On 23 August 2017, a draft bill establishing a Data Protection Authority (Wetsontwerp tot oprichting van de GegevensbeschermingsautoriteitProjet de loi portant creation d’Autorité de protection de données, “DPA Bill”) was introduced before the Belgian Parliament, as required by the General Data Protection Regulation (“GDPR”).   The DPA Bill aims to reform the existing Commission for the Protection of Privacy (“Privacy Commission”) and covers the data protection authority (“DPA”)’s structural organization and competences.  In addition to the DPA Bill, a second implementing bill covering the GDPR’s data processing principles and conditions is being prepared and will be introduced in the coming months.

Privacy Commission vs. DPA: from a toothless tiger to a stern watchdog with investigative, corrective and administrative sanctioning powers


Far-reaching powers

The current Privacy Commission will be renamed DPA, creating a clear link with the GDPR and reflecting its robust enforcement powers.  These enforcement powers include a broad investigative power (following a complaint or ex officio), the ability to adopt interim measures and impose sanctions, including administrative fines up to 4% of the total worldwide annual turnover.  The difference in powers between the DPA and the Privacy Commission is striking.  Unlike the Privacy Commission, the DPA will itself be able to sanction infringements of data protection provisions by imposing fines and other administrative sanctions, without having to rely on the public prosecutor.

New organizational structure

The DPA’s structure, inspired by the Belgian Competition Authority’s composition, will be completely different from the current Privacy Commission’s structure.  To ensure it exercises its newly acquired powers effectively, the DPA will be divided into six bodies, each with specific roles and competencies. A non-exhaustive overview of these roles and competencies is provided in the table below:

DPA Body Roles and competencies
The Management Committee (Directiecomite – Comité de direction)
  • Determine the DPA’s overall policy and strategy.
The General Secretariat (Algemeen Secretariaat – Secretariat Général)
  • Carry out the DPA’s day-to-day operations.
  • Provide information to citizens and receives the complaints.
The First Response-service (Eerstelijndienst – Le service de première ligne)
  • Handle complaints and submissions made to the DPA.
  • Provide guidance to data controllers and processors.
The Knowledge Center (Kenniscentrum – Centre de connaissance)
  • Issue and publish opinions and recommendations related to the processing of personal data (ex officio or upon the government’s request).
The Investigation Department (Inspectiedienst – Service d’inspection)
  • Investigate; conduct interviews and dawn raids (without the need for authorization from an investigating judge – except in cases of dawn raids at individuals’ homes).
  • Adopt interim measures, such as suspending all data processing operations for a period of three months.
  • The inspectors will assume the capacity of officers of the judicial police.(“Officier van gerechtelijke politie, hulpofficier van de procureur des Konings – Officier de police judiciaire auxiliaire du Procureur du Roi”).
The Dispute chamber
  •  The DPA’s administrative dispute body.

The DPA will also have a Reflection board (Reflectieraad – Le Conseil de réflexion) which will be responsible for formulating non-binding opinions. The sectoral committees, currently established within the Privacy Commission will disappear upon the entry into force of the DPA Bill.  The issued authorizations, however, will maintain their validity.

New bifurcated procedure

Proceedings concerning the infringement of data protection provisions will be divided into two phases. The DPA Bill also foresees the possibility to appeal decisions.  In short, the course of the proceedings will be structured as follows:

Phase I: Investigation Department

 A written complaint or request is submitted (by a natural/ legal person or ex officio) to the General Secretariat.

  • The First Response-service assesses, enjoying a margin of discretion, the admissibility of the complaint.
  • The Investigation Department can, exercising its extensive investigative powers, request information, conduct dawn raids and adopt interim measures. The person subject to the investigation must fully cooperate.

Phase II: Dispute chamber

 Accessed following the investigation report issued by the Investigation Department or upon complaints deemed admissible by the First Responders-service.

  • The procedure before the Dispute chamber is in writing, but parties can be heard.
  • The Dispute chamber can, among other things:
    • Dismiss the case;
    • Issue a warning;
    • Impose provisional or coercive measures; or
    • Impose administrative fines up to 4% of the total worldwide annual turnover of the preceding financial year.

Appeal at the Brussels Court of Appeals

Rulings from the Dispute chamber can be appealed within 30 days after notification of the decision.This new procedure will be applicable to all cases referred to the Dispute chamber after the entry into force of the afore-mentioned DPA Bill.  Complaints filed prior to the reform, but which are still pending at the time of entry into force of the new law, will be handled according to the “old” procedure.

What is next?

The DPA Bill is still in a preliminary stage and, consequently, further changes to the content are possible.  The draft bill is currently being reviewed by the standing committee for the Belgian Ministry of Justice and a hearing is scheduled for October 30.   Once approved, the draft will be discussed and voted on in the plenary meeting of the Belgian Parliament.  The final version will become law upon receiving royal assent from the Belgian King, following which it will be published in the Belgian State Gazette.

Conclusion

The aim of the DPA Bill is to create a modern DPA with strong instruments capable of effectively controlling the processing of personal data. Notwithstanding the DPA Bill being in its early stages and modifications still being possible, the general framework as described above is likely to be maintained. The draft DPA bill serves as a useful reminder of the need for organizations to ensure compliance with the GDPR by May 25, 2018.