Public and private enforcementi Enforcement agencies
The Belgian enforcement agency with responsibility for privacy and data protection is the DPA.
The DPA's mission is, inter alia, to monitor compliance with the provisions of the GDPR and the Data Protection Act. To this end, the DPA has general power of investigation with respect to any type of processing of personal data and may file a criminal complaint with the public prosecutor. It may also institute a civil action before the president of the court of first instance. Whereas this is where the scope of authority ended for the original Privacy Commission, the reformed DPA (in light of the GDPR) is an independent administrative authority with legal personality and extensive investigative and sanctioning powers, composed of six different bodies: an executive committee, a general secretariat, a front-line service, a knowledge centre, an inspection service and a dispute chamber.
The executive committee, composed of the leaders of the five other bodies, is responsible for the adoption of the DPA's general policies and strategic plan.
A general secretariat is responsible for the reception and processing of complaints and to inform citizens about their data protection rights.
The inspection service functions as the investigating body of the DPA, with a wide array of investigative powers (e.g., interrogation of individuals).
The front-line service has a singular role in providing guidance (e.g., with regard to adequate data protection techniques under the GDPR) and supervising data controllers and processors and their compliance with data protection legislation.
Led by six experts in the field, the knowledge centre provides public decision-makers with the necessary expertise to understand the technologies likely to impact on the processing of personal data.
The dispute chamber, composed of a president and six judges, is able to impose sanctions of up to €20 million or up to 4 per cent of the total worldwide annual turnover of the infringing company.
As well as the above-mentioned bodies being established under the auspices of the reformed DPA, an independent think tank is set up to reflect society as a whole, both participants in the creation of the digital world and those affected by it, and to provide the executive committee with a broad vision and guidance as it negotiates current and future data protection challenges.
Along with natural persons, legal persons, associations or institutions are also able to lodge a complaint of an alleged data protection infringement.ii Recent enforcement cases
The most important recent enforcement case undertaken by the DPA is the one initiated against Facebook in June 2015 concerning its unlawful processing of data through hidden cookies. As mentioned above, Facebook has been condemned by the Court of First Instance. Following the appeal filed by Facebook, the Brussels Court of Appeal has decided to refer the case to the European Court of Justice.
Within the first year of the functioning of the reformed DPA following the introduction of the GDPR on 25 May 2018 only one fine has been issued yet. The case involved a mayor who, in the execution of his powers as a public official, sent out an email to a few citizens shortly prior to the municipal elections in which he campaigned for himself. The DPA concluded that the mayor had abused personal data which he received during the exercise of his function for personal purposes and issued a fine of €2,000.
In July 2019, the DPA has reproached the Ministry of Health for not responding to a request of a citizen that wished to exercise his right of access following two complaints of the citizen concerned. No fine was issued, as, under Belgian law, a state institution cannot be fined for violating the GDPR. The fact that not all of the GDPR's provisions apply equally to state institutions has been criticised by the Federation of Enterprises in Belgium (FEB), which has started a case before the Constitutional Court against what it calls a 'discrimination of enterprises'.iii Private litigation
Private plaintiffs may seek judicial redress before the civil courts on the basis of the general legal provisions related to tort or, in some cases, contractual liability. In addition, they may file a criminal complaint against the party that committed the privacy breach. Financial compensation is possible, to the extent that the plaintiff is able to prove the existence of damages as well as the causal link between the damage and the privacy breach. Under Belgian law, there is no system of punitive damages.
The Belgian DPA received 328 complaints following the entry into force of the GDPR, which mostly concerned data subject rights, camera surveillance or direct marketing. As mentioned above, only one fine has been issued until now.
Class actions were traditionally not possible under Belgian law until 1 September 2014, when a new Act on Class Actions entered into force. The Belgian consumer organisation Test-Aankoop, for instance, has launched a class action against Facebook together with sister-organisations in Spain, Italy and Portugal, demanding €200 damages per claim for abusing personal data of its users. In Belgium, 42,000 people have joined the class action, and in Europe overall 250,000 people.
In a judgment of 29 April 2016, the Supreme Court ruled in favour of the right to be forgotten. The case concerned the online disclosure of an archived database of a famous Belgian newspaper, which would result in the publication of the full name of a driver who was involved in a car accident in 1994 in which two people died. Both the Court of Appeal and the Supreme Court considered the right to be forgotten essential in this case and ruled in favour of a limitation of the right of freedom of expression.