Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


Chapter: 

II. Surveillance policies

National security, government surveillance and law enforcement

Wiretapping, access to, and interception of communications

Surveillance of communications is regulated under the Law of 30 June 1994.1 Prior to its enactment, there was no specific law on this subject. The law requires permission of a juge d'instruction before wiretapping can take place. Orders are limited to a period of one month. There were 114 orders issued in 1996,2 and reportedly around 1,000 in 2002.3 The law was amended in 1997 to remove restrictions on the use of encryption.4 The Parliament also amended the law in 19985 to force telecommunications carriers to provide greater assistance and to give the juge d'instruction and the Attorney General (Procureur du Roi) more powers. The juge d'instruction now has the authority to request the cooperation of experts or network managers to help decrypt telecommunications messages that have been intercepted. The experts, network managers, etc., risk criminal sanctions if they attempt to refuse to cooperate.

Almost unnoticed, a law enacted in December 2001 bans anonymity for subscribers and users of telecommunications network operators and service providers, although the application of the law is subject to a proportionality requirement. A royal decree may prohibit the exploitation of telecommunications services if they render it impossible to identify the caller or make it otherwise difficult to track, monitor, wiretap, or record communications. With this new rule, the government can now prohibit any telecommunications service that hinders the application of wiretapping laws.6

In 2003, a new royal decree was enacted to implement the 10 June 1998 Law to provide more details about the practical and technical measures that telecommunications network and service providers have to comply with in order to cooperate with law enforcement authorities.7

The Electronic Communications Act also requires telecommunications network operators and service providers to record and store traffic and identification data of their end users for various law enforcement purposes.8 A recent Act covering the data-gathering methods of intelligence services9 has enabled those services to access and use this data for carrying out their mission (Art. 126 of the Electronic Communications Act).The data should be stored for a minimum period of 12 months and a maximum of 36 months.. The Belgian police are officially in favour of a three-year general retention policy.10 However, the implementing royal decree has not been approved yet, despite the obligation for Belgium to transpose the Data Retention Directive by June 2009. First, the Commission issued a negative opinion on the text. The text was then modified accordingly by the government, after which the Commission issued a second, favourable, opinion (Advice n° 20/2009). The approval of the Commission is, however, subject to the introduction of additional safeguards such as limiting the maximum retention period to 12 months, deleting the data at the expiration of the retention period, and defining the concept of "exceptional circumstances". The government has modified the text again but the decree is still pending approval.

In 2009, the number of legal wiretapping increased by 20 percent (from 4,386 to 5,265 requests granted) compared to the previous year as reported by the Ministry of Justice.11

National security legislation

In 2005, the Commission issued an opinion about a draft bill (avant-projet de loi) regarding "Threat Analysis" (Opinion n° 8/2005). The purpose of the bill is to improve the gathering, use, and analysis of information useful for assessing terrorist and extremist threats likely to harm national security, Belgian assets, or the safety of Belgian citizens abroad. To this end, the bill creates a new institution, the Coordination Agency for the Analysis of Threat (Organe de coordination pour l'analyse de la menace, or OCAM). Its job is to coordinate the collection of that information from various security and intelligence government agencies, and evaluate it. The Commission emphasises that this new type of data collection and analysis by law enforcement is highly sensitive due to the grounds on which it is justified (likelihood and probability) and because it operates unbeknownst to the persons concerned. Although it welcomes the government's project because it provides at least a legal basis for this new data processing, the Commission has reservations about the project's compliance with the provisions of the Law on Protection of Personal Data. In this regard, the Commission recommends that the language of the bill be modified so that it specifies more detail (rather than only for "threat analysis") about the purposes for which personal data will be transferred between partner security and police agencies and the OCAM; the bill should determine the criteria to be used to decide whether to proceed with this transfer and better implement the security safeguards surrounding the processing of data; and the bill should also establish guarantees to protect international data transfers among foreign authorities.12 The bill became law in July 200613 and entered into force on 1st December 2006.

Data retention

The Electronic Communications Act currently mandates that telecommunications network operators and service providers store traffic and identification data of their end users for various law enforcement purposes for between 12 and 36 months, including allowing intelligence services to access and gather that type of data in order to carry out their mission.14 The implementing royal decree has not been approved yet, despite the June 2009 deadline by which Belgium was required to transpose the EU Data Retention Directive. The Commission made approval of the Decree subject to the introduction of additional safeguards such as limiting the maximum retention period to 12 months, deleting the data at the end of that period, defining the concept of "exceptional circumstances", and Parliament's completing its assessment of the draft bill and draft royal decree.15 The Belgium ISP Association stated that a period of six months would be enough and asked the government to support the costs for a longer period, saying that failing to do so would raise subscription costs for their customers. The Decree16 is still awaiting approval.17

National databases for law enforcement and security purposes

In the last few years, several cities and municipalities have authorised private companies to collect parking fines for vehicles parked in the street. Before then, only the police had the authority to collect those fines. In order to identify vehicle owners, the private companies required access to a central database that matches licence plates with car owners, access that the courts have considered illegal in several cases. The Constitutional Court voided an attempt by the federal legislator to provide a valid legal basis, after which the Flemish legislator introduced new draft legislation.18

A new law dated 19 May 2010 created a reference database for vehicles19 that indicates which organisation maintains the vehicles' data. The new legislation guarantees the traceability of vehicles on Belgian territory. Its stated objectives include: the development of a mobility plan; the investigation, prosecution, and execution of criminal penalties; the imposition of taxes and indemnities relating both to the registration and to the use, parking, and seizure of vehicles, technical control, and emergency help. In all, 29 reasons are listed.

National and international data disclosure agreements

Alerted by a complaint filed by Privacy International alleging the secret disclosure of millions of records of European citizens undertaken without regard to legal process under data protection law, the Commission began an investigation into the SWIFT case.20 SWIFT is a multinational service provider in the financial sector and its headquarters are established in La Hulpe, Belgium.21 At the request of the US Department of the Treasury, SWIFT systematically transmitted information concerning the financial transactions of millions of European bank clients. It appeared that the US Department of the Treasury periodically addressed warrants to SWIFT in the US. In its opinion of 27 September 2006, the Commission expressed astonishment about the export of information about Belgian citizens to the US and its revelation to the US authorities each time an individual performs an international payment transaction.22 The Commission stated that these practices violate basic provisions of Belgian and European data protection legislation. This opinion was later confirmed by an opinion of the Article 29 Working Party.23 This incident also led the European Parliament to encourage the European Central Bank (ECB) to state its plans for protecting the privacy of wire transfers. In reply, the ECB said that it was not governed by EU law on the protection of personal data (94/46/EC), but by Regulation (EC) No. 45/2001 on the processing of personal data inside EU entities.24

In November 2006, the Commission received a letter from the Belgian Prime Minister requesting advice about a possible agreement with the US covering the transfer of SWIFT data to the US Department of the Treasury. In its second opinion (n° 47/2006), the Commission reminded the Belgian government of the essential principles with regard to transfers of personal data between Europe and the US and suggested a series of possible actions. In June 2007, the Council of Europe and the US reached an agreement on the transfer of personal financial information from SWIFT to the US.25 The agreement stipulates that the US will only obtain information for terrorism investigations; the US will periodically review the information received and delete any unnecessary information from its system; and no information will be kept by the US for longer than five years.26 The Commission issued another decision about SWIFT in December 200827 in which it determined that the company complied with Belgian data protection laws and operated as a delegate ("délégué de fait") for the financial community.28 The Privacy Commission considered that it was the controller who should make sure that adequate safeguards are installed before transferring the data. The Privacy Commission gave credit to SWIFT's attitude, in that it had entered into negotiations with the US government in order to provide safeguards with regard to the quality of data processing. These safeguards included control mechanisms (designation of control officers from SWIFT), limitations on accessed data, the banning of "fishing expeditions", and limitations on further use of such data by US authorities for the purposes of combating terrorism. The Commission considered that SWIFT had acted diligently, and now points to it as a reference for further similar cases.29 It recommends that companies contact the specific Contact Group established between the US and EU authorities to deal with difficult cases.

Cybercrime

In November 2000, the Belgian Parliament enacted a Computer Crime Law.30 The law creates four new crimes: computer forgery ("faux en informatique"), computer fraud ("fraude informatique"), hacking, and sabotage of computer data ("sabotage de données informatiques"). Recent case law tends to temper the harshness of some of the provisions of the new law.31

In December 1999, the Commission issued an opinion on the Computer Crime Bill in which it raised serious concerns about its potential negative impact on the protection of privacy. It recommended certain amendments to the Bill including the establishment of a "police monitoring system", which would report back to the Commission, and a three-year review provision.32 These suggestions were not included in the law, and the data retention provision even goes against the Commission's official opinion. However, the law makes it mandatory to get the Privacy Commission's opinion before any royal decree is enacted on the issue of data retention.

In March 2009, Yahoo! was fined for not disclosing the personal data of individuals involved in a cybercrime investigation.33 A Belgian court rejected Yahoo!'s argument that it was inappropriate for investigators to request the disclosure of personal data from a commercial entity.34 Yahoo! argued further that if the Belgian authorities had contacted the United States government first, as required by the treaty between Belgium and the United States, Yahoo! would not have objected to the order for Yahoo! to release the information.35 The Belgian court held that Yahoo!'s business operations in Belgium required the company to adhere to Belgian laws.36 Yahoo! appealed and was cleared by the Court of Appeals of Ghent. The Court found no basis under Belgian law to compel email service providers to turn over users' data.37

Critical infrastructure

No update to report under this section.

Territorial privacy

Video surveillance

A new law regulates the use of camera surveillance. Enacted on 21 March 2007, it came into force, after a transition period, on 10 June 2010. Several proposals to modify the law have already been introduced,38 and modifications were adopted through the Law of 12 November 2009.39 These modifications aim at regulating police use of mobile cameras.

Location privacy (gps, mobile phones, location based services, etc.)

Nothing to report under this section.

Travel privacy (travel identification documents, biometrics, etc.) and border surveillance

Belgium began a test programme in May 2004 that made it the second country in the world (after Malaysia) to issue passports with an embedded computer chip designed to store personal information.40 The government began issuing these RFID41 passports to the public on 30 January 2005. Passports issued since August 2007 are in full compliance with the European, US, and ICAO[82] standards and recommendations for biometric-based e-passports.42 The RFID chip is currently used to store basic information, such as name, date, and place of birth, passport number, date, and place of issuance, digital photo, and signature. It also supports the ability to store fingerprints, an iris scan, and other biometrics.43 Although the Belgian passport received "the world's most secure passport" award from Interpol in 2003,44 now that it is equipped with an RFID chip it may present new privacy and security risks, including the unauthorised reading of its data.45

In January 2010, the Privacy Commission issued an opinion about the European and US agreement concerning Passenger Name Records (PNRs).46 The Commission regretted that its opinion was not requested until two years after the 2007 PNR agreement, even though the Council of the EU adopted the proposal on 23 July 2007.47 The Commission retains the right to make a further analysis of the execution of the PNR agreement, and requires that it be notified in case of any modification.

National ID and smart cards

Belgium was the first European country to roll out smart ID cards supporting digital signatures at a national level.48 The Belgian electronic identity ("eID") card project, originally called "BELPIC" (which stood for “Belgian Personal Identity Card”), started in 2000. In 2001, the Belgian Council of Ministers (Conseil des ministres) decided to proceed with the further development of an electronic identity card for all Belgian citizens.49 In February 2003, the Belgian Federal Parliament approved the issuance and testing of the proposed eID cards in 11 municipalities (communes). After a positive evaluation of this pilot phase, the federal government decided to roll out eID cards to the rest of the Belgian population.50 The nationwide roll-out started in September 2004. Since September 2005, practically all newly issued ID cards have been eID cards. By the end of 2009, all Belgian citizens had been issued with the new card.

With its eID card, Belgium has created a means by which cardholders can identify and authenticate themselves, as well as provide a qualified electronic signature within the meaning of Directive 1999/93/EC.51 The Belgian eID card is a classic smartcard integrating traditional public key technologies. The card's chip contains a total of five X.509v3 certificates, two of which are tied specifically to the citizen/cardholder.52 The first of these certificates, also referred to as the "authentication certificate," allows cardholders to authenticate themselves online. The second certificate, also known as the "non-repudiation certificate," can be used to produce qualified electronic signatures. The use of both functionalities is protected with a single personal identification number (PIN) that consists of four to six digits that citizens can change themselves.53 Both certificates contain the cardholder's full name and National Registry number.54 One should note that this number acts as a single unique identifier within the Belgian government: save for a limited number of exceptions, the National Registry number is the identifier that is used by all governmental agencies to identify any citizen, regardless of context or sector.

In addition to supporting remote authentication and electronic signatures, the Belgian eID card contains an "identity file" and an "address file". The identify file holds, inter alia, the citizen's name, first names, gender, national registry number, and nationality, as well as the date and location of birth. The address file contains the citizen's last known official address.55 Accessing the content of these files remotely (e.g., in the context of an online transaction) requires both the physical presence of the eID card and specific software on the citizen's computer. When the card is accessed locally, both files are freely accessible (i.e. publicly readable) using standard software tools provided by the government.

Belgium currently issues three types of electronic identity cards: eID cards for Belgian citizens of age 12 or older, "Kids-ID cards", and foreigners' eID cards. A Kids-ID card is issued upon request by the parent or legal guardian of a child younger than 12.56 The Kids-ID was introduced to improve the security of identity and travel documents (as compared to paper certificates). A Kids-ID is valid for three years (a classic eID card is valid for five or ten years). Children older than six can use the Kids-ID to authenticate themselves, e.g. when accessing a chat Web site. The nationwide roll-out of the KidS-ID started on 16 March 2009, following the Ministerial Decree of 3 March 2009.57 As of January 2010, all Belgian municipalities only issue Kids-IDs for Belgian citizens younger than age 12. The foreigner's eID card can be issued to any foreigner with a residence permit. Practically all features of the foreigners' eID cards are identical to those of the classic Belgian eID card. The only difference lies in the fact that the identity file of the foreigner's eID card indicates the nationality of the holder.58

The introduction of the Belgian eID card triggered reactions from both the Belgian Privacy Commission and civil liberties organisations. The Commission expressed multiple concerns, inter alia the potential disclosure of the national number to entities that have not been authorised to process it (Opinion n° 19/2002); the inclusion of a digital picture that can be easily copied (Opinion n° 19/2002); the likelihood of excessive registration of the information stored on the eID card, both because it's likely that citizens will be asked increasingly often to present their eID card and because registration of the information stored on the card is easy enough to make it likely that registration will take place even when not strictly necessary (Opinion n° 8/2003); and access to the identity file by the private sector (Opinion n° 8/2003).

Other critics complained that the e-commerce identity of Internet users should not be linked to day-to-day authentication; that the integration of data has the potential to damage users' integrity and rights, and that the fact that the Belgian government handed the operational aspects of the project over to a private company59 jeopardises citizens' privacy rights.60

In 2009, the SNCB (Belgium's national railway company) introduced the ability to use the eID as a virtual train ticket61 by linking the citizen's National Registry number with the ticket number, despite users' privacy concerns.62

Rfid

In 2009, the Commission for the Protection of Privacy (the Commission) issued an opinion clarifying the application of Data Protection Law to RFID systems processing personal data.63

The Brussels public transportation company, the STIB (Société des Transports Intercommunaux de Bruxelles), launched the "MoBIB" card in 2008. The new card uses radio frequency identification technology and in the course of 2011 is scheduled to replace all magnetic cards currently in use. It is also expected to be adopted soon by other Belgian mass transit companies (SNCB, DeLijn, and TEC). RFID technology experts64 and at least one human rights organisation, the Human Rights League (Ligue des droits de l'Homme), have criticised the way the MoBIB RFID system has been implemented, asserting that it violates the Data Protection Law, while the Commission has emphasised the importance of the compliance of public transportation companies using RFID systems with technical and security measures, rather than implementing a processing system that would allow tracking of their customers.65 The critics assert that the MoBIB system violates Belgian data protection law: STIB customers have no option of travelling anonymously; MoBIB users have no opportunity to withhold consent to tracking; the technical and security measures used so far have proved inadequate; and there is a lack of proportionality between the personal data collected and further processed, and the purposes for which they are used.66 STIB's answer rejected all these arguments.67

Bodily privacy

No updates to report under this section.

Footnotes

  • 1. Loi du 30 juin 1994 relative à la protection de la vie privée contre les écoutes, la prise de connaissance et l'enregistrement de communications et de télécommunications privées, available at http://www.cass.be/cgi_loi/legislation.pl.
  • 2. "Ecoutes: une pratique décevante et flamande ! Le résultat judiciaire des écoutes téléphoniques est médiocre. La Chambre va modifier la donne", Le Soir, 12 December 1997, available at http://www.lesoir.be.
  • 3. The increase in wiretaps is partly due to the higher number of types of communications that the police are now able to intercept, from regular landline telephones, to mobile phones, SMS messages, facsimiles, satellite communications, emails, chat sessions, etc. Filip Verhoest, "'Meest geavanceerde' telefoontapkamer van Europa in gebruik genomen. Boeven afluisteren in stereo," 13 May 2003, De Standaard; see also Ricardo Gutiérrez, "La Belgique se dote de grandes oreilles," Le Soir, 12 May 2003, available at http://www.lesoir.be/articles/a_03E4C3.asp.
  • 4. Chapitre 17, Loi modifiant la loi du 21 mars 1991 portant réforme de certaines entreprises publiques économiques afin d'adapter le cadre réglementaire aux obligations en matière de libre concurrence et d'harmonisation sur le marché des télécommunications découlant des décisions de l'Union européenne, 19 December 1997, available at http://www.cass.be/cgi_loi/legislation.pl.
  • 5. Loi du 10 juin 1998 (adding Art. 88bis, 90ter et seq. to the Code of Criminal Procedure (Code d'instruction criminelle)), modifiant la loi du 30 juin 1994 relative à la protection de la vie privée contre les écoutes, la prise de connaissance et l'enregistrement de communications et de télécommunications privées, 10 June 1998, available at http://www.cass.be/cgi_loi/legislation.pl ; see "Le GSM en toute sécurité ? Pas sà»r", Le Soir, 20 February 1998, available at http://www.lesoir.be.
  • 6. The wording of the law is so vague that a decree might prohibit any kind of anonymisation software and the use of proxies by ISPs, since they all make the identification or tracking of communications "difficult," Etienne Wéry, "Surfer anonymement devient illégal en Belgique", 18 March 2002 http://www.droit-technologie.org/actuality-527/surfer-anonymement-devien....
  • 7. Arràªté royal du 9 janvier 2003 portant exécution des articles 46bis, § 2, alinéa 1er, 88bis, § 2, alinéas 1er et 3, et 90quater, § 2, alinéa 3, du Code d'instruction criminelle ainsi que de l'article 109ter, E, § 2, de la loi du 21 mars 1991 portant réforme de certaines entreprises publiques économiques, available at http://www.just.fgov.be/cgi/article_body.pl?language=fr&caller=summary&p.... For more information, see generally Patrick Van Eecke & Jos Dumortier, Elektronische Handel (Die Keure, Brugge 2003).
  • 8. Such as the pursuit and repression of criminal offences, criminal investigations, the fight against malevolent calls to emergency services, and investigations carried out by the Telecommunication Mediation Service in cases related to malevolent uses of electronic communication networks or services.
  • 9. Act of 4 February 2010 (Loi du 4 février 2010 relative aux méthodes de recueil des données par les services de renseignement et de sécurité), Moniteur belge (Belgian State Gazette), 10 March 2010.
  • 10. The European Commission made strong critiques of the law before its enactment. However, most of its critiques were not addressed, and most of them rejected without adequate motivation. Some of the European Commission's critiques mentioned that the law was too vague and could not be considered a "law" pursuant to current case law of the European Court of Human Rights (ECHR). The European institution also specified that the law, by not restricting the strictures within which the government has to implement data retention measures, is too vague and gives the government carte blanche to act in a discretionary fashion. According to the European Commission, the data retention provision of the Belgian law is also disproportionate with respect to the Court of Justice of the European Community's case law. One has to note that, even though the new EU Directive on Privacy and Electronic Communications allows EU Member States to allow data retention for a reasonable period, the Belgian law, as it is now written, could be considered in violation of current ECHR's case law. For more information, see European Commission, Opinion regarding Belgian bill on computer crime ("Notification 2000/151/B – Projet de loi relatif à la criminalité informatique – Emission d'un avis circonstancié au sens de l'article 9, paragraphe 2 de la Directive 98/34/CE du 22 juin 1998 – Emission d'observations au sens de l'article 8, paragraphe 2 de la directive 98/34/CE"), June 2000, appended to the Parliamentary report of the Justice Commission, Chamber of Representatives of the Belgian Parliament, 19 October 2000, DOC 50 0213/011.
  • 11. "Les écoutes téléphoniques en hausse de 20%", La Libre, 11 May 2010, available at http://www.lalibre.be/actu/belgique/article/582071/les-ecoutes-telephoni....
  • 12. Id.
  • 13. Act of 10 July 2006 concerning threat analysis, Moniteur belge (Belgian State Gazette), 20 July 2006. The Act has been completed by a royal decree approved on 28 November 2006, Moniteur belge (Belgian State Gazette), 1st December 2006.
  • 14. Act of 4 February 2010 (Loi du 4 février 2010 relative aux méthodes de recueil des données par les services de renseignement et de sécurité), Moniteur belge (Belgian State Gazette), 10 March 2010.
  • 15. The Commission also claimed that a public report needs to be made public each year, in order to assess if data retention is necessary and in what conditions it had been used, and commented on the text itself to clarify the "exceptional circumstances" when the data can be kept more than 24 months. See Opinion n° 20/2009 of 1st July 2009, demande d'avis relatif à l’avant-projet de loi et au projet d’arràªté royal en matière de rétention de données et au projet d'arràªté royal relatif à l'obligation de collaboration (A/09/012), available in French at http://www.privacycommission.be/fr/docs/Commission/2009/avis_20_2009.pdf.
  • 16. Draft Law on Data Retention of 27 August 2009, available in French and Flemish at http://bewaarjeprivacy.be/sites/bewaarjeprivacy.be/files/20090827_MvT__V....
  • 17. Maartje De Schutter, "Update on the Belgian Transposition of the Data Retention Directive", EDRi-gram, No. 8.3, 10 February 2010, http://www.edri.org/edrigram/number8.3/belgium-data-retention-draft-law.
  • 18. See Constitutional Court n° 59/2010, 27 May 2010. See also Opinion n° 37/2008 of 29 November 2008 relating to the previous draft legislation of the Privacy Commission.
  • 19. Law of 19 May 2010 establishing a reference database for vehicles, Moniteur belge (Belgian State Gazette), 28 June 2010 (2nd ed.).
  • 20. Privacy International, "PI Launches Campaign to Suspend Unlawful Activities of Finance Giant", 28 June 2006 http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-538985.
  • 21. http://www.swift.com.
  • 22. Decision Nr. 37/2006, available in French and Dutch at www.privacycommission.be. See also Privacy International, "Belgian Prime Minister Condemns SWIFT Data Transfers to US as 'Illegal'", 28 September 2006 http://www.privacyinternational.org/article.shtml?cmd%5B347%5D=x-347-543789.
  • 23. Opinion of 22 November 2006, available at http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2006/wp128_en.pdf.
  • 24. Reply of European Central Bank, January 30, 2007, available at http://www.europarl.europa.eu/comparl/econ/questions_ecb/econ_january.pdf.
  • 25. Processing and protection of personal data subpoenaed by the Treasury Department from the US based operation centre of the Society for Worldwide Interbank Financial Telecommunication (SWIFT), 28 June 2007, available at http://www.epic.org/privacy/pdf/swift-agmt-2007.pdf.
  • 26. Id.
  • 27. Décision, "Contrà´le et procédure de recommandation initiés à l'égard de la société SWIFT scrl", 9 December 2008, available at http://www.privacycommission.be/fr/static/pdf/cbpl-documents/swift---pro....
  • 28. The decision finds in first instance that it is the financial community and the banks that are liable for compliance with most data protection rules. "Belgium Privacy Commission Publishes Decision on 'SWIFT Case,'" supra. The Privacy Commission recalled that whereas the transfer of personal data from SWIFT's EU-based to US-based offices could benefit from the certification of SWIFT under the Safe Harbor framework, this regime could not apply to the transfer of personal data to US law enforcement authorities for national security purposes since the transfer fell outside the scope of application of the Data Protection Directive (95/46/EC). In this specific case, the Belgian Privacy Act remained, however, applicable to data processing for national security purposes.
  • 29. Fanny Coudert & Geert Somers, International Transfers of Personal Data – Treatment of Personal Data Transfers in Europe – Belgium, International Privacy Guide, Vol. I, West - Thomson Reuters, November 2009, at 88-106.
  • 30. Loi du 28 novembre 2000 relative à la criminalité informatique, Moniteur belge (Belgian State Gazette), 3rd February 2001, available at http://www.cass.be/cgi_loi/legislation.pl.
  • 31. SeeJeoffrey Vigneron, "Pour la première fois, un juge belge applique la "nouvelle" loi sur la cybercriminalité", 26 January 2004 http://www.droit-technologie.org/1_2.asp?actu_id=881.
  • 32. Opinion n° 33/99 by the Belgian Privacy Commission (Commission de la protection de la vie privée), available in French at http://www.privacy.fgov.be /">http://www.privacy.fgov.be /.
  • 33. EDRI-gram, No. 7.5, "Yahoo Penalised in Belgium for not Disclosing Personal Data," 11 March 2009 http://www.edri.org/edri-gram/number7.5/belgium-decision.
  • 34. Id.
  • 35. Id.
  • 36. Id.
  • 37. "Gand: Yahoo! acquitté en appel de ne pas avoir transmis des données à la justice", Le Vif L’Express, 30 June 2010, available at http://levif.rnews.be/fr/news/belga-generique/gand-yahoo-acquitte-en-app....
  • 38. See proposal approved in the Senate in June 2009, and proposal n° 2076/004 thereafter introduced in the Chamber.
  • 39. Law of 12 November 2009 modifying the law of 21 March 2007 for the position and the use of surveillance cameras, Moniteur belge (Belgian State Gazette), 18 December 2009 (and erratum 26 March 2010).
  • 40. BBC Worldwide Monitoring, "Passport Acquires Chip", 19 May 2004.
  • 41. Radio frequency identification.
  • 42. Rudi Veestraeten, Oversight Hearing on "October 2005 Statutory Deadline for Visa Waiver Program Countries to Produce Security Passports: Why It Matters to Homeland Security", Committee on the Judiciary, US House of Representatives, 20 April 2005, available at http://commdocs.house.gov/committees/judiciary/hju20711.000/hju20711_0f.htm.
  • 43. Id.
  • 44. Id.
  • 45. Jim Waldo, Alan Ramos, Weina Scott, William Scott, Doug Lloyd & Katherine O'Leary, "A Threat Analysis of RFID Passports – Do RFID Passports Make Us Vulnerable to Identity Theft?”, ACM Queue, 1 October 2009. See also Ari Juels, David Molnar & David Wagner, "Security and Privacy Issues in E-Passports," IEEE SecureComm 2005, available at http://www.cs.berkeley.edu/~dmolnar/papers/RFID-passports.pdf.
  • 46. Avis n° 01/2010 du 13 janvier 2010, avis d’initiative relatif au projet de loi portant assentiment à l'Accord entre l'Union européenne et les à‰tats-Unis d'Amérique sur le traitement et le transfert de données des dossiers passagers (données PNR) par les transporteurs aériens au Ministère américain de la sécurité intérieure (DHS) (Accord PNR 2007), fait à Bruxelles le 23 juillet 2007 et à Washington le 26 juillet 2007, available at http://www.privacycommission.be/fr/docs/Commission/2010/avis_01_2010.pdf.
  • 47. Agreement between the United States of America and the European Union on the Processing and Transfer of Passenger Name Record (PNR) Data by Air Carriers to the United States Department of Homeland Security (DHS) (2007 PNR Agreement), 23 July 2007, available at http://www.dhs.gov/xlibrary/assets/pnr-2007agreement-usversion.pdf.
  • 48. "Belgium Plans Digital ID Cards," "Belgium Plans Digital ID Cards," BBC News Online, 4 October 2003 http://news.bbc.co.uk/2/hi/technology/2295433.stm and TB6/SINCE Interoperability Group, Open Smart Cards Infrastructure for Europe, eESC Common Specifications v2; Volume – Part 3, 18 February 2004, available at http://www.eurosmart.com/Update/Download/February04/SINCE_survey.pdf.
  • 49. "Documents d'identité" http://www.elections.fgov.be/index.php?id=2589&no_cache=1&L=0&no_cache=1....
  • 50. Arràªté royal du 1er septembre 2004 portant la décision de procéder à l’introduction généralisée de la carte d’identité électronique, Moniteur belge (Belgian State Gazette), 15 September 2004, at 67.527, available at http://www.droit-technologie.org/redirect.asp?type=legislation&legis_id=.... See also "La Belgique adopte la carte d'identité électronique," NetEconomie.com, 7 September 2004 http://www.neteco.com/49483-la-belgique-adopte-la-carte-d-identite-elect... ; Etienne Wéry & Sébastien Mélardy, "La Belgique généralise la carte d'identité pour l'ensemble de la population," 21 September 2004 http://www.droit-technologie.org/actuality-814/la-belgique-generalise-la....
  • 51. See Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community Framework for electronic signatures, O.J., L 13, 19 January 2000, at 12. (Brendan Van Alsenoy & Danny De Cock, "Due Processing of Personal Data in eGovernment? A Case Study of the Belgian Electronic Identity Card", Datenschutz und Datensicherheit, March 2008, at 178, available at http://www .fidis.net/fileadmin/fidis/publications/2008/DuD-2008-03-Due-processing-of-personal-data-in-eGove rnment.pdf.
  • 52. Danny De Cock, Koen Simoens & Bart Preneel, "Insights on Identity Documents Based on the Belgian Case Study", Information Security Technical Report, 2008, at 56.
  • 53. Brendan Van Alsenoy & Danny De Cock, supra at 178, and Danny De Cock, Koen Simoens & Bart Preneel, supra, at 56. The remaining three certificates can be used to check the validity of the address file, the identity file, as well as the two citizen certificates.
  • 54. This number can be characterised as a "meaningful" identifier because two of its three components refer to personal attributes of the citizen in question: the first six digits refer to the citizen’s date of birth, the following three refer to a sequence number (whereby odd values refer to males, even to females); the last two digits form a checksum to detect typing errors. Art. 1-3 of the Royal Decree of 3 April 1984, Moniteur belge (Belgian State Gazette), 21 April 1984. See also Brendan Van Alsenoy & Danny De Cock, supra, at 179.
  • 55. For a complete overview of information contained in the identity file of the Belgian electronic eID card see Danny De Cock, Koen Simoens & Bart Preneel, supra, at 56.
  • 56. The Royal Decree of 18 October 2006, Moniteur belge (Belgian State Gazette), 31 October 2006) sets the scene of the electronic identification document for children below the age of 12 years, and changes the Royal Decree of 10 December 1996 regarding identity documents and identity proofs for children below the age of 12 years. The most recent decree replaces for children the paper identity documents with their electronic equivalent.
  • 57. This ministerial decree was published in Moniteur belge (Belgian State Gazette), 11 March 2009.
  • 58. Children of foreigners younger than age 12 cannot be issued a Kids-ID card, even if their parent (or other legal guardian) has a Belgian residence permit. They can only be issued a paper-based identification document from the municipality in which they are registered.
  • 59. Security firm Ubizen, acquired by Cybertrust and more recently by Verizon Business.
  • 60. "Belgium Plans Digital ID Cards," supra.
  • 61. http://mobile.b-rail.be/en/Novelties/Use-your-Belgian-e-ID-as-ticket.
  • 62. "Lancement de la campagne sur la carte d'identité électronique", La Libre, 22 April 2009http://www.lalibre.be/actu/belgique/article/497217/lancement-de-la-campa....
  • 63. Commission de la protection de la vie privée (Commission for the Protection of Privacy), Avis d'initiative relatif à la RFID n° 27/2009 du 28 octobre 2009 (A/2009/003), 28 October 2009, available at http://www.dice.ucl.ac.be/~fstandae/mobib/CPVP_RFID_2009.pdf.
  • 64. Franà§ois-Xavier Standaert http://www.dice.ucl.ac.be/~fstandae/mobib/ [contains a list of the key documents about MoBIB and related legal and security considerations].
  • 65. Commission de la protection de la vie privée (Commission for the Protection of Privacy), Recommandation n° 01/2010 du 17 mars 2010 relative aux principes de base à respecter dans le cadre de l’utilisation de la télébilletique par les sociétés publiques de transport en commun (A-2010-003), 17 March 2010, available at http://www.dice.ucl.ac.be/~fstandae/mobib/CPVP_e-tickets_2010.pdf.
  • 66. Franà§ois-Xavier Standaert, Franck Dumortier, Franà§ois Koeune & Antoinette Rouvroy, "Carte MoBIB – Un bon exemple de mauvaise mise en Å“uvre", available at http://www.dice.ucl.ac.be/~fstandae/mobib/IEB_2010.pdf ; Ligue des droits de l'Homme, "Carte MOBIB: ma vie privée ne voyage pas en commun", September 2010 http://www.liguedh.be/index.php?option=com_content&view=category&layout=....
  • 67. STIB, "MOBIB respecte la vie privée" http://www.stib.be/corporate.html?l=fr&news_rid=/STIB-MIVB/INTERNET/ACTU....