The draft act on "the creation of the Data Protection Authority" was adopted by the Chamber of Representatives in its plenary session on 16 November 2017. The act aims to bring the current Belgian Privacy Commission in line with the General Data Protection Regulation.
As of 25 May 2018, companies that process personal data must comply with the General Data Protection Regulation ("GDPR"). The penalties for non-compliance, including significant fines of up to EUR 20,000,000 or 4% of the total worldwide annual turnover of a company, are already well known (Article 83 of the GDPR).
On 23 August 2017, the Government submitted a draft act which converts the Privacy Commission into a Data Protection Authority ("DPA") with the necessary powers (among other things) to enforce these sanctions (see the Explanatory Memorandum in Dutch and French). On 16 November 2017, this draft act was adopted in the plenary session of the Chamber of Representatives (see the adopted text in Dutch and French).
While the current Privacy Commission focuses on its advisory role, the new DPA will be a true supervisory authority, with full powers in the field of investigation and prosecution. Giving advice and providing information to individuals, companies and policymakers on how to comply with data protection legislation remains a priority competence of the DPA. If, however, the legislation is not complied with, the DPA can start an investigation and carry out inspections which can lead to corrective measures and ultimately to administrative fines.
In order to be able to carry out these new tasks in an efficient manner, the act provides for a particular structure for the Data Protection Authority. From now on, the DPA will be composed of six internal bodies:
- The executive committee determines the general policy and the priorities of the DPA.
- The general secretariat manages the daily support tasks.
- The first line service receives and deals with complaints and requests, and examines their admissibility.
- The knowledge centre provides advice and recommendations with regard to technological developments that may have an impact on the processing of personal data.
- The inspection service is responsible for investigation and has extensive investigative powers (hearings, on-site investigation, consultation of computer systems, seizure, etc.).
- The dispute chamber will act as the administrative body of the DPA and is empowered, among other things, to impose administrative fines. Decisions of the dispute chamber can be appealed before the Market Chamber of the Brussels Court of Appeal.
In addition to these bodies forming the DPA, the draft act provides for the establishment of an independent reflection council, consisting of representatives of the business world, professional federations, consumer organisations and the academic world. If necessary, the reflection council will be consulted by the DPA and will provide non-binding advice on all issues regarding the protection of personal data.
Finally, the new DPA will no longer host sectoral committees granting prior authorisations. These committees granted authorisations for access to personal data in certain databases or for the exchange of personal data between databases. All processing authorisations previously granted by the sectoral committees will nonetheless remain valid, without prejudice to the potential supervisory powers of the DPA.
The Data Protection Authority is scheduled to be in operation by 25 May 2018. However, various aspects of its functioning still need to be regulated in more detail, so it remains to be seen whether that deadline will be met.