Belgian Privacy Commission changes enforcement attitude as fining powers are announced
Belgium has long been one of the less active of the EU member states in terms of data protection enforcement. Aside from the fact that pragmatism can be considered part of a Belgian’s nature, this view was also due to the fact that the Belgian Data Protection Authority (DPA), the Privacy Commission, could justifiably be termed as a so-called "toothless tiger."
Currently, if a company is found to be in breach of the Belgian data protection laws, the Privacy Commission has a duty to inform the public prosecutor. However, in practice, criminal prosecution for data protection noncompliance is virtually nonexistent and leads to de facto impunity.
In 2013, anticipating the adoption of the new EU Data Protection Regulation, the Privacy Commission had called upon the Belgian government to grant it more robust enforcement powers. It seems that the message was well-received. When the new Belgian federal government was sworn in last October, it was the first one ever to have a state secretary for privacy, a member of the cabinet who is assigned and reports to one of the ministers.
The coalition agreement also contained specific chapters on the protection of privacy and on cybersecurity in which a reform of the Privacy Commission was announced. Although the agreement remained silent as to whether the Privacy Commission would be vested with fining powers, it indicated that appropriate sanctions must be applied in cases of infringement of data protection laws.
In a recent interview with Belgian newspaper De Morgen, State Secretary for Privacy Bart Tommelein confirmed that the Privacy Commission will be vested with fining powers, if possible by the end of this year. Tommelein did not yet want to comment on the extent of the fining power they are to be given, but Privacy Commission President Willem Debeuckelaere mooted fines between 250 and 20,000 euro, akin to those that can be imposed by Belgian energy and telecom regulators.
This announcement is the latest in a series of recent events that demonstrate that Belgium is strengthening its stance with regard to data protection enforcement.
An initial but significant step was taken in 2011, when Google agreed to pay 150,000 euros as part of a criminal settlement with the public prosecutor following an investigation of the Privacy Commission into Google Street View. The settlement was an enforcement milestone in terms of the amount and also showed that the Belgian authorities were not afraid to take on a global behemoth.
In recent months, in addition to investigating purely Belgian cases, which mostly remain unreported, investigations were also started against tech companies including Snapchat and Uber. The Facebook case is, however, the best example to date of this changed attitude toward enforcement. Instead of following the example of other DPAs in Europe—like it did in the Street View case—the Privacy Commission is now leading the investigation into Facebook's tracking and data processing activities together with Dutch and German regulators.
It can be expected that the Privacy Commission will become even more assertive and self-conscious once it can impose fines or order administrative sanctions itself. In this context it is also noteworthy that, in 2014, the Privacy Commission started preparing to perform audits. A specific team of inspectors was established and will actively search for companies that process personal data in a noncompliant manner.
It is obviously true that the amounts of the fines that were quoted by the president of the Privacy Commission are unlikely to be of grave concern to most companies processing personal data. They are significantly lower than the maximum criminal fine of 600,000 euro that companies currently face in the unlikely event of prosecution, and they are nowhere near the size of potential fines that are envisaged in the context of the regulation.
The Privacy Commission, like many of its European counterparts, has insufficient resources. The state secretary for privacy will definitely lobby to increase those resources. However, the federal government is still very much in an austerity mode, and most departments are seeing their budgets cut rather than increased. The Privacy Commission may therefore struggle to play the role it would like to play and difficult choices will have to be made regarding how it uses its resources.
Nonetheless, the ability of the Privacy Commission to impose fines, together with the risk for companies of being audited, will most likely create a major shift in the way companies approach data protection compliance in Belgium.
Looking at the bigger picture, if even a pragmatic DPA, such as the Privacy Commission, starts adopting a more stringent enforcement strategy, it is clear that the days of data protection complacency are fading. Organisations processing personal data really cannot afford to wait until the regulation becomes effective in the next few years.
DPAs throughout Europe are gearing up for the regulation, and they expect organisations to comply with certain principles from the regulation that are today not yet in the black letter of the law.
For example, in the context of data breach notifications, the Privacy Commission already expects all organisations to notify data breaches as a matter of best practice and irrespective of the fact that Belgium currently does not have such a general notification requirement. It means that organisations will have to make sure they do their homework now, as it seems the DPAs will not wait until the regulation is effective to show their teeth.
This article was first published in the IAPP's Privacy Advisor.