The Belgian data protection authority (“Privacy Commission”) has released its annual report for the year 2015 (available in Dutch and French). The Privacy Commission provides an overview of the most important cases, projects and statistics summarising their activities in 2015.

1. Numbers

The annual report includes statistics on the Privacy Commission’s actions in 2015:

  • 5 recommendation files containing recommendations for legislative institutions or data controllers, issued upon the government’s request or on the Privacy Commission’s own initiative were initiated, the most famous recommendation being the one for Facebook, which amounted in judicial proceedings (see 2.), and 64 advice files, mostly triggered by requests for advice from legislative institutions and thus initiated only rarely on the Privacy Commission’s own initiative.
  • 6240 notifications of surveillance cameras were filed (representing an increase of 886 compared to 2014);
  • 4192 information-, mediation- and control files were treated (an increase of 366 compared to 2014): 3561 requests for information, 347 requests for mediation (i.e. complaint files, for which the Privacy Commission acts as mediator) and 284 control files (i.e. files concerning authorisation for e.g. indirect access to data, for which the Privacy Commission performs a control or investigation);

68% of the abovementioned 347 requests for mediation have already been closed in 2015. A privacy breach has been established in 64% of these finalised cases. 26% were declared to be unfounded.

The subjects which raised the most information requests concern surveillance cameras, privacy aspects at work, the right of personal portrayal, direct marketing and Internet.

 2. Important cases

The case which was granted the largest media attention in 2015 was the Belgian Facebook case (not to be confused with the European Facebook case (Maximilian Schrems v. Irish Data Protection Commissioner C-362/14)). The case concerned Facebook’s terms of use and more particularly, the use of cookies and social plug-ins to track the online behaviour of Internet users without a Facebook account. Following Facebook’s non-compliance with the recommendations addressed to it earlier by the Privacy Commission, the latter sued Facebook for breaching the Belgian Data Protection Act and the Electronic Communications Act.

It was ruled that Facebook had to stop registering these data, as Facebook had not received any authorisation to process the data of persons not disposing of an account. Facebook appealed the decision, and also reacted to the judgment by making public Facebook pages inaccessible to Belgian users who are not registered with the social network. Facebook argued that the cookies used for public pages are indispensable for access to those pages. Just recently, in June 2016, the Court of Appeal dismissed Facebook’s claim and stated that it is not competent to decide on the case. The Privacy Commission will await the judgment on the merits of the case in 2017 before deciding on which enforcement steps it can take against Facebook.

3. Projects

  • As the Privacy Commission received a growing number of queries with regard to cookies, it decided to issue a recommendation in this respect (Recommendation 01/2015 (NL/FR)). The Recommendation includes of a list of guidelines, summarising the problems and providing practical answers to questions from legal professionals, technicians and website developers with regard to the provision of information and direct marketing practices. The recommendations can proactively counter possible infringements on privacy rights.
  • The Minister of Transport asked for the advice of the Privacy Commission with regard to a draft Royal Decree concerning the use of ‘aircrafts controlled at distance’. The Privacy Commission rendered a positive advice, as the draft Royal Decree is applicable to, and subsequently makes the Privacy Act applicable to, all types ofdrones. The Royal Decree (NL/FR) entered into force on 25 April 2016.
  • Following the terrorist attacks in Paris, legislative initiatives have been taken which could have an impact on privacy. The Privacy Commission was therefore asked to issue an opinion with regard to certain anti-terrorism measures. It concerned advice 55/2015 with regard to the processing of passenger data (NL/FR), advice 57/2015 with regard to foreign terrorist fighters (NL/FR) and advice 54/2015 with regard to lifting anonymity for prepaid card users (NL/FR).
  • The Privacy Commission has published a paper with regard to the theme ‘Privacy aspects at work‘. This paper answers queries from both an employee and employer point of view on how to treat personal data in the work place in a correct and privacy friendly manner. Themes treated in the paper include geo-localisation (track and trace systems) in company cars, camera surveillance and monitoring of electronic communications.