Back to school: Brushing up on your data protection lessons

As you may recall, in January 2016, on the occasion of the international “Data Protection Day”, we sent a news update reflecting on the highlights in the field of privacy and data protection in 2015 and briefly looked ahead at what to expect for 2016.

Now that the summer holidays are over and as work, school, court cases, and legislative discussions resume, we would like to take a moment to reflect on the four topics listed in our 2016 outlook:

1.  Data Retention

In June 2015, following the invalidation of Data Retention Directive 2006/24/EC by the EU Court of Justice on 8 April 2014, the Belgian Constitutional Court declared the data retention obligations for electronic communications service providers invalid.

A draft bill reintroducing data retention requirements in the electronic communications sector was introduced in Parliament in January 2016, was been approved on 4 May 2016, and entered into force on 28 July 2016.

Among other things, the following data retention obligations have been introduced:

  • Operators must retain the following categories of data that are generated / processed by them in the frame of the services offered (including data resulting from unsuccessful call attempts):
    • Identification data relating to the end-user and the means of communication used – retention for 12 months as from the date on which the communication is for the last time available via the service used;
    • Data relating to the access by and connection of the end-user equipment with the network / service, and location of the end-user equipment – retention for 12 months as from date of the communication;
    • Communication data (excl. content of the communications) – retention for 12 months as from date of the communication;

This retention obligation does not cover the content of the communications. Only a limited list of public authorities may request access to the retained data.

  • Obligation to create a “Coordination Unit” within each operator / service provider, responsible for dealing with access requests;
  • Additional requirements including, among others, an obligation to ensure quality and security of retained data, to take appropriate technical and organisational measures to secure the retained data (including technological security (encryption) measures), to retain the data on the territory of the EU, to maintain a record of all access requests, allowing traceability of the access granted to the retained data, etc.


The negotiations on the EU General Data Protection Regulation (the “GDPR”) gradually progressed towards a consensus. On 15 December 2015, the European institutions finally agreed on a uniform wording for the GDPR. On 27 April 2016, the text of the GDPR was formally adopted.

The GDPR introduces a number of new obligations for both data controllers and data processors. Among other things, it contains data breach reporting obligations, enhanced transparency and accountability obligations, the obligation to designate a data protection officer, to carry out privacy impact assessments, to implement privacy by design andprivacy by default measures, etc.

These new obligations will become effective on 25 May 2018. Non-compliance may lead to administrative fines up to EUR 20,000,000 or 4% of the infringer’s annual global turnover.

For more information, read our monthly updates on the subject, available via the following link.

3. EU-US Data Transfers

In its judgment of 6 October 2015, the EU Court of Justice declared the European Commission’s decision that established the ‘adequacy’ of the Safe Harbour certification system for EEA-US data transfers invalid. On 1 February 2016, the grace period granted by the national data protection authorities of the EU Member States expired. In the following months, several rounds of negotiations took place regarding the successor of the Safe Harbour.

Finally, in July 2016, the “Privacy Shield” was adopted as a new legal framework to protect the fundamental rights of data subjects whose personal data are transferred from the EEA to the US. US companies who wish to receive personal data from the EEA can now apply for certification under the Privacy Shield which will – at least for now – provide adequate protection (for the transfer of) of personal data from the EEA to the US.

For more information on the Privacy Shield, click here.

4. Enforcement – The “Facebook case”

In the fall of 2015, the Belgian Privacy Commission started both summary proceedings and a procedure on the merits against Facebook, claiming that the ‘datr’ (tracking) cookie used by Facebook infringed the Belgian Data Protection Act. In November 2015, in the summary proceedings, the President of the Brussels Court of First Instance ordered Facebook to stop tracking non-users in Belgium. Facebook was also made subject to severe penalty payments.

Facebook appealed this judgment. In a judgement of 29 June 2016, the Brussels Court of Appeal declared to have no international jurisdiction over Facebook Inc. or Facebook Ireland. It found itself competent to judge only the data processing activities of the Belgian subsidiary Facebook Belgium BVBA/SPRL. However, as urgency is an essential requirement in summary proceedings, and the contested ‘datr’ cookie was in fact already in use since 2012, the Privacy Commission’s claim was deemed “not urgent” and therefore also rejected vis-à-vis Facebook Belgium.

In the meanwhile, to our knowledge, parallel proceedings on the merits are still pendingbefore the Brussels courts in which the ‘urgency’ criterion will not be an issue. The judgement in the procedure on the merits is expected in the course of 2017.