Privacy & Information Security Law Blog

On May 26, 2017, the Belgian Privacy Commission (the “Belgian DPA”) published its Annual Activity Report for 2016 (the “Annual Report”) highlighting its main accomplishments from the past year.

In 2016, the Belgian DPA focused on the following topics:

• EU General Data Protection Regulation (“GDPR”). The GDPR was enacted in May 2016 and will come into force in May 2018. The Belgian DPA initiated a number of projects to help companies and public organizations prepare for the GDPR. Such projects include, inter alia, the publication of a 13-Step Plan, a thematic dossier and FAQs on its website, as well as guidelines and recommendations that contribute to the interpretation of the GDPR.

On May 25, 2017, the Belgian DPA issued a press release addressing companies’ concerns regarding the enforcement of the GDPR. In the press release, the Belgian DPA confirmed that its priority is to raise awareness on the GDPR and conclude clear agreements with the industry. It also stated that it will favor mediation regarding potential infringements of the GDPR, and that fines will be imposed only as a last resort where a data controller does not answer the Belgian DPA’s questions and concerns or formally refuses to comply with the GDPR.

• Cloud computing. The Belgian DPA issued an Opinion that addresses obligations related to cloud computing and provides guidelines to companies and public organizations regarding the use of cloud computing.
• Social fraud. The Belgian DPA published an Opinion on a draft bill for the systematic transmission of personal data related to citizens’ use of energy to the Federal Social Security Institutions. This bill is part of the Belgian government’s initiative to fight social fraud by using data mining and data crossing.
• Anti-terrorism. The Belgian DPA issued an Opinion on (1) the creation of a common database for “foreign terrorist fighters,” (2) the anonymity of prepaid card users and (3) existing draft bills aimed at preventing the financing of terrorism.
• Facebook case. On June 29, 2016, the Court of Appeal annulled a November 2015 judgment that had convicted Facebook in summary proceedings for the illegal collection of non-users’ personal data. The Court of Appeal ruled that the Belgian DPA had no jurisdiction over Facebook Ireland and Facebook Inc.

The Annual Report also stated that the Belgian DPA processed 4,491 requests or complaints (an increase of 299 compared to 2015), including requests for information, mediation and control. Most requests for information were related to the use of CCTV, data subjects’ rights, the right to one’s image, data processing registrations and contractual clauses.