The Belgian Constitution recognizes the right of privacy and private communications.[661] Article 22 states, "Everyone has the right to the respect of his private and family life, except in the cases and conditions determined by law...The laws, decrees, and rulings alluded to in Article 134 guarantee the protection of this right." Article 29 states, "The confidentiality of letters is inviolable... The law determines which nominated representatives can violate the confidentiality of letters entrusted to the postal service." Article 22 was added to the Belgian Constitution in 1994. Prior to the constitutional amendment, the Cour de cassation ruled that Article 8 of the European Convention applied directly to the law and prohibited government infringement on the private life of individuals.[662]
The Data Protection Act of 1992 governs the processing and use of personal information in Belgium. Amending legislation to update the 1992 Act and make it consistent with the European Union (EU) Data Protection Directive was approved by the Parliament in December 1998.[663]A Royal Decree (Arrêté royal) to implement the Act was approved in July 2000. The Decree, as a whole, broadens the scope of application of the law by extending the definition of 'processing,' determines how special categories of data may be processed, and reinforces data subjects' rights. The Decree was finally adopted in February 2001, and the law came into effect in September 2001. Two months after the entry into force of the new data protection regime, the government announced that it had put in place an Observatoire des droits de l'Internet (the Internet Rights Observatory)[664] in order to better assess and analyze the impact of the Internet on the economy and consumer protection. The Observatory aims, through its composition, at being an open forum for all Internet stakeholders, and will issue advisory opinions and annual reports, organize a dialogue between economic actors, and inform the public.[665] A recent survey found out that, while ninety percent of Belgian web sites collect personal data, fifty-five percent of them display a privacy policy, although some of those policies are unclear, incomplete and hard to find on the site.[666]
The Commission de la protection de la vie privée (the Commission) oversees the law.[667] The Commission investigates complaints, issues opinions and maintains the registry of personal files.[668] In 1999 and 2000, the Commission answered approximately 800 complaints and requests for information per year.[669] In 2001, this number increased to reach almost 1,100. The number of public requests also increased from about 6,200 in 1999 to about 7,400 in 2001. The Commission has issued in the last four years a number of recommendations relating to workplace privacy,[670] video surveillance,[671] the compatibility of the ten-yearly census survey with the Belgian privacy regulations,[672] the protection of privacy in the context of electronic commerce,[673] the regulation of direct marketing under the data protection legal framework,[674] the recording by banks of their customers' telephone communications,[675] the use of electronic communications for electoral advertising purposes,[676] etc. As of 2001, there are only 19 permanent staff members compared to 28 in 2000.[677]
In 2002, the Commission was asked to assess whether the upload on the Internet of a 'black list' of renters[678] by the Syndicat National des Propriétaires (National Association of Property Owners) was legal. In its opinion, the data protection authority found the database illegal under the 1998 Data Protection Act, and that it required prior legislative action to authorize it - if it were to be authorized - and determine the conditions of access.[679]
After opening a "boîte à spam" (spam mailbox) for three months at the end of 2002 to store the unsolicited commercial e-mails spontaneously forwarded by Belgian Internet users, the Commission released a study on 'spam' in July 2003 which assesses the phenomenon of spam in Belgium. The Commission found out that most of the e-mails come from abroad - mainly from the United States - and details the measures it has taken to combat illegal spam. The report also outlines spammers' obligations under the Data Protection Act of 1998 and provides legal and practical advice for data subjects receiving unsolicited commercial e-mails.[680]
Surveillance of communications is regulated under a 1994 law.[681] Prior to its enactment, there was no specific law. The law requires permission of a juge d'instruction before wiretapping can take place. Orders are limited to a period of one month. There were 114 orders issued in 1996,[682] and, reportedly, around 1,000 in 2002.[683] The law was amended in 1997 to remove restrictions on encryption.[684] The Parliament also amended the law in 1998[685] to require greater assistance from telecommunications carriers and to give the juge d'instruction and the Attorney General ('Procureur du Roi') more powers. The juge d'instruction now has the authority to request the cooperation of experts or network managers to help decrypt telecommunications messages which have been intercepted. The experts, network managers, etc. cannot refuse providing cooperation; criminal sanctions are possible in cases of refusal. The law also provides that telecommunications network operators and telecommunications service providers have to record and store calling data ('données d'appel') and telecommunications services subscribers' identification data for future law enforcement authorities' needs during a minimum period of twelve months. The law is very vague as to the duration of data retention ("a certain time") and would not prevent an implementing decree from increasing this period for much longer. The Belgian police are officially in favor of a three-year general retention policy.[686] That decree is still being drafted by the Ministry of Justice and Telecommunications and would implement some of the provisions of the recent European Union Directive on Privacy and Electronic Communications (2002/58/EC).[687] In 2003, a new royal decree was enacted to implement the June 10, 1998 Law to provide more details about the practical and technical measures that telecommunications network and service providers have to comply with to cooperate with law enforcement authorities.[688] In 1995, the Belgian Government admitted spying on the peace and environmental movements.[689]
In November 2000, the Belgian Parliament enacted a Computer Crime Law.[690] The law creates four new crimes computer forgery ('faux en informatique'), computer fraud ('fraude informatique'), hacking, and sabotage of computer data ('sabotage de données informatiques'),
In December 1999 the Commission de la protection de la vie privée had issued an opinion on the Computer Crime Bill, in which it raised serious concerns about its potential negative impact on the protection of privacy. It recommended certain amendments to the Bill including the establishment of a "police monitoring system," which would report back to the Commission, and a three-year review provision.[691] These suggestions were not included in the law, and the data retention provision even goes against the Commission's official opinion. However, the law provides that the Privacy Commission's opinion is mandatory before any royal decree is enacted on the issue of data retention.
Almost unnoticed, a law, enacted in December 2001, bans anonymity for subscribers and users of telecommunications network operators and services providers, while the application of the law is, however, subject to a proportionality requirement. A royal decree may prohibit the exploitation of telecommunications services if they render the identification of the caller impossible, or otherwise make it difficult to track, monitor, wiretap, or record communications. With this new rule, the government can now prohibit any telecommunications service that hinders the application of the wiretapping laws.[692]
After almost a year of negotiations, a national collective labor organization of employers and employees' representatives (the Conseil national du travail) could eventually agree on common rules regulating the electronic surveillance of workers' computers in the workplace. The common agreement (called convention collective de travail or CCT) has entered into force on June 29, 2002 through a royal decree[693] and applies to all employers and employees in the country. It provides for rules implementing to the specific setting of the workplace the already existing and enforceable European and Belgian general data protection regulations, by ensuring the workers of fairness, information, and compliance with the basic data processing principles of proportionality, purpose specification, and transparency.[694] The data protection authority had released earlier an opinion[695] on the same topic in which it refers to the general principles applicable: a general prohibition of the interception of telecommunications, proportionality and transparency, balance of the interests and limited storage of personal data. Also in the field of workplace privacy, another CCT was released in 1998 to regulate the surveillance of workers by video surveillance cameras.[696]
In August 2002, a new law was enacted that better protects patients' privacy rights by giving them, e.g., the right to be clearly informed about their health state, to consent to any medical interventions, and to have access to their medical files.[697]
There are also laws relating to consumer credit,[698] social security,[699] electoral rolls,[700] the national ID number,[701] professional secrets,[702] and employee rights.[703]The Constitution recognizes that "everyone has the right to consult any administrative document and to have a copy made, except in the cases and conditions stipulated by the laws, decrees, or [regional council decrees].[704] There are Freedom of Information laws, implementing this constitutional right, on the right of access to administrative documents on the national,[705] regional,[706] and community levels.[707] The basic exemptions to the general rule of access are public security, the protection of fundamental rights, international interests, public order, security or defense, confidentiality, privacy, etc. Each jurisdiction has a Commission d'Accès aux Documents Administratifs which oversees the act.
From the end of 2000, IFPI Belgium, the recording industry trade association, started tracking people downloading and uploading music files from MP3 audio file-sharing web sites such as Napster, Gnutella or KaZaa. In a move that left many Belgian music fans outraged, IFPI collaborated by simple 'gentlemen's agreements'[708], and outside any legal framework, with Internet service providers (ISPs) to get the names and addresses of high-speed Internet connection subscribers in order to send them personalized letters threatening them with legal action if they did not stop their file-sharing practices. In November 2001, the Privacy Commission released an initiative opinion[709] severely condemning the way IFPI had behaved with respect to the protection of people's privacy, noticing that they were violating several Belgian and European telecommunications privacy and data protection laws.[710]
In October 2002, the Belgian government decided to create a digital identity card (BELPIC or Belgian Personal Identity Card) with a digital certificate embedded on it, that will, according to the government, allow Belgians to communicate online and conduct secure transactions with government agencies and perform e-banking. Under the plan, every Belgian citizen would have to get an identification card with his or her name, photograph and two digital certificates. One would be used for authentication, the other as a signature.[711] Belgium is the first country in Europe to embed a digital signature in an ID card.[712] In February 2003, the Parliament approved the introduction of BELPIC and the new chipcards are currently being tested in eleven municipalities (communes) until September 2003.[713] The new ID card has been criticized by the Commission[714] and civil liberties organizations as presenting a serious threat to individuals' privacy.[715]
Belgium has implemented the EU Directive on Electronic Commerce (2000/31/EC)[716] by a Law of March 11, 2003.[717] This law adopts the principle of 'opt-in' for the sending of unsolicited e-mails and SMS messages.[718]
Belgium is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[719] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[720] It is a member of the Organization for Economic Cooperation and Development (OECD) and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The government signed, but has not ratified, the Council of Europe Cyber-crime Convention in November 2001.