeguard for transfers to certain third countries will require further examination. For instance, in the case of the US, it is hard to see how the concerns raised by the CJEU regarding the Privacy Shield would not apply equally when the SCCs are at issue.
On 1 January 2021, the transition period that followed the United Kingdom’s exit from the European Union on 31 January 2020 came to an end. This had a major impact on data transfers between Member States and the United Kingdom. On 24 December 2020, the United Kingdom and the European Union agreed on the EU-UK Trade and Cooperation Agreement, which amongst other matters addresses the issue of transfers of personal data. The agreement is applicable as of 1 January 2021. It does not provide for a final solution on data transfers, but provides for a new transition period. The agreement indeed establishes the free flow of personal data between the European Union and the United Kingdom for a specified period, meaning until an adequacy decision is taken by the EU Commission in accordance with Article 36(3) of the Data Protection Law Enforcement Directive ((EU) 2016/680) and Article 45(3) of the GDPR, or a maximum period of six months.
If no adequacy decision is taken by 1 July 2021, the transfer of personal data between the United Kingdom and a Member State will be considered a transfer of data to a third country. Consequently, any controller that continues to transfer data to the United Kingdom after that date without being able to invoke one of the four alternative mechanisms of transfer would risk being prosecuted for violating the GDPR.
It is nevertheless expected that an adequacy decision will be taken within the transition period specified above.