Sept. 5, 2018, Belgium published the law implementing the EU General Data Protection Regulation’s substantive aspects in Belgium. In particular, the law addresses the various areas of national divergence allowed by the GDPR. As a result, the Belgian legal framework for data protection is now complete and is essentially composed of the following:

• The “Institutional Law” (Law of 3 December 2017 establishing the Data Protection Authority);
• The “Substantive Law” (Law of 30 July 2018 on the protection of natural persons with regard to the processing of their personal data);
• The “Collective Redress Law” (Law of 30 July 2018 with various provisions on economic matters, which introduces collective redress action);
• The “Information Security Law” (Law of 5 September 2018 the creation of an Information Security Committee); and
• The “Camera Law” (Law of 21 March 2018 modifying the Law of 21 March 2017 on the installation and use of cameras).

For private practitioners, the following points are most relevant regarding the impact of this Belgian legal framework, although it is not possible here to review the full framework in detail.

A complex institutional framework and new powers.

The institutional design under Belgium’s data protection framework is multipronged and complex:

• The DPA is composed of no less than six different bodies: an executive board, a secretariat general for daily management, a knowledge center entrusted with advisory powers, an investigative body, a litigation court tasked with a sanctioning power, and a think-tank. The power to impose fines is now given to the DPA under the Institutional Law, in accordance with Article 58 and 83 of the GDPR. The previous Privacy Commission did not have such power.
• An Information Security Committee has been set up to take over the role of certain sectoral committees previously established under the DPA. This Committee’s task is essentially to determine the data that can be shared and under what security conditions for matters relating to federal authorities and as concerns public welfare and health matters.
• Regional bodies to monitor processing by regional authorities have also been established by some (but not all) regional entities, as Belgium is a federal state.
• Other specific authorities are in charge of monitoring the GDPR compliance of certain public authorities (like intelligence and law enforcement authorities, etcetera).

Thus, in practice, controllers and processors will need to navigate an elaborate institutional framework, for example, in the event of a compliance investigation. Other national specificities, such as Belgium’s multilingual nature, which triggers specific rules on the use of languages by the public authorities, will add to that complexity.

Territorial scope. The reach of the Substantive Law mirrors Article 3 of the GDPR on territorial scope. In this respect, the Substantive Law applies to the activities of a controller or processor established (i) in Belgium, or (ii) outside the European Union but that processes data relating to individuals located in Belgium (provided it also offers goods or services or does profiling in Belgium).

Applying national exceptions under the GDPR. The Substantive Law, furthermore, reflects national exceptions foreseen under the GDPR. These exceptions range from lighter to more restrictive measures, and in particular:

• Age of consent for minors (Article 8 GDPR): The age of consent for information society services is reduced to 13 years, which is the lowest so far within the EU (along with the UK).
• DPO designation requirement (Article 37 GDPR): For the most part, the Substantive Law does not extend the obligation to appoint data protection officers beyond the cases foreseen by the GDPR. The notable exceptions to the appointment of DPOs concern companies that process personal data either (i) obtained from or on behalf of federal public authorities, or (ii) for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes (provided that such companies intend to limit the rights of data subjects). In both cases, the DPO requirement reflects the concern that such types of processing pose high risks to the rights and freedom of individuals.
• Handling of genetic, biometric, and health-related data (Article 9(4) GDPR): The Substantive Law introduces additional requirements for processing genetic, biometric, and health-related data, including requirements to (i) list the types of individuals who have access to such data; and (ii) ensure that these individuals are subject to legal, statutory or other similar confidentiality obligations.
• Exceptions regarding criminal convictions (Article 10 GDPR): The Substantive Law lists the limited cases where the GDPR prohibition does not apply to processing of personal data relating to criminal convictions and offenses.
• Processing by public authorities in relation to certain offenses (Article 83.7 GDPR): The Substantive Law also implements Directive 2016/680/EU on data processing in relation to criminal offense and thereby regulates the processing of personal data by public authorities such as law enforcement and custom authorities. It also exempts all public authorities from fines imposed by the DPA. In addition, restrictions under the IFC Law are placed on the extent of data subject rights in relation to public authorities carrying out investigations (tax, trade, etc.).
• Regulating archiving and processing for research and statistical purposes (Article 89 (2) GDPR). The Substantive Law regulates processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes when controllers wish to limit the rights of data subjects as foreseen in Art. 89 §2 and §3 GDPR.
• Flexibility for academic, artistic and literary expression purposes (Article 85 GDPR). The Substantive Law further foresees broad derogations when processing is carried out for the purposes of academic, artistic and literary expression.
• Retaining strict protection of national registry number (Article 87 GDPR). The limitations on access and use of national registry number, as foreseen in the Law of 8 August 1983 on the national registry, remains applicable. Typically, such numbers cannot be accessed or used, unless there is a legal obligation to do so, or a specific authorization is obtained from the relevant administration.

International transfers. As a result of the GDPR and the Substantive Law, the following important procedural hurdles to international transfers are lifted: the obligation (i) to notify Standard Contractual Clauses to the data protection authority and (ii) to obtain authorization by Royal Decree for Binding Corporate Rules.

Collective redress and injunctions. The Collective Redress Law implements an opt-out system, whereby collective action can be brought for categories of persons affected by GDPR violations, even without any express assignment on their part. However, moral and physical damages require an assignment of such claims. Importantly, collective actions in Belgium are open not only to consumers but also to small- and medium-sized undertakings. In both cases, the representative must be well-established (i.e., no “ad hoc” litigation vehicles). Collective actions are likely to focus on data breaches, illicit processing (e.g., absence of consent), and unfair terms and conditions for consumers. To the extent that B2B activities are also implicated, other class actions could emerge, e.g., in relation to processor/controller relationships, such as cloud services.

In addition, the Substantive Law introduces the ability for data subject to obtain an injunction from the Court of First Instance, under an expedited procedure, to mandate the respect of their GDPR rights as well as the termination of any GDPR violations. Nonprofit entities active in data protection for at least three years can represent data subjects in such proceedings as well as before the DPA.

Installation and use of cameras. The Camera Law, as modified in 2018, transferred the obligation to notify the use and installation of cameras from the DPA to law enforcement authorities (via the site www.declarationcamera.be). Additionally, in accordance with GDPR requirements, the Camera Law implements the obligations to maintain a registry, conduct an impact assessment, designate a DPO, and respect the rights of data subjects.