On September 5, 2018, the new Belgian Data Protection Act implementing the GDPR (the Belgian Act) was published and entered into force. Despite the GDPR being an EU regulation that directly applies to all EU Member States, several provisions of the GDPR explicitly allow, and even require, Member States to enact legislation which implements the law. Member States were expected to have this legislation in place by May 25, 2018, but the majority of Member States (including Belgium) did not meet the deadline. Since December 2017, however, Belgium has had in place a law implementing many of the more procedural provisions of the GDPR, namely the Act on the Establishment of the Supervisory Authority (the SA Act). The SA Act lays down the structure, powers and competence of the new Belgian Supervisory Authority, and also includes rules of procedure applicable to administrative proceedings before the Authority.
The new Belgian Act, on the other hand, focuses on the implementation of the remaining (more substantive) provisions of the GDPR, such as children’s consent, criminal data processing, and the processing of data for archiving, scientific research or statistical purposes. Belgium also chose to implement the GDPR’s provision allowing Member States to foresee additional penalties applicable to GDPR infringements, and the Belgian Act expressly provides for criminal sanctions. Below are some highlights of the Belgian Act.
- Material Scope of Application
The Belgian Act goes further than mere implementation of the GDPR, to cover data processing explicitly excluded from the scope of the GDPR. Namely, the Belgian Act covers data processing for purposes of law enforcement (transposing the EU Law Enforcement Directive), as well as data processing by intelligence agencies (which is outside the scope of EU law and therefore not subject to the GDPR). Other Member States, such as the UK, have also taken a similar comprehensive approach.
- Children’s Consent
The Belgian Act lowers the age at which a minor can lawfully consent to his or her personal data being processed in the context of information society services, to 13 years (which is the lowest age permitted by the GDPR, and is also aligned with the critical age for the U.S. Children’s Online Privacy Protection Act). If the child is younger than 13 years of age, parental or guardian’s consent must be obtained. The majority of Member States have chosen to implement the GDPR’s 13 years of age minimum, which hopefully will minimize technical implementation challenges for age verification mechanisms.
- Genetic, Biometric and Health-Related Data Processing
Additional organizational and security measures must be put in place by data controllers and/or processors that process genetic, biometric or health-related data. On the basis of the Belgian Act, they must designate specific personnel authorized to access such data, and identify their capacity in relation to the data processing. A list with this information should be compiled and kept at the disposal of the competent Supervisory Authority. In addition, they must ensure that these individuals are bound by confidentiality with regard to this data on the basis of either statutory or contractual requirements.
- Criminal Data Processing
Compared to the GDPR, the Belgian Act significantly broadens the scope for data processing related to criminal offences and convictions. It allows criminal data processing (1) by natural and legal persons where necessary to manage their own disputes; (2) by attorneys and other legal counsel in light of their client’s defense; (3) in cases where the data subject has explicitly consented or initiated publication of his/her data; and (4) where necessary for important reasons of public interest laid down by law or for scientific, historical or statistical purposes. In particular, scenarios (1) and (3) open up the possibility of criminal data processing which, under the GDPR, is otherwise only allowed “under the control of official authority.”
- Processing for Archiving, Scientific or Historical Research and Statistical Purposes
The Belgian Act expressly establishes that processing for archiving, scientific research and statistical purposes must be anonymized or pseudonymized directly after collection, and that reidentification can only take place where necessary to achieve these purposes, and subject to the advice of the Data Protection Officer. When several data controllers are involved in the process, which can typically be the case (e.g., in a clinical trial context), the first data controller (collecting the data) must perform pseudonymization prior to the data transfer and deny any subsequent controllers access to the pseudonymization key to prevent them from reversing this process. In addition, when sensitive and criminal data are the subject of the transfer, the initial data controller must put measures in place to prevent reproduction of the data by the recipient (a requirement that can, however, be lifted with the data subject’s consent or when it can be demonstrated that the data subject made the data publicly available).
- Criminal Sanctions
In addition to administrative fines and other enforcement measures outlined in the GDPR, the Belgian Act allows for criminal sanctions. These primarily include criminal fines, although the Act does provide for imprisonment of up to six months when the criminal fine is not paid in time. Such criminal fines can only be imposed by court order (i.e., not by the Supervisory Authority itself), and are significantly lower than the highest administrative fines prescribed by the GDPR (20,000,000 versus 240,000 EUR). For this reason, it is likely that administrative fines will remain the preferred sanction mechanism for the Belgian Supervisory Authority. Notably, once an organization has been served with an administrative fine, an additional criminal fine (or other criminal sanction) can no longer be imposed.
* * *
Member State implementing legislation such as the Belgian Act illustrates how jurisdiction-specific differences can create significant hurdles for organizations seeking to develop a pan-European compliance strategy, and potentially impair the objectives of a harmonized data protection framework. Nonetheless, the new Belgian Act was the long-awaited missing puzzle piece for companies to establish their legal obligations under the Belgian framework for privacy and data protection. With this new legislation, which must be read in conjunction with the GDPR, companies active in the Belgian market can more confidently determine their compliance strategy with both the GDPR and Belgian law. At the same time, however, the chance of enforcement action has also increased, as the Belgian Supervisory Authority now has the necessary legal framework to exercise its new powers.