The Belgian data protection framework

The publication on 5 September 2018 of the Act of 30 July 2018 on the protection of natural persons with regard to the processing of their personal data marked the completion of the Belgian data protection framework. In this blog, we provide an overview of this national framework and point out the main particularities of the four consisting acts.

I. Belgian data protection framework: overview and particularities

Following the adoption at EU level of the Data Protection Reform Package in 2016, Belgium has reshaped its national data protection framework by transposing (i.e. of the Data Protection Directive for Police and Criminal Justice Authorities[1]) and executing or clarifying (i.e. of the General Data Protection Regulation[2] or "GDPR") EU data protection law in national law.

Since the publication on 5 September 2018 of the final part of the national legislative framework (i.e. the Privacy Act), the Belgian data protection framework is complete and consists of the following acts:

1. The Act of 30 July 2018 on the protection of natural persons with regard to the processing of their personal data ("Privacy Act");

2. The Act of 21 March 2018 modifying the act on the installation and use of cameras ("Camera Act");

3. The Act of 5 September 2018 on the creation of an Information Security Committee ("Information Security Committee Act");

4. The Act of 3 December 2017 establishing the Data Protection Authority ("Data Protection Authority Act").

 

 

1. The Privacy Act

The Privacy Act both transposes the Directive for Police and Criminal Justice Authorities in Belgian law and supplements or specifies some specific provisions of the GDPR. The result is a comprehensive act that touches upon many aspects of data protection in Belgium.

(i) The Privacy Act transposes the Data Protection Directive for Police and Criminal Justice Authorities, which goal is to balance:

- On the one hand, the increased protection of individuals' personal data when it is processed by police and criminal justice authorities[1], e.g.:

• The explicit requirement to comply with the principles of lawfulness under the EU data protection law (i.e. the processing must be lawful and fair; the data may only be collected for specified, explicit and legitimate purposes and may only processed in line with these purposes; the data must be adequate, relevant and not excessive in relation to the purpose for which they are processed etc.);

• The explicit requirement to establish time limits for erasure of personal data or for the review of the need to store such data are determined by the applicable specific law, decree or ordonnance (e.g. for the processing of personal data by intelligence and surveillance services the retention period are determined by article 21 of the Act regulating intelligence and security services);

 

• The principle requirement to provide data subjects with specific information on the processing of his/her personal data.

 

- On the other hand, the need to cooperate in the fight against terrorism and cross border crime in the EU by facilitating investigations and protection, as well as the information exchange necessary for investigations[2], e.g.:

• The limitation of data subject's rights (incl. the right to information) for purposes of general interest (e.g. protection of public or national security, preventing negative consequences for the detection, research and prosecution of criminal offences or the execution of sanctions etc.);

• Exceptions to the prohibition of processing of special categories of personal data or personal data relating to criminal convictions or offences;

• The creation of a national framework for the transfer of personal data to third countries or international organisations.

   

   

   

   

   

(ii) The Privacy Act also implements and specifies the General Data Protection Regulation, by e.g.:

• Lowering the age of lawful consent for minors in the context of information society services to the legal minimum of 13 years of age.

• Determining specific requirements when processing genetic, biometric or health data, such as the requirement for the controller (or if applicable the processor) to indicate the categories of persons that have access to the personal data and to provide a detailed description of their capacity with regard to the processing of such data;

• Determining conditions where the processing of criminal convictions and offences or related security measures are authorised, e.g. by natural or legal persons to the extent this is necessary for the management of their own disputes or in case the data subject has provided explicit written consent for one or more specific purposes and the processing is limited to such purposes;

• Limiting data subject rights for specific processing in the context of intelligence and surveillance services or threat analysis;

• Regulating the processing for the purpose of archiving, research and statistical purposes and the conditions for derogations to data subject rights in this context;

• Establishing broad derogations for academic, artistic and literary expression purposes.

 

 

2. Data Protection Authority Act

The Data Protection Authority Act establishes the Belgian Data Protection Authority ("DPA"),to supervise and enforce the compliance with the principles on the protection of personal data. To this extent the DPA is granted the authority to inform judicial authorities of infringements and, where appropriate, to autonomously initiate legal proceedings to enforce the principles of data protection.

The DPA is composed of the following 6 internal bodies: 1) an executive committee entrusted with top-level management including finances; 2) a general secretariat for general management and support of the DPA; 3) a first-line service for requests or complaints and to boost awareness about data protection; 4) a knowledge centre with advisory powers; 5) an inspection/investigative body and 6) a disputes chamber with the power to impose sanctions. Finally, the Data Protection Authority Act also establishes an external reflection board that may draft non-binding advice to the DPA on all matters regarding the protection of personal data.

 

 

3. Camera Act

In parallel with the Privacy Act, the Camera Act intends to allow technical evolution in the tracing and detection of criminality while at the same time aiming for an enhanced protection of data subjects and emphasizing the accountability of the controller[1]. Although the Camera Act still applies to "camera surveillance and supervision", the use of cameras by police authorities is now out of scope of the Camera Act, as the legislator argued that this required a specific legal framework[2].

 

The following provisions of the Camera Act require attention:

 

(i) Notification to police authorities

The prior notification of camera use to the Privacy Commission has been removed from the Camera Act and is replaced by a notification to the police authorities using a standard form. The formalities of this notification to the police authorities have been established by Royal Decree.

 

(ii) Additional requirements for camera surveillance icons

In parallel with the broad information obligations stipulated in the GDPR, the Royal Decree of 28 May 2018 extends the information to be provided on (or with) the existing mandatory camera surveillance icons. This includes, if applicable, the information of the Data Protection Officer and the website of the controller that provides all information on the data processing by use of surveillance cameras. The Royal Decree of 28 May extends this broadened information obligation to mobile surveillance cameras.

 

 (iii) Obligation to hold a camera image processing register

The controller is obliged to hold a register with the image processing activities performed by use of cameras under its responsibility. Upon request, this register will have to be provided to the Data Processing Authority and police authorities. The content, modalities and retention period of this register are determined by Royal Decree.

 

(iv) Data minimisation in determining the perimeter of surveillance

Generally the controller must ensure that the camera surveillance is not focused specifically on locations for which it is not the data controller. In case of surveillance of an entrance of a not publically accessible enclosed location, the surveillance must in principle be focused so as to ensure the image recording is limited to the absolute minimum.

 

(v) Extended "real time" viewing options

The possibility to view camera images of fixed cameras in unenclosed locations in real-time is extended from solely police authorities to surveillance agents acting under supervision of police authorities.

For enclosed locations accessible to the public (e.g. shops), the Camera Act holds the possibility to manage control screens that publically broadcast real time images.

The Camera Act also allows for real time camera image viewing for other authorities than police authorities (e.g. national crisis bodies, the Minister of foreign affairs, the Body for Coordination and Analysis of Threat ("OCAD") etc.) to coordinate safety at important events that may impact the public order and security and to follow up on the evolution of emergency situations and to coordinate the management.

 

(vi) New rules on mobile surveillance cameras

In unenclosed locations mobile surveillance cameras may only be used in view of automatic number plate recognition (ANPR) for the purpose of

• prevention, detection or tracing nuisance;

• verifying compliance with the municipal and parking regulations.

 

In enclosed locations mobile surveillance camera's is only allowed:

• for the purpose of managing private and special security (e.g. at nuclear sites or military domains);

• where no person is supposed to be present;

• by a natural person for personal or household use, in enclosed locations not accessible to the public (e.g. private home).

 

(vii) New rules on intelligent surveillance cameras connected to personal data registers

The use of intelligent surveillance cameras connected to registers or files with personal data is only allowed for the purpose of automatic number plate recognition, provided that the controller processes the personal data in compliance with the GDPR.

 

(viii) Retention period

By default, camera images can only be retained for a period of one month. If the camera image contribute to evidence a crime, damage or if they identify a perpetrator, disturber of public order, witness or victim, they can be retained longer.. The default retention period may be extended to 3 months for specific locations that pose a particular security risk.

 

(ix) Exceptions for house hold use in a private home

The camera use by a natural person for house hold use in a private home, is exempted from the following requirements:

• prior notification to the police authorities;

• showing an icon informing about the camera surveillance;

• keeping a camera image processing register.

 

(x) Higher fines

The criminal fines in the amended Camera Act are significantly higher and can go up to 20 000 EUR for breaches of article 9 (i.e. provisions on access to and transfer of the images) and 10 (i.e. sensitive categories of personal data); and up to 10 000 EUR for breaches to articles 5, 6, 7 and 8 (i.e. procedure and secret use)[1]. It is important to keep in mind that where an infringement of the Camera Act is also an infringement of the GDPR, the sanctions stipulated in the GDPR may be applicable in addition to those of the Camera Act. This may be the case for example where the surveillance camera images of a supermarket are held beyond their retention period and are further processed for unlawful or incompatible purposes (e.g. if they would be sold to a marketing company for commercial purposes).

 

 

4. Information Security Committee Act

The Information Security Committee Act establishes an Information Security Committee as a separate body (previously its functions were taken up by sectoral committees that were part of the Data Protection Authority) to determine the general principles of information security and the protection of privacy that must be observed when exchanging personal data between various federal authorities and concerning public welfare and health related matters[1]. The creation of the Committee is intended as a measure to give concrete form to the GDPR's basic principles of "privacy by design" and "privacy by default".

 

Secondly, the Information Security Committee Act also amends several other acts in the context of data protection (e.g. the act establishing and organising the crossroad bank of social security, the act on the establishment of the eHealth-platform etc.).

 

 

II. Final Remarks

Although Belgium now has an extensive legal framework for data protection, in practice the Data Protection Authority has not yet been very active, whether in terms of providing guidance or in terms of enforcement. This is mainly due to the fact that the Belgian Parliament still has to formally appoint the Direction Committee, the Knowledge Committee and the Dispute Chamber of the Data Protection Authority. By way of transition, the members of the (previous) Privacy Commission have been temporarily mandated with these tasks. It may be expected that the Data Protection Authority will start to play a more active role once the Direction Committee will have been formally appointed. More than 4 months after the GDPR became effective, one can only hope that this will happen sooner than later.

 

[1] Belgische Kamer van Volksvertegenwoordigers, Wetsontwerp van 20 juni 2018 tot oprichting van het informatieveiligheidscomité en tot wijziging

van diverse wetten betreffende de uitvoering van Verordening (EU) 2016/679 van 27 april 2016 van het Europees Parlement en de Raad betreffende de bescherming van natuurlijke personen in verband met de verwerking van persoonsgegevens en betreffende het vrije verkeer van die gegevens

en tot intrekking van Richtlijn 95/46/EG, Doc 54 3185/001, http://www.dekamer.be.

[1] From 1 January 2017 criminal fines have to be increased by the multiplicator 8 to address inflation.

[1] Belgische Kamer van Volksvertegenwoordigers, Memorie Van Toelichting bij het Wetsontwerp tot wijziging van de wet op het politieambt om het gebruik van camera's door de politiediensten te regelen, en tot wijziging van de wet van 21 maart 2007 tot regeling van de plaatsing en het gebruik van bewakingscamera's, van de wet van 30 november 1998 houdende regeling van de inlichtingen- en veiligheidsdiensten en van de wet van 2 oktober 2017 tot regeling van de private en bijzondere veiligheid, Doc 54 2855/001, http://www.dekamer.be.

[2] The provisions on the use of cameras by police authorities have been transferred to the Act of 5 August 1992 on the Police Function (as amended by the Camera Act).

[1] European Parliament and the Council, Protecting personal data when being used by police and criminal justice authorities (from 2018) – Summary of Directive, https://eur-lex.europa.eu.

[2] European Parliament and the Council, Protecting personal data when being used by police and criminal justice authorities (from 2018) – Summary of Directive, https://eur-lex.europa.eu.

[1] Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119, 4.5.2016, https://eur-lex.europa.eu.

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119/1, 4.5.2016, https://eur-lex.europa.eu.