New Bill Amending Various Rules on Data Protection and Electronic Communications

On 5 April 2012, a new bill amending various provisions concerning Electronic Communications (the "Bill") was submitted to the Belgian Parliament. The Bill amends various provisions of the Telecommunications Law (Wet van 17 januari 2003 betreffende de rechtsmiddelen en de geschillenbehandeling naar aanleiding van de wet van 17 januari 2003 met betrekking tot het statuut van de regulator van de Belgische post- en telecommunicatiesector / Loi du 17 janvier 2003 concernant les recours et le traitement des litiges à l'occasion de la loi du 17 janvier 2003 relative au statut du régulateur des secteurs des postes et télécommunications belges). It also modifies various provisions of the Electronic Communications Law (Wet van 13 juni 2005 betreffende electronische communicatie / Loi du 13 juin 2005 relative aux communications électroniques).

As regards data protection, the Bill implements EU Directive 2009/136/EC (amending among other things the ePrivacy Directive) and EU Directive 2009/140/EC of 25 November 2009 (amending several Directives on electronic communications networks and services) and establishes new rules on: (i) data breach notification for electronic communication services; (ii) the use of cookies; and (iii) users' protection against unsolicited phone calls ("Cold Calling").

Data Breach Notification

The Bill establishes an obligation for publicly available electronic communication services (i.e., a service normally provided for remuneration which consists mainly of transmitting signals on electronic communications networks, including telecommunications services and transmission services in networks used for broadcasting) to report security breaches (cfr. Article 4.3 of the amended ePrivacy Directive). This includes an obligation to report breaches affecting personal data. If such a breach occurs, the electronic communication service provider must inform the Belgian Institute for Postal Services and Telecommunications (Belgisch Instituut voor Postdiensten en Telecommunicatie / Institut belge des services postaux et des télécommunications – “BIPT”). In addition, if the breach is likely to affect the privacy of the data subject negatively, the electronic communication service provider must also inform the data subject, unless it can prove that it adopted adequate security measures which make the relevant data illegible to any third party. In other words, the electronic communication service provider may be exempt from the obligation to inform data subjects if it has encrypted the data.

The Bill furthermore details which information needs to be provided to the data subject (if applicable) and to BIPT which may adopt further guidelines on the notification of data breaches.

Finally, the electronic communication service provider is required to keep a record of the data breaches.

In its opinion on the Bill’s provisions that concern data protection, the Belgian Privacy Commission (Commissie voor de bescherming van de persoonlijke levenssfeer / Commission de la protection de la vie privée) acknowledges the fact that data breaches must be notified to BIPT and not to the Privacy Commission. To avoid diverging interpretations of applicable data protection rules, it is of the opinion that the Bill should provide for cooperation between BIPT and the Privacy Commission.

In addition, the Privacy Commission is of the opinion that the rules contained in the Bill are insufficiently clear and requests that more detailed provisions be determined by Royal Decree.

Lastly, the Privacy Commission regrets the exemption from the obligation to inform data subjects in case the relevant data are encrypted. According to the Privacy Commission, this exemption defeats the purpose of the data breach notification obligation. However, it should be noted that the exemption for encrypted data is also contained in the amended ePrivacy Directive.


The Bill furthermore implements the rules on cookies and spyware contained in the amended Article 5.3 of EU Directive 2002/58/EC. The Bill introduces an opt-in system (i.e., the user’s consent is required to install cookies) to replace the existing opt-out system (i.e., users are deemed to consent unless they choose to opt out). However, for some cookies which have only a technical function or cookies necessary for the performance of a service, opt-in is not required.

The Privacy Commission states that the terms used in the Bill are not sufficiently clear for the average user to understand when consent is due. In addition, it is of the opinion that the rules fail to take account of the real situation, that is in particular the use of standard browser settings, the undesired effect of pop-ups requesting consent and the failure to inform the users.

To remedy these shortcomings in the Bill, the Privacy Commission calls for additional guidance.

Cold Calling

With regard to unsolicited communications, the Bill sets out the rules allowing to opt out of Cold Calling by registering on the opt-out list held by the Belgian Direct Marketing Association.

The Privacy Commission states that the Bill fails to implement the amended Article 13 of Directive 2002/58/EC. This Article provides that the Member States should take appropriate measures to ensure that Cold Calling and other unsolicited communications for the purpose of direct marketing are not allowed (i) either without the consent of the subscribers or (ii) if the users or subscribers objected to such use. The Directive therefore proposes two alternative options from which the Member States must choose one. According to the Privacy Commission, the Bill does not determine the chosen option.