Belgium has long been one of the low risk EU Member States in terms of data protection enforcement. Aside from the fact that pragmatism can be considered part of a Belgian’s nature, this view was also due to the fact that the Belgian DPA, the Privacy Commission, could be termed as one of those so-called ‘toothless tigers’.
As De Standaard reports, it seems this is now about to change, with the Privacy Commission set to follow the example of the Dutch DPA by adopting a more severe enforcement strategy.
Until now, the Privacy Commission did not pro-actively investigate companies or sectors, despite the fact that the Belgian Privacy Act grants them such powers. However, the Privacy Commission has recently decided to establish a team of inspectors who will actively search for companies that process personal data in a non-compliant manner. It seems the Privacy Commission is finally adopting an approach which the CNIL has been applying for a number of years, with the idea being that each year a specific sector would be subject of increased scrutiny.
In addition, anticipating the adoption of the Regulation, the Privacy Commission has called upon the Belgian legislator to grant it more robust enforcement powers. Currently, if a company is found to be in breach of the Belgian data protection laws, the Privacy Commission has a duty to inform the public prosecutor. However, in practice criminal prosecution for data protection non-compliance is virtually non-existent and leads to de facto impunity. This could drastically change if greater enforcement powers are granted to the Privacy Commission.
In the wake of the coming Regulation, this new enforcement strategy does not come as a surprise. In addition, earlier this year, Belgium faced a couple of high-profile mediatised data breach cases for the first time. Both the Ministry of Defense, the Belgian railroad company and recruting agency Jobat suffered a massive data leak. More recently, the massive hacking of Belgacom’s affiliate BICS gave rise to a lot of controversy. It would appear that these cases highlighted to the Privacy Commission the limits of its current powers .
However, if even a pragmatic DPA, such as the Privacy Commission, starts adopting a more repressive enforcement strategy, it is clear that the days of complacency are fading. Organisations processing personal data really cannot afford to wait until the Regulation becomes effective in the next few years. They will have to make sure they have done their homework immediately, as it seems the DPA’s won’t wait until the Regulation becomes effective to show their teeth.