In October 2015, we reported on the invalidation by the European Court of Justice of the “Safe Harbour” regime for personal data exports from the EU to the US (click here).
Following this judgment, many companies operating internationally had to either stop sending personal data collected in the EU to the US (e.g. by moving their servers to the EU), or to implement an alternative legal basis to legitimize their data exports.
The national data protection authorities of the EU Member States agreed to grant businesses a transitional period – until 31 January 2016 – before they would take any enforcement measures. During the transitional period, many companies have opted for the signing of data transfer agreements incorporating EU-approved model clauses. Many other companies, however, have not taken any remediation measures (yet).
In Belgium, non-compliant data controllers do not only risk civil liability, a court-ordered suspension of their data exports or a general prohibition to further process any personal data, but also criminal fines up to EUR 600,000.
Even though the Belgian Privacy Commission tends to deal with non-compliance matters in a rather pragmatic manner, the President of the Privacy Commission confirmed – during a high-level Forum on the Consequences of the Schrems case held in Brussels on 18 December 2015 – that it will not hesitate persecuting infringements as from 1 February 2016.