On November 16, 2017 the Belgian Senate adopted an “Act on the Establishment of the Data Protection Authority” (the “Act”). Following Austria, Germany, and the UK, Belgium is the fourth EU Member State to pass a domestic statute implementing the General Data Protection Regulation 2016/679 (“GDPR”) prior to its effective date of 25 May 2018. The new Belgian Act sets forth the structure and legal organization of the Data Protection Authority (“DPA”), which will serve as the successor of the current Belgian Privacy Commission. More importantly, the Act significantly broadens the DPA’s powers and provides for detailed set of procedural rules. As such, it opens the door to a potential increase in data protection litigation in Belgium.
A Functional Structure Inspired by Other Belgian Supervisory Authorities – The reform of the DPA’s structure is prompted by the significant increase in powers, as the DPA goes from being a predominantly advisory body to a true investigatory and corrective authority. The six newly instituted organs are structured in light of this and include an executive committee, a general secretariat, a frontline service, a knowledge center, an inspection body and a dispute resolution chamber. The inspiration for this new DPA structure was found in – as the Act refers to it – “supervisory authorities with comparable powers”, such as the Belgian Institute for Postal Services and Telecommunications, and the Belgian Competition Authority, both of which have expansive competencies when it comes to investigations, administrative fines, and penalties.
Inspection body and Dispute Resolution Chamber – The two most remarkable organs of this new structure are the inspection body (“inspectiedienst”) and dispute resolution chamber (“geschillenkamer”), which are both granted far-reaching inspection and corrective powers. The DPA inspection body, for instance, may carry out oral and written interrogations of individuals, on-site investigations, consult IT systems and copy relevant data, seize or seal assets or IT systems, and summon the identification of the subscriber or regular user (from a telecoms operator). In addition, the rights granted to individuals subjected to such an interrogation run parallel to the rights granted to defendants in criminal interrogations (notably the right to counsel, the right to obtain a free copy of interrogation transcripts, and the right to request performance of specific investigatory acts). The inspection body can also impose preliminary measures such as a temporary suspension, restriction or freezing of processing activities. The dispute resolution chamber in essence operates much like a judicial court (though officially it is not): parties will be summoned to appear before the chamber, are (in principle) free to present their arguments orally and in writing and can present evidence they deem relevant. Ultimately the chamber renders a decision which can be appealed before the Commercial Court of Appeal (“Marktenhof”), which was instituted specifically to rule on regulatory decisions coming from supervisory authorities, like the Belgian Competition Authority, the Belgian Institute for Postal Services and Telecommunications, and now also the DPA.
An example to other EU Member States – Since most EU Member States are still in the process of drafting and adopting legislation implementing the GDPR, it cannot be ruled out that they will follow Belgium’s position with regard to the specific implementation of procedural rules governing proceedings before local supervisory authorities. With this in mind, it is key for organization and companies to fully understand their legal rights and procedural options, in the investigatory as well as dispute resolution phase, so that they are ready should DPA(s) start exercising these powers.
* * *
This blog post is an extract from an Alston & Bird Privacy & Data Security Advisory. If you wish to read the full-length advisory, please click here.