III. Privacy topics
Internet and consumer privacy
Since 2003, the use of email for direct marketing purposes is prohibited without the prior, free, specific, and informed consent of the recipients in compliance with the EU Directive on Electronic Commerce,1 transposed by the Law of March 11, 2003,2 and with the EU Electronic Communications and Privacy Directive.3 Further spam provisions were implemented by the royal decree of April 4, 2003.4 The deadline for the implementation of the Directive expired on 31 October 2003, and subsequently the European Commission launched infringement proceedings against Belgium for failing to transpose the remaining provisions into national law. In April 2005, Belgium's failure to transpose the Directive was upheld in a judgment of the European Court of Justice. In June 2005, Belgium finally adopted its Law on Electronic Communications.5 Belgium has now fully implemented the EU Directive on Privacy and Electronic Communications of 2002.6
At the end of 2000, IFPI Belgium, the recording industry trade association, started tracking people downloading and uploading music files from MP3 audio file-sharing Web sites such as Napster, Gnutella, and KaZaa. In a move that left many Belgian music fans outraged, IFPI entered into simple "gentlemen's agreements" with Internet service providers,7 outside any legal framework, to get the names and addresses of high-speed Internet connection subscribers in order to send them personalised letters threatening them with legal action if they did not stop engaging in file-sharing. In November 2001, the Privacy Commission released an initial opinion8 severely condemning the way IFPI had behaved with respect to the protection of people's privacy and stating that IFPI had violated several Belgian and European telecommunications privacy and data protection laws.9
In June 2007, the Belgian Society of Authors, Composers, and Publishers (SABAM) won a case against the ISP Scarlet Extended SA in which the court ruled that Scarlet would be required to use Audible Magic filtering technology to stop the spread of music on P2P networks.10 Scarlet was given six months to comply with the order. The Court of First Instance of Brussels ruled that such filtering would not violate user privacy nor create a general expectation of network surveillance. Scarlet appealed the decision. The Court of Appeals of Brussels, aware of the impact of filtering on fundamental rights such as privacy, confidentiality of communications, and freedom of expression, as well as the societal impact of its decision, decided to ask the European Court of Justice a few prejudicial questions before rendering its judgement. These questions bear upon whether the Copyright directives, read together with the E-commerce Directive (which refers to the principle of net neutrality), the Data Protection and e-Privacy and Electronic Communications directives, and Articles 8 (privacy) and 10 (freedom of expression) of the European Convention of Human Rights, would allow a national judge to order an ISP to implement "in abstracto," for preventive purposes, without time limit, and at the ISP's cost, a system that would filter all electronic communications to block the exchange of files protected by copyright (music, movies, or audiovisual content).11 If the European Court of Justice answered affirmatively, the Brussels Court intended to then ask whether the national judge should apply the principle of proportionality when assessing the efficiency and the deterrent effect of the measure. 
Whereas SABAM initially tried to use the ruling of the Court of First Instance to convince other ISPs to follow suit,12 it has now changed strategy and is pushing for the adoption of a new piece of legislation similar to the French "Hadopi"13 law14 that would legitimise Internet filtering for copyright enforcement purposes.15
The Commission has adopted guidelines to help organisations comply with their security obligations under the Law on Protection of Personal Data of 1992 (Opinion n° 48/2003). The concrete implementation of these standards, however, is left to the controller, who carries out this task on the basis of the specific needs of the company, taking into account the following aspects: the nature of the personal data processed and of the data processing; the requirements in terms of confidentiality, integrity, and availability; the specific legal requirements; the size of the entity (including the number and profile(s) of persons likely to access the data); the significance and complexity of the information systems, computer systems, and applications involved; the openness of the entity and the possibility of accessing the data from the outside; and the risks involved for the entity and the persons.16 When part of the data processing is sub-contracted, the same security obligations as those the controller's entity must meet must be included in the contract.
The standard security measures put forward by the Privacy Commission include the drafting of a security policy, the appointment of a security officer, the implementation of organisational and physical security measures, the security of networks and logical access, the logging, tracking, and monitoring of access, the follow-up of security measures, the implementation of adequate incident response and business continuity schemes, and the keeping of complete and up-to-date records on data security.17
Online behavioural marketing and search engine privacy
In September 2007, the Commission issued an opinion on profiling practices made possible by interactive TV, which includes not only on-demand TV services, but also provides access to e-government, gaming, email applications, etc. (Opinion n° 29/2007).
In February 2007, following a lawsuit brought by Copiepresse (the Belgian newspaper association) on 22 September 2006, Google was ordered18 to remove Belgian newspaper content from its search engine results and is no longer allowed to reference articles, pictures, or drawings.19 In July 2007, the Court of First Instance of Brussels ordered a Belgian ISP to implement technical measures in order to prohibit its users from illegally downloading music files.20 The appellate decision is pending, however, until the European Court of Justice decides upon its interpretation of the Copyright Directive in light of the E-Commerce, Data Protection, and e-Privacy and Electronic Communications directives, as well as Articles 8 and 10 of the ECHR. In July 2008, Copiepresse initiated another complaint against the European Commission (EC) claiming copyright infringement through the "NewsBrief" and "NewsExplorer" aggregation services.21 The Brussels Court, however, found that only institutions with a Europe-wide jurisdiction would have the authority to deal with the matter, and so the Court could not rule on whether the European Commission had infringed Belgian copyright rules.22
Online social networks and virtual communities
Nothing to report under this section.
Online youth safety
Nothing to report under this section.
After almost a year of negotiations, a national collective labour organisation of employers and employees' representatives (the Conseil national du travail) eventually agreed on common rules regulating electronic surveillance of workers' computers in the workplace. The collective labour agreement (called "Convention collective de travail" or CCT) entered into force on June 29, 2002 through a royal decree23 and applies to all employers and employees in the country. It determines how to apply the existing and enforceable European and Belgian general data protection regulations to the specific setting of the workplace by ensuring the workers of fairness, information, and compliance with the basic data processing principles of proportionality, purpose specification, and transparency.24 In an earlier opinion on the same topic,25 the Data Protection Authority had referred to general principles: the prohibition of the interception of telecommunications, proportionality and transparency, balance of interests, and limited storage of personal data. Another CCT was released in 1998 to regulate the surveillance of workers by video cameras.26 The Commission also issued an opinion on the use of badges and on employee tracking by means of GPS systems. The Commissioner concluded that continual surveillance of employees is disproportionate and unnecessary, particularly the use of badges that collect both geographic identifiers and biometric identifiers.27
Health and genetic privacy
In August 2002, a new law was enacted that better protects patients' privacy rights by giving them, e.g., the right to be clearly informed about the state of their health, to consent to any medical interventions, and to have access to their medical files.28 There are also laws relating to consumer credit,29 social security,30 electoral rolls,31 the national ID number,32 professional secrets,33 and employee rights.34
The Council of Ministers accepted the principle of electronic information exchange in health care in 2004. The actual development of the "eHealth-platform", however, only came into existence with the federal Law of 21 August 2008. The eHealth-platform is described as "a secured electronic exchange platform where care providers, health care organisations, collective insurance organisations, government authorities, and patients may exchange information in confidence and in full respect of their privacy". Article 6 of the Law expressly states that it does not derogate from data protection legislation, the legislation relating to patients' rights, or the legal and regulatory provisions relating to medical practice. Use of the platform is not mandatory. The idea is for the platform to provide some basic services, such as encryption of data exchanges, a system of user and access management, the encoding and anonymisation of information, time stamping, and a reference directory. The latter indicates, once the patient's consent has been obtained, where what information, about which patient, is stored, so that the system does not need to store the medical records itself. The National Registry number, the identification number used by the Social Security administration, will be used to identify most patients.35 Every communication sent to or from the platform requires the Social Security and Health Committee's authorisation. A royal decree may determine which data shall be transmitted electronically by government entities for the execution of their tasks to the platform and which data they may receive.
A labour court of appeals confirmed that a victim of an accident at work had the right to access his medical file held by the physician controlling his labour capacity.36
No developments to report under this section.
Bank secrecy is still the law in Belgium under the "Code des impôts sur les revenus 1992" but a 2009 bill named "Van Der Maelen-Mathot"37 intends to give more access rights to financial investigators, including to personal banking information. In March 2010, the Privacy Commission issued an opinion38 that included recommendations for improving the bill, especially clarifying the scope of investigation and the terminology used in the bill.
- 1. Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on Certain Legal Aspects of Information Society Services, in particular Electronic Commerce, in the Internal Market, available at http://www.ebu.ch/CMSimages/en/leg_ref_ec_directive_e_commerce_080600_tc....
- 2. Loi du 11 mars 2003 sur certains aspects juridiques des services de la société de l'information, Moniteur belge (Belgian State Gazette), 17 March 2003, at 12960-12970, available at http://www.droit-technologie.org/3_1.asp?legislation_id=142.
- 3. For more information, see generally Thibault Verbiest, "La loi belge enfin adoptee!," Droit et Nouvelles Technologies, 22 April 2003 http://www.droit-technologie.org/1_2.asp?actu_id=747 ; and Jos Dumortier & Mieke Loncke, "Ongevraagde Reclame langs Elektronische Post", 21 Mediarecht, Telecommunicatie en Telematica, at 43-74 (Mechelen 2003).
- 4. Royal Decree of 4 April 2003 regulating advertising by electronic mail, Moniteur belge (Belgian State Gazette), 28 May 2003.
- 5. Law of June 13, 2005 on electronic communications, Moniteur belge (Belgian State Gazette), 20 June 2005.
- 6. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201, 31 July 2002.
- 7. Olivier Van Vaerenbergh, "L'IFPI poursuit, mais la justice renâcle – Napster: plaintes en Belgique," Le Soir, 16 February 2000, available at http://www.lesoir.be.
- 8. Avis No. 44/2001 of 12 November 2001, Avis d'initiative concernant la compatibilité de la recherché d'infractions au droit d'auteur commises sur Internet avec les dispositions juridiques protégeant les données à caractère personnel et les télécommunications, available at http://www.privacy.fgov.be. For comments, see Etienne Wéry, "La Commision vie privée n'aime pas les manières de l'IFPI de traquer les pirates sur l'internet", 17 December 2001 http://www.droit-technologie.org/1_2_1.asp?actu_id=497.
- 9. The Commission de protection de la vie privée found that IFPI had violated Belgian data protection law of 8 December 1992, Belgian telecommunications privacy laws, and EU Directive 2000/31/EC on electronic commerce. See Avis No. 44/2001, supra.
- 10. SABAM v. SA Scarlet (formerly Tiscali), Tribunal de Première Instance de Bruxelles, 29 June 2007, available at: http://cedriclaurant.files.wordpress.com/2010/12/tpi_bruxelles-070629.pdf.
- 11. SA Scarlet Extended v. SABAM, Cour d'Appel de Bruxelles, 28 January 2010, No. RG 2007/AR/2424, available at http://cedriclaurant.files.wordpress.com/2010/12/cour_appel_bruxelles-10....
- 12. Nate Anderson, "Belgian ISP must filter P2P music; files appeal," 23 July 2007 http://arstechnica.com/news.ars/post/20070723-belgian-isp-must-filter-p2....
- 13. Acronym of "Haute autorité pour la diffusion des œuvres et la protection des droits sur Internet".
- 14. Loi ("Hadopi") n° 2009-669 du 12 juin 2009 favorisant la diffusion et la protection de la création sur internet, JORF n° 0135 of 13 June 2009, at 9666, available in French at http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT0000207354... ; available in English at http://www.laquadrature.net/wiki/HADOPI_full_translation.
- 15. Etienne Wery & Thibault Verbiest, "Que faire du piratage musical ? La Belgique rêve de "son" Hadopi," Droit et Technologies, 1st February 2010 http://www.droit-technologie.org/actuality-1297/que-faire-du-piratage-mu....
- 16. Fanny Coudert & Geert Somers, International Transfers of Personal Data – Treatment of Personal Data Transfers in Europe – Belgium, International Privacy Guide, Vol. I, West – Thomson Reuters, November 2009, at 88-106.
- 17. Ibid.
- 18. Google Inc. v. Copiepresse SCRL, High Court of Brussels (Tribunal de Première Instance de Bruxelles) of 13 February 2007, No. 06/10.928/C, available at http://cedriclaurant.files.wordpress.com/2010/12/copiepresse_google-0702....
- 19. EDRI-gram, No. 5.13, "Belgium Court Backs Decision against Google", February 2007 http://www.edri.org/edrigram/number5.3/google-belgium. See generally Philippe Laurent, "Brussels High Court Confirms Google News' Ban – Copiepresse SCRL v. Google Inc. - Prohibitory Injunction/Stop Order of the President of the High Court of Brussels, 13 February 2007 [opposition procedure against the first default stop order by the same President]", Computer Law & Security Report 23 (2007) 290-293, also available at http://www.crid.be/pdf/public/5512.pdf.
- 20. EDRI-gram, No. 5.14, "Belgium ISP Ordered by the Court to Filter Illicit Content", July 2007, http://www.edri.org/edrigram/number5.14/belgium-isp.
- 21. EDRI-gram, No. 5.14, "Copiepresse Attacks EC for Copyright Infringement, but Gets Dismissed", July 2008 http://www.edri.org/edrigram/number6.14/copiepress-european-commission.
- 22. Civ. Bruxelles (cess.), 2nd October 2008, R.G. n° 2008/2443/A.
- 23. Arrêté royal rendant obligatoire la Convention Collective de Travail No. 81 du 26 avril 2002, conclue au sein du Conseil National du travail, relative à la protection de la vie privée des travailleurs à l'égard du contrôle des données de communication électroniques en réseau, Moniteur belge (Belgian State Gazette), at 29489-29501, available at http://www.droit-technologie.org/legislation-109/arrete-royal-rendant-ob....
- 24. See Bertrand Géradin, "La convention collective de travail relative à la protection de la vie privée des travailleurs à l'égard du contrôle des données des communications électroniques en réseau du 26 avril 2002", 14 June 2002 http://www.droit-technologie.org/redirect.asp?type=dossier&dossier_id=77....
- 25. Privacy Commission (Commission de la protection de la vie privée), Avis d'initiative relatif à la surveillance par l'employeur de l'utilisation du système informatique sur le lieu de travail, opinion No. 10, 3rd April 2000, available at http://www.privacy.fgov.be.
- 26. Convention Collective de Travail n° 68 relative à la protection de la vie privée des travailleurs à l'égard de la surveillance par cameras sur le lieu de travail, 16 June 1998, available at http://www.privacy.fgov.be/textes_normatifs/cct-68_FR.pdf. See generally on recent developments in workplace privacy, Olivier Rijckaert, "Surveillance des travailleurs: nouveaux procédés, multiples contraintes", in Orientations, "L’employeur et la vie privée du travailleur," n° spécial 35 ans, at 41 et seq. (2005), available at http://www.droit-technologie.org/redirect.asp?type=dossier&dossier_id=14....
- 27. Ninth Annual Report of the Article 29 Working Party on Data Protection, June 2006, available at http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2006/9th_annual....
- 28. See Loi du 22 août 2002 relative aux droits du patient (Law on Patient's Rights of 22 August 2002), available at http://www.cass.be/cgi_loi/legislation.pl ; see also Dominique Mayerus & Pascal Staquet, Actualité en détail: "La loi du 22 août 2002 relative aux droits du patient", DroitBelge.Net, 8 October 2002 http://www.droitbelge.be/actualites.asp?display=detail&id=81.
- 29. Loi du 12 juin 1991 relative au crédit à la consommation, available at http://mineco.fgov.be/protection_consumer/Credit/law_credit_011.pdf ; l'arrêté royal du 11 janvier 1993 modifiant l'arrêté royal du 20 novembre 1992 relatif à l'enregistrement par la Banque Nationale de Belgique des défauts de paiement en matière de crédit à la consommation, available at http://www.cass.be/cgi_loi/legislation.pl.
- 30. Loi du 15 janvier 1990 relative à l'institution et à l'organisation d'une banque-carrefour de la sécurité sociale. Modified by the loi du 29 avril 1996, available at http://www.privacy.fgov.be/textes_normatifs/loicarrefour.PDF.
- 31. Loi du 30 juillet 1991, available at http://www.users.skynet.be/psetranger/moniteur.htm.
- 32. Loi du 8 août 1993: le registre national, available at http://www.privacy.fgov.be/textes_normatifs/loiregistre.PDF.
- 33. Article 458 of the Penal Code.
- 34. See Roger Blanpain, Employee Privacy Issues: Belgian Report, 17 Comp. Lab. L. 38, Fall 1995. Employers generally have no right to obtain medical information from their employees unless the information is absolutely necessary for the appropriate fulfillment of the employee's obligations under the employment contract.
- 35. See also Privacy Commission (Commission de la protection de la vie privée), Opinion no. 14/2008, available at http://www.privacycommission.be.
- 36. Labour Court of Appeals, 5 March 2009, Computerrecht 2009/6, at 260.
- 37. Proposition de loi du 16 octobre 2009 modifiant certaines dispositions du Code des impôts sur les revenus 1992 relatives à la levée du secret bancaire, introduite par messieurs Dirk Van Der Maelen et Alain Mathot, Doc. Parl. Chambre, DOC. 52, 2205/001.
- 38. Privacy Commission (Commission de la protection de la vie privée), Opinion n° 12/2010 of 31 March 2010, Proposition de loi modifiant certaines dispositions du Code des impôts sur les revenus 1992 relatives à la levée du secret bancaire (A-2010-005), available at http://www.privacycommission.be/fr/docs/Commission/2010/avis_12_2010.pdf.