MORE ENFORCEMENT POWERS FOR BELGIAN PRIVACY COMMISSION

By Patrick Van Eecke and Julie De Bruyn (DLA Piper – Brussels)

The quiet in the Belgian privacy landscape is about to change drastically. The reason for the change of pace is the recent major data breaches reported in the media. The Privacy Commission announced it will establish a dedicated task force to carry out proactive audits focusing on different sectors, such as financial and insurance institutions, hospitals and other health providers, and telecom operators.

Draft Belgian legislation will grant the Privacy Commission the power to independently impose monetary fines and other sanctions, such as the blocking of access to certain databases by non-compliant companies, or the withdrawal of the permits to make use of such (public) databases. The expansion of powers would transform the Privacy Commission from passive bystander to an actual ‘Privacy Police’.

1. Context of enforcement

In Belgium, the Privacy Commission is tasked with supervising compliance with the Privacy Act of 8 December 1992 by companies and individuals processing personal data. Unlike in neighbouring countries such as France or the UK, however, where the data protection authorities (the CNIL and ICO respectively) do not hesitate to impose fines of EUR 200,000 and more for non-compliance with applicable privacy legislation, the Privacy Commission has few enforcement powers with which to perform its tasks effectively. Consequently, many breaches of the law have so far resulted only in warnings or friendly requests from the Privacy Commission to act in compliance.

2. Biting instead of barking

The quiet in the Belgian privacy landscape is about to change drastically. The reason for the change of pace is the recent major data breaches reported in the media. A bill dated 26 May 2011, which provides inter alia for giving the Belgian privacy watchdog ‘teeth’ and actual power to ‘bite’ in case of infringements, has been the subject of recent debates on the enforcement powers of the Privacy Commission. In October last year, there was a hearing in the House of Representatives (Justice Committee) where the bill was further discussed. The expansion of enforcement authority is also included in the proposal reforming the current European Data Protection Directive, which foresees the possibility of sanctions up to EUR 1 million or 2% of the yearly global company turnover. More recently, the president of the Privacy Commission publicly confirmed the planned modifications in an interview.

By way of preparation, the Privacy Commission has sent two of its employees to France to monitor their local colleagues and the level of enforcement, and plans to send more employees for similar training to the Netherlands, Germany and the United Kingdom. The intention of the Commission is to be much more actively involved in the field, instead of merely focusing on its legal tasks such as the publication of guidance.

3. Sectors of interest

In line with its intentions, the Privacy Commission has announced that in the future it will no longer passively await complaints from individuals affected by the processing of their personal data and then have to refer well-founded complaints to the public prosecutor. Instead, it will establish a dedicated task force to carry out proactive audits focusing on different sectors, such as financial and insurance institutions, hospitals and other health providers, and telecom operators.

Apart from these initially targeted sectors, the Commission’s intention is to target a new sector every year. Additionally, the Privacy Commission shared in a recent interview that a focus on customer loyalty cards will also be on its priority list. Possible breaches of the law include the processing of personal data for purposes other than those communicated to the individual concerned, selling personal data to third parties, data security breaches following lack of adequate security measures, and transfer of sensitive data (such as health data) to other countries without a legal basis being in place for such transfer.

4. Privacy Police

Upon enactment of the Belgian bill, the Privacy Commission will be granted the power to independently impose monetary fines and other sanctions, such as the blocking of access to certain databases by non-compliant companies, or the withdrawal of the permits to make use of such (public) databases. The expansion of powers would transform the Privacy Commission from passive bystander to an actual ‘Privacy Police’.

In view of these changes to come, more than ever it is recommended to take privacy seriously and ensure that you process personal data of your employees, customers, suppliers, website visitors or other persons in line with legal requirements.

For more information, please contact Patrick Van Eecke (Patrick.vaneecke@dlapiper.com) or Julie De Bruyn (julie.debruyn@dlapiper.com).