On April 29, 2013, the Belgian Privacy Commission announced that it referred a data breach case involving The National Belgian Railway Company to the Brussels Public Prosecutor. The data breach, which occurred in December 2012, resulted in the 1.46 million sets of customer data being made publicly available online. The Privacy Commission investigated the case and concluded that there had been a violation of the Belgian Data Protection Act, but since the Privacy Commission does not have the authority to impose sanctions for the violation, it referred the case to the prosecutor’s office to initiate criminal proceedings. The Privacy Commission commented that this is the first time that it has referred a data breach case to the Public Prosecutor.
In the context of this and other recent data breaches, the Privacy Commission issued guidelines on how to prevent data breaches and how to provide notification of data breaches when they do occur (i.e., within 48 hours to the competent authorities).