The new Belgian Data Protection Authority: leaner and (probably) meaner

Patrick Van Eecke and Peter Craddock

On 25 May 2018, the Belgian Privacy Commission will be renamed “Belgian Data Protection Authority” (BDPA) and will gain the power to impose fines. This is part of a comprehensive reform approved by the Belgian Parliament on Thursday 16 November 2017.

Among the changes, the BDPA will be headed by 5 full-time commissioners, compared to 16 part-time commissioners currently, and still presided for the time being by Willem De Beuckelaer (the current President). Its team of 60 people will be downsized and reorganised, with the aim of making more resources available to build an investigation team and to build up digital expertise.

In addition, the BDPA will be assisted by an advisory committee on technical matters, to be composed of academics and private-sector members. This committee will keep the BDPA appraised of technological evolutions.

The Belgian Minister of Privacy, Philippe De Backer, stated that he has observed much uncertainty in Belgium with respect to the practical implementation of the General Data Protection Regulation (GDPR). As a result, he asks the BDPA to initially focus on improving awareness and understanding of the GDPR.

In accordance with the GDPR, the BDPA will also have the power to impose fines. However, following the Minister of Privacy, the BDPA’s core approach should be conciliatory. In the event of an infringement of the GDPR, the case will generally be closed if the infringing undertaking takes the necessary corrective measures rapidly. Conversely, where an investigation concludes that there are multiple infringements or a systematic disregard for the GDPR, the BDPA would have the option to impose fines directly. Fines would thus be reserved for cases where they are needed, and would not be seen as a way of filling the State treasury.

These changes are welcome, as they will allow the BDPA to be more flexible and able to tackle issues regarding the GDPR more efficiently. In particular, the position of the Minister of Privacy about “first solving, then fines” will be of some reassurance to organisations that are still in the process of getting ready for the GDPR.

For further questions, please get in touch with Patrick Van Eecke (patrick.vaneecke@dlapiper.com) or Peter Craddock (peter.craddock@dlapiper.com)