Background to the Bill
As all businesses will no doubt be aware, the General Data Protection Regulation 2016/679 (the GDPR) will create a single set of rules immediately applicable across all EU Member States from 25 May 2018. However, the GDPR leaves to the Member States some margin of discretion and allows them to introduce derogations. By way of example:
- In the context of processing personal data of minor data subjects, based on their consent, Member States are free to lower the age at which such processing is lawful from 16 years old to 13 years old;
- Member States may keep or introduce conditions, including restrictions, in addition to those provided under Article 9 of the GDPR for the processing of sensitive data, more precisely genetic, biometric and health data.
Unlike other Member States that already have a data protection supervisory authority, with real investigative and judiciary powers, the current Belgian Privacy Commission (BPC) has limited recommendation and advising powers, and no prosecutorial power. In Belgium, the focus will be, for example, on reforming the BPC. This reform implies that the existing Privacy Act of 8 December 1992 will, at least in part, have to be repealed.
Against that background, the Belgian legislator has passed a new Bill establishing the Data Protection Authority (DPA) on 23 August 2017 (available in French and Dutch). The DPA will replace the existing BPC. Yet, the Bill repeals only part of the Privacy Act; the remainder will be repealed by another Bill (to what extent remains unknown), which will also implement Directive 2016/680 on “criminal purposes” into Belgian law.
What is new?
The brand new DPA will be entrusted with the task of ensuring compliance with the GDPR. In order to ensure the authority’s success:
A. the composition of the existing BPC will be modified: the existing sector committees (responsible for controlling the lawfulness of sector-specific data processing activities) will give way to six new bodies:
- Executive Committee (Comité de Direction – Directiecomité) responsible for the annual budget and for the control of technological and commercial developments relating to data protection;
- Central Secretariat (Secrétariat général – Algemeen Secretariaat) responsible for the daily operations of the DPA (e.g. processing requiring a Data Protection Impact Assessment, codes of conduct, standard contractual clauses);
- First Line Service (Service de première ligne – Eerstelijnsdienst): the intermediary player between data subjects and the investigation and litigation bodies;
- Knowledge Centre (Centre de connaissance – Kenniscentrum) responsible for providing advice and recommendations regarding any data processing-related questions;
- Inspection Service (Service d’inspection – Inspectiedienst): the investigating authority, which is a totally new function for the Belgian DPA;
- Litigation Chamber (Chambre contentieuse – Geschillenkamer): the legal body, which is also a totally new function for the Belgian DPA. As provided under the litigation scenario scheme set out below, the power of the Litigation Chamber is far broader than that of the BPC and closer to that of the Belgian courts. The Litigation Chamber is independent from the judicial system, but its proceedings may at some point lead to an action before the courts and tribunals, either on the initiative of the data subject seeking a remedy for an infringement or on the initiative of the DPA. Furthermore, the decisions of the DPA could be appealed before a specific chamber of the Court of Appeal of Brussels.
B. the DPA will have to collaborate with other local players on a national and international level:
- According to the new Bill, the DPA will have to collaborate with all national, private and public actors concerned with policies for the protection of the fundamental rights and freedoms of data subjects, with regard to the processing and free flow of personal data.
- The DPA will also need to collaborate with data protection bodies/authorities from other Member States. This means: (i) the creation of expertise units; (ii) exchange of information; (iii) mutual assistance for control measures; and (iv) sharing of human and financial resources.
C. the DPA is vested with investigative and control powers, including the power to bring any GDPR breach before the judicial authorities and, where applicable, go to court to establish whether the GDPR’s provisions apply.
Ok, but how will it work in practice?
These enhanced powers of the DPA can be summarized through the following two scenarios:
(1) If a natural or legal person introduces a mediation request and this mediation does not result in the conclusion of an agreement, the First Line Service will refer the case to the Litigation Chamber, provided the plaintiff consents and there is a serious indication of a practice likely to give rise to an infringement of the fundamental principles of data protection.
(2) The Investigation Service’s powers are very broad and invest the DPA with powers similar to those delegated to judicial bodies, including the power to:
- hear witnesses;
- conduct a written inquiry;
- conduct field examinations;
- review and take a copy of computer systems and the data they contain;
- seize or seal goods or computer systems; or
- take interim measures, such as freezing/suspending of data processing activities.
Data protection impact assessment scenario
Another scenario where the DPA will be competent is in helping the data controller and/or processor to conduct a Data Protection Impact Assessment (DPIA). A DPIA has to be carried out by a data controller/processor when the data processing is likely to create a high risk for the rights and freedoms of the data subjects (e.g. the data subject’s privacy). This risk is not systematic with every data processing activity but may result from an innovation in the data processing, for example, the use of a new technology, profiling, etc.
The purpose of a DPIA is to assess the risks associated with the data processing and to determine the measures that must be taken to mitigate these risks (organizational and security measures, policies, etc.). The DPA will help in assessing such risks as follows:
What’s to be expected?
This new Bill still has to be debated in the House (la Chambre – de Kamer).
The GDPR goes hand in hand with the national data protection reform. The future of the Belgian data protection landscape seems to offer more protection and courses of action for the Belgian citizen and greater risks of legal prosecution for organisations processing personal data.
It remains uncertain whether the DPA will conduct unannounced dawn raids at organisations’ headquarters. The GDPR is drafted on the basis of cooperation between the data controller, the data protection officer and the supervisory authorities. The DPA’s effectiveness in using its new powers will also depend on the budget allocated to it – which has not yet been fixed. However, we believe that the risk of dawn raids cannot be excluded. In any event, data controllers and processors should prepare themselves to be GDPR-compliant as from 25 May 2018.