I. Legal framework
Constitutional privacy and data protection framework
The Belgian Constitution recognises the right of privacy and private communications Article 22 prohibits government infringement on the private life of individuals by stating that, "Everyone has the right to the respect of his private and family life, except in the cases and conditions determined by law...1
The Constitution protects the confidentiality of letters (Article 29). This article does not, however, apply to electronic communications. The secrecy of electronic communications is explicitly protected under the Electronic Communication Act.2
The Constitution also contains a provision protecting the freedom of the press. Article 25 states that "The press is free; censorship can never be established; a surety bond from authors, publishers, or printers cannot be demanded."
Privacy and data protection laws and regulations
The Law on Protection of Personal Data of 1992 (or 'Data Protection Act') governs the processing and use of personal information in Belgium. Amending legislation to update the 1992 Act and make it consistent with the European Union (EU) Data Protection Directive was approved by the Parliament in December 1998.3 It received a royal decree (Arràªté royal) and was adopted in February 2001; it entered into force in September of the same year, further implementing the Data Protection Act.4 The royal decree specifies the conditions under which personal data can be further processed for historical, statistical, or scientific purposes; sets additional requirements for the processing of sensitive data and the processing of data not collected directly from the individual; specifies the modalities of individuals' rights (access, rectification, deletion); and further explains notification obligations. The royal decree also sets out penalties ranging from fines (Articles 37-39), publication of a judgment in a newspaper after conviction (Article 40), confiscation of filing systems, and orders to erase data (Article 41).
See below under the relevant thematic sections.
Data protection authority
The Commission for the Protection of Privacy (Commission de la protection de la vie privée, or Commission) oversees the application of the Data Protection Act and reports directly to the Parliament.5 The Commission investigates complaints, issues opinions, and maintains the registry of personal files.6 In 2008, the Commission answered 363 complaints and 2,096 requests for information.7 Complaints give way to a mediation by the Commission. In 2008, 44 percent of mediations have focused on consumer credit contracts and the related registration in the central credit database (Centrale des crédits aux particuliers) held by the National Bank. Requests for information have mainly concerned video surveillance (14 percent), marketing software for financial and commercial actors (12 percent), public authorities and privacy (12 percent), data protection in work relationships (11 percent), and credit files (9 percent). The number of public requests for information also increased from about 6,200 in 1999 to about 7,400 in 2001, and 2,096 in 20088. As of June 2010, there are 55 permanent members of staff,9 compared to 34 in 2004, 19 in 2001, and 28 in 2000.10
Sector committees have been established within the Commission by Belgian law, either the general Privacy Act or sector-specific acts. Each Committee is charged with overseeing privacy practices in a specific sector and is made up of Commission members and experts familiar with the sector in question. There are currently six sector committees, one for each of: the National Registry; the Social Security and Health; the Federal Authorities; the Crossroads Bank of Enterprises ("Banque-Carrefour des Entreprises"), the central database that contains all relevant information about enterprises); the Phenix Sector Oversight Committee, which supervises privacy in the judiciary; and the Statistical Oversight Committee.
The Commission has issued a number of recommendations11 relating inter alia to workplace privacy (Opinion n° 10/2000), video surveillance (Opinions n° 34/99, n° 3/2000, n° 4/2004, n° 10/2005, n° 31/2006, n° 22/2007), the compatibility of the census survey (conducted every ten years) with Belgian privacy regulations (Opinion n° 37/2001), the protection of privacy in the context of electronic commerce (Opinion n° 34/2000), the regulation of direct marketing under the data protection legal framework (Recommendation n° 4/2009),12 the recording by banks of their customers' telephone communications (Recommendation n° 01/2002), the use of electronic communications for electoral advertising purposes (Opinion n° 7/2003), the project of royal decree regarding the model contract on matrimonial brokerage, publication of facial images (particularly in a school context) (Opinion no 33/2007), user and access management in e-government (Recommendation n° 1/2008), the processing of biometric data (Opinion n° 17/2008), information collected from candidates for house rentals (Recommendation n° 1/2009), draft legislation relating to the use of biological material (Opinions n° 10/2009, n° 16/2009 and n° 17/2009), and e-ticketing (Recommendation n° 1/2010), etc.13
In 2009, the Commission began releasing recommendations for rules regarding the secondary use of information gathered for different public purposes. For example, a sociologist completing a study of gender and class in the criminal justice system will only be able to make use of a public database that collects the names of individuals working in the criminal justice system for the purpose of maintaining employee records if the researcher follows the Commission's recommendations.14
Major privacy and data protection case law
In March 2009, Yahoo! was fined by a Belgian court for not disclosing the personal data of people involved in a cybercrime investigation.15 Yahoo! argued that investigators could not legally make this request and that Belgian authorities should have contacted the US government first, as required by a treaty between both countries. In late 2010, an appeals court overturned the decision, holding that the US email service provider could not be compelled under law to provide users' data to Belgian law enforcement authorities.16
- 1. Article 22 was added to the Belgian Constitution in 1994. Prior to this constitutional amendment, the Supreme Court (Cour de cassation) had already held that Article 8 of the European Convention of Human Rights found direct application in the Belgian legal system. Cour de cassation, 26 September 1978.
- 2. Act of 13 June 2005 on Electronic Communications, Moniteur belge (Belgian State Gazette), 20 June 2005, at 28.070.
- 3. Act concerning the Protection of Privacy with regard to the Treatment of Personal Data Files, December 8, 1992 (Loi relative à la protection des données à caractère personnel du 8 décembre 1992) as amended by the Act of 11 December 1998 transposing EU Directive 95/46/EC of 24 October 1995, available at http://www.law.kuleuven.ac.be/icri/itl/12privacylaw.php.
- 4. Royal Decree of 13 February 2001, Moniteur belge (Belgian State Gazette), 13 March 2001, at 7839-7919.
- 5. Privacy Commission (Commission de la protection de la vie privée) homepage http://www.privacycommission.be/.
- 6. As of 30 June 2004, there were 23,883 records in the Commission's registry. Email from An Machtens, Conseiller POMIS, Commission de la protection de la vie privée, to Cédric Laurant, Policy Counsel, Electronic Privacy Information Center (EPIC), 12 July 2004 (on file with EPIC).
- 7. Privacy Commission (Commission de la protection de la vie privée), Annual Report for 2008, available at http://www.privacycommission.be/fr/static/pdf/annual-reports/rapport-ann....
- 8. Id.
- 9. Email from An Machtens, supra.
- 10. Emails from Hannelore Dekeyser and Anne-Christine Lacoste, supra.
- 11. All opinions of the Commission are available in Dutch and French at http://www. privacycommission.be. In this report we refer to the number of the advice and the year so you can easily retrieve the document from the Web site.
- 12. See also SPF Economie, "Le spamming en 24 questions et réponses", http://economie.fgov.be/fr/binaries/spamming_brochure_fr_tcm326-31741.pdf.
- 13. These recommendations and opinions can be found at the Web site of the Privacy Commission (in French and Dutch) at http://www.privacycommission.be/nl/decisions/.
- 14. "La Commission de la protection de la vie privée formule des recommandations dans le cadre de traitements ultérieurs", available at http://www.privacycommission.be/fr/decisions/commission/processing_recom....
- 15. EDRI-gram, No. 7.5, "Yahoo Penalised in Belgium for not Disclosing Personal Data," 11 March 2009 http://www.edri.org/edri-gram/number7.5/belgium-decision.
- 16. "Gand: Yahoo! acquitté en appel de ne pas avoir transmis des données à la justice", Le Vif Lâ€™Express, 30 June 2010, available at http://levif.rnews.be/fr/news/belga-generique/gand-yahoo-acquitte-en-app....