January 28 is “Data Privacy Day” or “Data Protection Day”. The purpose of this day is to raise awareness and promote privacy and data protection best practices. It is ‘celebrated’ in the United States, Canada, and 47 European countries.
At the occasion of “Data Protection Day 2016”, we have listed our 2015 highlights, and briefly look ahead at what to expect for 2016.
1. Data Retention
In June 2015, the Belgian Constitutional Court declared the data retention obligations for electronic communications service providers invalid. After the invalidation of Data Retention Directive 2006/24/EC by the EU Court of Justice on 8 April 2014, it was of course only a matter of time before its national implementing legislation would be directly challenged before the Belgian courts.
2. Legislative Reform
The negotiations on the General Data Protection Regulation (the “GDPR”) gradually progressed towards a consensus. On 15 December 2015, the European institutions finally agreed on a uniform wording for the GDPR.
3. Safe Harbour Invalidation
In its judgment of 6 October 2015, the EU Court of Justice declared the decision of the European Commission establishing the ‘adequacy’ of the Safe Harbour certification system for EEA-US data transfers, invalid. It also expressly confirmed that national data protection authorities may still investigate a complaint alleging that a third country does not ensure an adequate level of personal data protection and, where appropriate, suspend/prohibit the transfer of that data, notwithstanding any adequacy finding by the European Commission. Not only will a US entity’s Safe Harbour certification thus no longer be a valid ground to justify data exports to the US, also data exports to other non-EEA countries are susceptible to scrutiny by the national data protection authorities.
4. Enforcement – Facebook Case
For the first time since the adoption of the BDPA in 1992, the Belgian Privacy Commission displayed a remarkable level of activism by pursuing Facebook in court proceedings. On 9 November 2015, the President of the Brussels Court of First Instance ordered Facebook to stop tracking non-users in Belgium within 48 hours as from the service of the judgment. Facebook was also made subject to penalty payments of EUR 250,000 for each day of continued infringement.
Outlook for 2016
1. Data Retention
A draft bill reintroducing data retention requirements in the electronic communications sector has been introduced in Parliament and is expected to be adopted in 2016.
2. Legislative Reform
At national level, an amendment to the Belgian Data Protection Act is being discussed in Parliament. This amendment (cf. the amended Dutch Data Protection Act that entered into force on 1 January 2016) mainly aims at enabling the Privacy Commission to sanction infringements itself (by imposing administrative fines up to EUR 800,000) and introducing data breach notification requirements.
Also the text of the GDPR is expected to be adopted in the first quarter of 2016 (and consequently to become effective early 2018).
3. EU-US Data Transfers
On 1 February 2016, the grace period granted by the national data protection authorities of the EU Member States following the invalidation of the “Safe Harbour” regime will expire.
With the deadline approaching, and a “Safe Harbour 2.0” not likely to be agreed upon within the next couple of days/weeks, data controllers that have not yet implemented any alternative legal grounds for their data exports may find themselves confronted with a serious liability risk.
4. Facebook case – the saga continues
Facebook has appealed the judgment of the President of the Brussels Court of First Instance of 9 November 2015. At the same time, the procedure on the merits initiated by the Belgian Privacy Commission is progressing and a promises – again – an exciting year for data protection!