Greetings from Brussels!

As reported through the European Commission Press Corner on Wednesday, the EU executive made the decision to send a letter of formal notice to Belgium for violation of Article 52 of the GDPR. This is the provision concerning a supervisory authority’s independence, which states that authorities shall act with complete independence in performing their tasks and exercising their powers in accordance with the regulation. Belgium becomes the first member state to be subject to such formal proceedings since the implementation of the GDPR. A more detailed media report can be found here.

The procedure comes on the heels of two anonymous complaints against the supervisory authority made to Didier Reynders, the EU Commissioner for Justice, who, incidentally, is a Belgian national. In March, Reynder's office sent a letter to the Belgian authorities expressing concerns that the Belgian data protection authority was not independent. The warning letter did not yield a satisfactory response in the view of the European Commission, which has now led to a formal notice.

One of the main contentions of the complaints is that four members of the Belgian DPA were simultaneously exercising public political functions reporting and/or providing opinions to national ministers on potentially "data dependent" legislative matters and therefore in breach of the independence requirement of their regulatory positions. Two of those officers have since resigned from their regulatory posts.

I will say this — it is not unusual, given the complexity of the Belgian political infrastructure, for public officials to hold two or three mandates. Moreover, according to the local media, the Belgian federal parliamentary legal services released a report this week stating there is a clear conflict of interest risk regarding the concerned regulatory officers, which could ultimately constitute an infringement of the national legal civil code. The EU executive’s formal notice should in theory elicit more information and remedy of the situation. The DPA has two months to guarantee the independence of its functions or incur additional action on the part of the EU. It will also be interesting to see how the Belgian government, and especially the parliament (which appoints and rejects the senior members of the authority), will deal with this now highly politicized affair. 

In other Belgian data protection news, the parliamentary health committee approved a federal bill this week concerning the special processing of personal data with a view to tracing and examining clusters and communities to limit the spread of COVID-19 to the workplace. This cooperation agreement will facilitate data sharing arrangements between the federal government and other national public service entities. Concretely, the national social security office will be able to collect national ID numbers, dates of screening tests, and the postal codes of citizens and residents who test positive for COVID-19. Moreover, the national social security office will have access to "passenger locator form" data of non-resident workers who carry out activity in the country. Belgian resident passenger locator forms — and additional data sets — may also be accessed by the competent national inspectors for monitoring purposes.

There has been quite some backlash from MPs and political parties expressing concern over the bill's alignment with the GDPR since its inception. The ministerial decree which effectively allows for the correlation of social security and health data was previously attacked by both the Belgian human rights league and the DPA before the Council of State, citing a lack of legal basis and clear purpose limitation specific to the nature of the data processing. Consequently, in April, the Council of Ministers adopted something equivalent to a "memorandum of understanding" which serves as the basis for the cooperation agreement. We will have to wait and see if there will be further political fallout from this legislative move by the government.