Belgium Establishes New Data Protection Authority Ahead of GDPR Introduction

The European Union’s General Data Protection Regulation (GDPR) will become enforceable on May 25 2018. European Union Member States are in the process of implementing laws that will bring their own data protection rules and regulations in line with the new data privacy legislation.

Belgium began this process early, passing legislation on December 3 2017 aimed at implenting the GDPR ethos regarding rights and freedoms for the individual. The law, which was published in the Belgian Official Gazette on 10 January 2018, comes into force at the same time as GDPR, with the only exception to this being the appointment of the members of the Executive Committee, the Knowledge Centre and the Disputes Resolution Bodywho have already been named.

Setting up a Data Protection Authority (DPA)

One of the main requirements of GDPR is that each EU Member State must set up at least one Data Protection Authority (DPA), to manage the implementation and enforcement of the GDPR in that country. In Belgium this means that the new authority replaces the current Commission for the Protection of Privacy (CPP).

Belgium may not be considered as one of the most powerful EU member states, but it has always had a reputation for being stringent in the area of data protection. This has led to the country suing social media providers in the past.

Belgium and Facebook

An ongoing battle between Belgium and social media giant Facebook began back in 2015. The CPP took Facebook to court in relation to its tracking of Belgian nationals without explicit consent. The courts ordered Facebook to stop the process of using cookies to gather information about visitors to the site. It threatened the US company with fines. Facebook appealed the decision and it was overturned. In February 2018, the Belgian courts instructed Facebook to stop tracking Belgian citizens on third party websites. The social media company has been threatened with fines of up to €100m, if it fails to comply with this instruction.

This is just one example that depicts how Belgium has always regarded the protection of personal data as a priority. Now, as it the case with all other EU countries, Belgium is making sure that it has the laws in place to ensure that companies and organisations comply with GDPR regulations, and that action is taken if this is not the case. The introduction of GDPR is intended to bring improved consistency regarding the way that data protection is handled across the EU.

However, although all EU Member states must comply with GDPR stipulations, states like Belgium also have the freedom to implement additional regulations relating to issues such as national security.

Individual DPAs also have the right to decide on what sanctions should be imposed for non-compliance, including the level of any fines. This could be expensive for companies such as Facebook as the maximum level of fine that can be applied is €20m or 4% of annual turnover, whichever is higher.