by Stéphanie De Smedt & Valérie Verstraeten, Lawyers, Loyens & Loeff Advocaten
About one year ago, on May 25, 2018, the EU General Data Protection Regulation (GDPR) became applicable throughout Europe. The GDPR abolished and replaced the EU Privacy Directive 95/46, with the aim of modernizing the European data protection legal framework and giving citizens more control over their personal data. From start-ups and SMEs to multinationals, companies all over Europe (and far beyond, given the extraterritorial scope of application of the GDPR) were conducting compliance audits and risk assessments, updating their privacy terms and contracts and revising their internal processes.
Today, one year later, we see that the authorities are getting ready to take up their new role and to start enforcing the GDPR. In parallel, consumer organizations and NGOs are looking into the possibilities of private enforcement offered by the GDPR.
Enforcement by the Data Protection Authorities
In Belgium, the (former) Privacy Commission had no direct sanctioning powers and could only (a) refer a case to the public prosecutor, or (b) initiate cease and desist proceedings before the ordinary courts. The Privacy Commission did not often make use of these possibilities, and the only high-profile case that was ever brought to court was the case against Facebook (cease and desist procedure for the unlawful tracking of non-users of Facebook by means of cookies).
This procedure was initiated in 2015 and is still ongoing. In its ruling of May 8, 2019, the Brussels Court of Appeal decided to declare the Privacy Commission’s claims inadmissible insofar as they were directed against Facebook Inc. and Facebook Ireland (non-Belgian defendants). Only the claims against Facebook Belgium were declared admissible. The court did not, however, pronounce on the merits of the case, as it referred several questions (relating to the competence of the national data protection authorities in light of the “one-stop-shop” mechanism and the risk of conflicting decisions in different EU Member States) to the European Court of Justice for a preliminary ruling. We can expect this case (even though it is an expedited type of procedure) to last for another couple of years.
Since May 25, 2018, the European Data Protection Authorities have enhanced investigative and sanctioning powers. They have their own ‘inspection service’ (a team of investigators that can conduct ‘dawn raids’ as in competition law matters), and they can impose administrative orders enforced by penalty payments. Such orders may include orders to freeze or cease an infringing data processing activity, to delete certain data, to respond to a data subject’s request, etc. In addition, they can also impose administrative fines (up to €20,000,000 or 4% of a company’s annual global turnover) or refer a case to the public prosecutor.
To ensure that the (former) Belgian Privacy Commission would be able to exercise its newly acquired powers effectively, this authority was reformed into the new Data Protection Authority. The new Belgian Data Protection Authority is composed of six new departments, each having a specific role:
- The Executive Committee is responsible for defining the general policy and the day-to-day administration of the Data Protection Authority;
- The General Secretariat has purely administrative functions (such as receipt of complaints), but also exercises more substantive powers (such as approving codes of conduct);
- The Frontline Service is the intermediary body between data subjects and the inspection and litigation bodies;
- The Knowledge Centre is the body issuing advice and recommendations on GDPR compliance;
- The Inspection Body is the investigating body of the Data Protection Authority; and
- The Dispute Chamber is the body holding the prosecution and sanctioning powers.
Activity of the Belgian Data Protection Authority
In its 2018 Annual Activity Report, the Belgian Data Protection Authority reported having submitted 70 cases to the Inspection Body, generally relating to the topics of municipal elections, camera surveillance and data processing by public authorities. One of these cases has already been submitted to the Dispute Chamber, which found a violation and issued its first GDPR fine on May 28, 2019. The case concerned a complaint about a mayor who re-used personal data received during the performance of his duties for electoral campaign purposes. The Data Protection Authority found that the mayor had infringed upon the purpose limitation principle and therefore issued a reprimand and imposed a fine of €2,000 (given the limited number of persons involved and the limited impact of the infringement). The DPA highlighted that while the fine is modest, the message is not: “all data controllers must take their responsibilities, most certainly those who have a public mandate”.
We can conclude that the Belgian Data Protection Authority is gradually taking on a more active role and will continue to do so in 2019. It is important to note that the directors of the new bodies of the Belgian Data Protection Authority were only nominated in April 2019. Between May 2018 and April 2019, the members of the former Privacy Commission continued to hold an ‘ad interim’ position, but could not really start enforcing the GDPR.
Private enforcement – class actions
On the other side of the enforcement spectrum, several cases of private enforcement under the GDPR have been initiated by NGOs and consumer rights organizations. The possibilities offered by article 80 GDPR, supplemented by relevant national law, are eagerly used in a cross-European class action procedure against Facebook. However, whether this is a trend that will continue still remains to be seen.
About the authors
Stéphanie De Smedt is Senior Associate with Loyens & Loeff and team leader for Belgium of the firm-wide Privacy & Data Protection Team. Stéphanie specializes in IP and data protection law, with a particular focus on the life sciences industry.
Valérie Verstraeten is Associate with Loyens & Loeff and member of the firm-wide Privacy & Data Protection Team. She specializes in IP and data protection law and has built a particular expertise in setting up GDPR-compliance frameworks.