09/12/22

Looking ahead to the Belgian Data Protection Authority’s priorities for 2023

With the end of 2022 in sight, it’s time to look ahead to 2023. The new Executive Committee of the Belgian Data Protection Authority (“Belgian DPA”) communicated its major priorities for 2023 on 15 November 2022. Most of the Belgian DPA's efforts will focus on cookies and data processing officers (“DPOs”). Provided adequate resources are available, the Belgian DPA will examine data protection rules in the context of smart cities. The Inspectorate and the Litigation Chamber will also continue their monitoring actions regarding "data brokers". CMS looks at these key priorities, by putting them in the context of some past and future initiatives in Belgium and the EU.

Key priorities

To carry out its tasks, the Belgian DPA must strike a balance between, on the one hand, good information on the applicable rules (i.e. prevention/awareness-raising) and, on the other hand, their enforcement (i.e. control/sanctions).

Subject to sufficient resources, the following will be the key priorities of the Belgian DPA in 2023:

  • Cookies: Since a harmonized position at European level on this issue is currently lacking, the Belgian DPA will strive to make its position on cookies even more explicit.
    • This comes as no surprise, given how the Court of Justice of the European Union (“CJEU”) Planet49 decision (Case C-673/17) of 1 October 2019 on transparency and cookie consent fuelled data protection authorities across the EU to address the patchwork of guidance in terms of cookies decisions. This was quickly followed by the Belgian DPA fine of 17 December 2019 (regarding a website for legal news) and recent decisions imposing fines on large media companies, such as the decisions of 25 May 2022 and 16 June 2022.
    • The recent wave of cookie decisions, also gave rise to an interesting development: On 21 October 2022, the Belgian DPA issued its first settlement decisions for alleged cookie infringements (Cases 150/2022 and 151/2022 of 21 October 2022), settling for EUR 10.000 per case.
    • In light of the EU-wide initiative and positions of DPAs this year (such as the Austrian DPA, French CNIL, Italian Garante and Danish Datatilsynet) regarding illegal transfers of analytic tools to the US, the Belgian DPA might also speak out about the (illegal) use of these tools and possible additional measures (if any). This currently affects a lot of companies, while we await a ratification of the US commitments. In particular, the Executive Order of 7 October 2022 to implement the EU-US Data Privacy Framework and replacing the invalidated Privacy Shield, which is anticipated for Spring 2023.
    • The IAB Europe saga has not yet finished. The Belgian DPA concluded on 2 February 2022, that IAB Europe was responsible for processing personal data under the Transparency and Consent Framework (“TCF”), a widespread mechanism that facilitates the management of user preferences for online personalized ads. IAB Europe has since appealed the DPA decision 21/2022 before the Market Court (part of the Court of Appeal). Before ruling on the case, the Market Court decided on 7 September 2022 to refer a number of preliminary questions to the CJEU (C-604/22). Further clarifications are expected regarding definitions of personal data and joint controllers.
  • The DPOs: Given that the DPO is the DPA's “ally on the ground”, the DPA will continue to support this crucial role, both in terms of preventive actions (in particular, through highlighting the DPO's role in exercising the rights of complainants), and in terms of monitoring (for example, the Inspectorate will examine the place of the DPO in organizations that are the subject of an investigation).
    • In terms of support for the DPO, on 21 September 2021 the DPO-Connect platform was launched, a collaboration between the Belgian DPA, the Research Group LSTS of the VUB and DPO-pro (the professional federation for Belgian DPOs). This platform is intended to support the DPOs, allow them to participate on the discussion forum, consult documents and request specific advice.
    • The European Data Protection Board has chosen DPO-appointments for its second coordinated enforcement action. This illustrates that examining the role of the designated DPOs is a priority topic for data protection authorities across Europe.
    • In terms of monitoring the place of the DPO, the Belgian DPA fine of 28 April 2020 regarding the position of the DPO previously already dealt with a conflict of interest for a DPO as head of compliance, risk and audit.
  • Smart cities: The DPA would also like to develop preventive actions and enter into dialogue with local actors in the field of "smart cities" (e.g. intelligent transport).
    • It is likely that the Belgian DPA will look into this in light of possible Business to Government (“B2G”) sharing in the smart city context according to the provisions on mandatory data sharing in the Proposal for a Data Act (its trilogue negotiations are not expected to be finalized before Spring 2023).
    • Intelligent Transport Systems (“ITS”) may raise privacy risks arising from the exchange of data between vehicles that can entail the interplay of GDPR, the e-Privacy Directive,ITS legislation (such as the ITS Directive) and the (Proposal) Data Act.  
  • Data Brokers:
    • The Belgian DPA will look at data brokers especially in the context of young people and awareness of their data being sold by such data brokers.
    • Already included in its Direct Marketing Guidance nr.01-2020 (NL / FR), the Belgian DPA has formulated a “check list” for companies using data brokers, urging companies to check:
      • whether the data was collected directly or indirectly from the data subjects;
      • by whom and on the basis of what legal grounds the data was collected;
      • if on the basis of consent, request proof of how and when this consent was obtained; and
      • whether the data subjects were informed and what they were told (i.e. check whether the transfer of their data to your organization or organizations of your category was clearly arranged for your intended use and purposes), how and by whom?
  • Adequate resources for the DPA and possible reform
    • These key priorities for 2023 are carefully formulated in the context of the Belgian DPA’s (and new Executive Committee) budget request for 2023 and therefore on the condition adequate resources will be made available to the Belgian DPA.
    • These priorities are still broadly speaking in line with the previous Strategic Plan for 2020 – 2025 of the Belgian DPA (NL / FR) that focuses on prioritized sectors (Telecom & Media, Government, Direct Marketing, Education and SMEs), prioritized GDPR topics (role of the DPO, legitimacy of processing, data subject rights for citizens) and social themes (photos and cameras, online data protection and sensitive data).
    • On 16 November 2022, the Belgian DPA also published its Annual Report 2021 (NL / FR), specifically addressing that 2021 was a record year in terms of workload for the DPA. The number of incoming files increased dramatically, with 279 requests for advice (+87.25% compared with 2020) and 1928 complaints (+181.46%), the highest number since the creation of the DPA. However, it comes as no surprise that as in 2020, 2021 was also dominated by the Covid-19 crisis, including DPA sanctions for pandemic-related files.
    • The call for more resources comes after a turbulent year in terms of the organization within the Belgian DPA. A draft bill to reform the Belgian DPA was recently referred for advice to the Belgian Council of State on 1 December 2022. The proposal aims to strengthen the functioning of the Belgian DPA, its independence and its capacity for expertise. It further aims to transform the Executive Committee into a collegiate body and to clarify its powers and functioning and to help the Belgian DPA to further monitor compliance with the GDPR.

Tom De Cordier
Partner, Brussels

Deven Dobbelaere
Associate, Brussels

dotted_texture