Belgian Privacy Commission becomes 'Belgian Data Protection Authority'
The General Data Protection Regulation (EU) 2016/679 creates a new privacy regime immediately applicable across the EU as from 25 May 2018. Under the GDPR, national supervisory authorities will have a strengthened role and increased enforcement powers.
Reform of the Belgian Privacy Commission
In order to meet GDPR requirements, the Belgian legislator has adopted a law reforming the current Belgian Privacy Commission. The law was submitted in the Chamber of Representatives on 23 August 2017 and was approved by the Parliament in plenary meeting on 16 November 2017.
The main purpose of the new law is to reform the existing Privacy Commission (“Commissie voor de Bescherming van de Persoonlijke Levenssfeer” – “Commission de la Protection de la Vie Privée”) to ensure that it can fulfil its tasks in accordance with the GDPR as from 25 May 2018. Unlike the current Privacy Commission, which has limited prosecutorial and no direct sanctioning powers, the new “Data Protection Authority” is to become a real investigative and sanctioning authority.
The name of the new authority will be “Gegevensbeschermingsautoriteit” in Dutch and “Autorité pour la protection des données” in French.
Composition of the reformed Authority
The law provides for a structural change of the composition of the current Belgian Privacy Commission. The existing sector committees (responsible for controlling the lawfulness of sector-specific data processing activities) will be replaced by six new bodies:
- An Executive Committee (“Directiecomité” – “Comité de Direction”) responsible for defining the general policy of the Authority, including the use of the annual budget;
- A General Secretariat (“Algemeen Secretariaat” – “Secrétariat général”) taking care of the daily operations of the Authority (e.g. providing advice on Data Protection Impact Assessments, creation of an accreditation system for certification bodies, adoption of standard contractual clauses, etc.);
- A Front-line Service (“Eerstelijnsdienst” – “Service de première ligne”): the intermediary player between data subjects and the inspection and litigation bodies. This body receives requests and complaints, starts mediation procedures, provides information and makes efforts to raise awareness;
- A Knowledge Center (“Kenniscentrum” – “Centre de Connaissance”) issuing advice and recommendations on GDPR compliance;
- An Inspection Body (“Inspectiedienst” – “Service d’inspection”): the investigating body of the Data Protection Authority having an extensive range of investigative powers; and
- A Dispute Chamber (“Geschillenkamer” – “Chambre contentieuse”): a legal and administrative body holding the prosecution and sanctioning powers. Appeals against the decisions of the Dispute Chamber will be dealt with by the Market Court (“Marktenhof” – “Cour des Marchés”) of the Brussels Court of Appeal.
These six bodies may be assisted by experts in the exercise of their tasks. The experts may come from different sectors (academic, private and public sector, civil society, etc.). Their advice will not be binding.
The Data Protection Authority will also regularly consult a Reflection Council, which reflects society in its entirety and which will provide non-binding advice to the Authority.
Powers of the reformed Authority
The powers of the Data Protection Authority may be summarised into four categories, in order of priority:
- Providing information and advice to individuals, controllers, processors and policy makers to enforce or comply with data protection legislation;
- Assisting controllers and processors to make maximum use of the prevention tools provided for in the GDPR, such as certification, adherence to codes of conduct, appointment of a Data Protection Officer (DPO), etc.;
- Monitoring of controllers and processors, and carrying out investigations, through the Inspection Body; and
- Imposing sanctions, ranging from a simple warning to administrative fines amounting up to 20 million EUR or 4% of the total worldwide annual turnover of the infringing undertaking, whichever is higher.
The Data Protection Authority shall collaborate with other players on a national and international level:
- The new law foresees that the Authority shall collaborate with all national private and public actors concerned with the protection of fundamental rights and freedoms of data subjects (e.g. the Belgian Competition Authority or the Financial Services and Markets Authority), with regard to the processing and free flow of personal data;
- In addition, the Data Protection Authority shall collaborate with data protection bodies/authorities from other member states.
How will this work in practice?
Any person, including natural and legal persons and associations or institutions, can file a complaint with the Data Protection Authority. The new law sets out the procedural rules for handling complaints and the decision-making process. In this respect, the Data Protection Authority is granted a range of enforcement powers. It can carry out investigations and issue a warning or a binding order (such as an order to stop certain infringing data processing activities, an order to delete certain data, an order to make a public announcement, an order to comply with data subjects’ requests, an order to suspend cross-border transfers, etc.) and can impose administrative fines. The Authority also retains the possibility to bring cases before the Belgian courts.
The Draft Act of the Chamber of Representatives of 23 August 2017: in Dutch and French.
Amendments to the Draft Act of the Chamber of Representatives of 11 October 2017: in Dutch and French.
Stéphanie De Smedt, Senior associate, Attorney at Law
Stéphanie De Smedt is senior associate within the Litigation & Risk Management Practice Group of our Brussels office.
She is head of the IP/IT & Data Protection Team in Belgium and is team leader of the firm-wide Healthcare and Life Sciences Team.