Belgium recently experienced two significant data breaches (involving, amongst other companies, the Belgian railway operator), which resulted in the online disclosure of personal data relating to thousands of people. These events led the Belgian data protection authority (the Privacy Commission) to issue a recommendation on the security of information and data breaches.  This recommendation was published on 21 January 2013 and can be consulted on the Privacy Commission's website (www.privacycommission.be).

  1. Security guidelines

In the first part of its recommendation, the Privacy Commission provides guidance on the measures data controllers should take in order to comply with their statutory obligation to protect personal data against breaches (i.e. accidental loss or disclosure, unauthorised or unlawful processing, etc.).

The Privacy Commission recommends, amongst other things, the segregation of local networks and equipment accessible from the Internet by means of at least a firewall and DMZ (also known as a perimeter network, i.e. an additional network that protects internal networks from external access).  Further recommendations are made regarding intrusion detection and protection systems.  In this regard, the Privacy Commission emphasizes that each company should implement such measures, based on regular risk exposure analyses.  The measures should be documented and their efficacy regularly re-assessed.

  2. Notification of data breaches

The Belgian Data Protection Act of 8 December 1992 does not include a breach notification procedure. In its recommendation, the Privacy Commission provides for a new duty to notify data breaches, in accordance with the following procedure:

  • Notification of the cause of the breach and the resulting harm to the Privacy Commission within 48 hours;
  • Launch of a public information campaign by the data controller within 24 to 48 hours after the abovementioned notification to the Privacy Commission.

  3. Enforcement

The Privacy Commission's guidelines are merely recommendations.  However, the Commission notes that strict compliance is nonetheless expected.

In the event of noncompliance, the Commission will use all powers at its disposal to hold the data controller liable, including reporting the incident to the public prosecutor's office (which could result in prosecution and, upon conviction, fines of up to EUR 600,000). The Commission intends to lobby for an amendment to the Data Protection Act in order to be given direct enforcement powers.