A little less than a month ago, the Belgian House of Representatives appointed the new commissioner and directors of the Belgian Data Protection Authority (DPA), as we explained in our blogpost here.
Today, little less than eleven months after the establishment of the DPA, the new commissioner, Mr David Stevens, and the new directors are finally taking the oath. While Mr Stevens expects that it will still take some time to get the Belgian DPA running at full speed (the 60 people working for the DPA still need to be dispatched among the five different entities making up the Belgian DPA), his message is crystal clear: the era of “sitting back and relaxing” is over. The revamped DPA will now take a more active stance, and not just “keep the machine running”.
To illustrate the need of a new approach, Mr Stevens pointed to the comparatively low amount of data breach notifications in Belgium (442 as of January 2019 in Belgium, compared with 21.000 in Netherlands in 2018). From now on, the Belgian DPA wants to be a modern supervisor, he added, a supervisor that will come out and make clear to the sectors and companies what is expected from them, but at the same time expecting companies to meet them halfway.
According to Mr Stevens, the lack of an Executive Committee certainly led some companies to procrastinate their compliance with the new European data protection rules. While recalling that the Belgian DPA has the competence to issue fines of up to 20 million euros or 4% of total worldwide annual turnover (whichever is higher), the new commissioner signalled that, if necessary, the Belgian DPA would not hesitate to issue fines to those not playing by the rules. It seems the new appointments finally gave the Belgian DPA the teeth it needed, and judging from Mr Stevens’ comments, it is prepared to use them.