On 18 July 2016, the Belgian Official Gazette published the Act of 29 May 2016 on the collection and storage of data in the electronic communication sector and amending, inter alia, Article 126 of the Act of 13 June 2005 on electronic communication, known as the Belgian Electronic Communication Act (the “BECA”).
After the CJEU’s ruling on 8 April 2014 (C-293/12 and 594/12) that quashed the EU 2006/24 Data Retention Directive (the “Directive”) for disproportionate infringement on privacy rights of EU citizens, the Belgian Constitutional Court similarly invalidated on 11 June 2015 the then current version of Article 126 that transposed the Directive into Belgian law. Consequently, the prior version of Article 126 was supposed to apply. However, according to the Belgian government, that version was not satisfactory because the retention obligation it contained was not stipulated clearly enough. So a new bill has been submitted whereby providers of publicly available electronic communications services or networks concerned must still retain certain communication data.
The applicable data retention period is, on average, twelve months and applies to: identification data, data intended to identify the means of communication, access and terminal equipment connection data, localization data including the network termination point, as well as communication data; but this period does not apply to content-related data.
Also, the technical and security measures that must be taken by those operators have been strengthened. Indeed, operators must now guarantee that the retained data are of the same quality and subject to the same security and protection as those data on the network. Moreover, the data will have to be kept within the EU, and their exploitation must be subject to an efficient traceability process.
Operators must also implement appropriate technical and organizational measures to protect the data against accidental or unlawful destruction, accidental loss or alteration, or unauthorized or unlawful storage, processing, access or disclosure. In this regard, the data may be accessed by specially authorized personnel only (i.e. the socalled “Coordination Unit”), who are bound by professional secrecy. Furthermore, technological protection measures must be put in place to ensure that, as from the beginning, the retained data are made unreadable and unusable for any unauthorized individual. In addition to the Coordination Unit, a data protection officer must be appointed. He or she will, inter alia, ensure that all data processing made by the Coordination Unit comply with the law and that the operator or operators concerned collect and retain only the data that may be legally retained. Finally, the retained data must be destroyed by the operators at the end of the applicable data retention period.
The specific authorities that are entitled to access such data, upon a mere request, have been further specified. These are the judicial authorities, the intelligence and security services, any police officer of the Belgian Institute for Postal services and Telecommunications, emergency services, and the police officers from the missing persons unit and mediation department. In addition, the underlying purposes and circumstances allowing these authorities to access such data have also been set out. The providers concerned must grant these authorities unrestricted and swift access to the data retained in Belgium.
Finally, it is worth mentioning that the CJEU Advocate General, in his opinion of 19 July 2016 (C203/15 and C698/15), found that the EU legislation doesn’t preclude EU Member States from imposing on providers of electronic communications services an obligation to retain all data relating to communications effected by the users of their services if all of the following conditions are satisfied:
- the obligation and the safeguards which accompany it must be provided for in legislative or regulatory measures possessing the characteristics of accessibility, foreseeability and adequate protection against arbitrary interference;
- the obligation and the safeguards which accompany it must observe the essence of the rights recognized by Articles 7 and 8 of the Charter of Fundamental Rights;
- the obligation must be strictly necessary in the fight against serious crime, which means that no other measure or combination of measures could be as effective in the fight against serious crime while at the same time interfering to a lesser extent with the rights enshrined in Directive 2002/58 and Articles 7 and 8 of the Charter of Fundamental Rights;
- the obligation must be accompanied by all the safeguards described by the CJEU in the above mentioned judgment of 8 April 2014, in order to limit the interference with the rights enshrined in Directive 2002/58 and Articles 7 and 8 of the Charter of Fundamental Rights to what is strictly necessary; and
- the obligation must be proportionate, within a democratic society, to the objective of fighting serious crime, which means that the serious risks engendered by the obligation, in a democratic society, must not be disproportionate to the advantages that it offers in the fight against serious crime.