Data Protection and Privacy Update – March 2018

There have been several relevant developments in Belgium in the month of March: A new law on surveillance cameras has been adopted. The Privacy Commission published a recommendation on Data Protection Impact Assessments. It also published a GDPR-brochure for SME’s (NL/FR). On 16 March, the Council of Ministers adopted a preliminary proposal of law on personal data protection (implementing amongst others the GPDR). We will update you on the latter issue when more information is made available to the public. 

New law on surveillance camera’s

On 8 March 2018, the Parliament adopted the new law on surveillance cameras, replacing the law of 2007. The primary goal is to create a more adequate legal framework for the use of surveillance cameras. Whilst the law has not been published in the official journal yet, it is scheduled to enter into force on 25 May 2018.

The use of surveillance cameras by police or intelligence services will fall under the respective laws regulation them. Use of surveillance cameras governed by specific legislation (such as surveillance at the workplace) remains excluded from the new law.

The camera law of 2018 will thus regulate the use by other public authorities (such as the communities and cities) and by private individuals or entities. If surveillance cameras cover different needs (other than surveillance), the camera law prevails in case of a conflict of law.

Furthermore, use of surveillance cameras is subject to a Data Protection Impact Assessment (DPIA). If you make changes to your existing surveillance activities or are starting a new one, you will be required to perform a data protection impact assessment. Each controller will have to inform data subjects of the use of surveillance cameras using the well-known sign/pictogram. In accordance with the GDPR, the controller needs to maintain a register of camera use. This register has to be made available to the Data Protection Authority upon request. In addition to this, the use of surveillance cameras has to be notified to the local police authority (the previous law required notification to the Privacy Commission). Again in line with the GDPR, surveillance cameras used for purely household or domestic purposes are exempt from the law.

A new element is that in the vicinity of a surveillance camera, a screen can show the real-time video feed of that camera. This practice was contested until now, but has now been legitimized.

Recommendation on Data Protection Impact Assessments of the Privacy Commission (NL / FR)

In preparation of the implementation date of the GDPR coming 25 May, the Privacy Commission has published a recommendation on DPIAs.

The DPIA is a novelty of the GDPR (even though risk assessments are commonplace in today’s business processes) but the text of the GDPR arguably left much to be desired. Similarly, the Opinions of the Article 29 Working party (WP29) also did not fully eliminate uncertainty on this issue.

A primary issue is the question of when a DPIA is triggered. The GDPR states that a DPIA is required when (modifications to) a personal data processing operation under consideration presents a potential high risk for the rights and freedoms of the data subject. But what constitutes a high risk? The Privacy Commission has tried to answer that question by defining 9 criteria that could imply a risk:

  • Evaluation of scoring
  • Automated decision making with legal consequences
  • Structured monitoring
  • Processing of sensitive data or data of a highly personal nature
  • Large-scale processing
  • Matching or combining of datasets
  • Data on vulnerable persons
  • Innovative use or application of new technologies or organizational applications
  • Data subjects would be denied execution of their rights or would not be able to benefit from a service or contract

Any combination of two or more of these criteria requires a DPIA to be carried out. For some processing operations, one of the criteria can trigger a DPIA as well.

The Privacy Commission also describes the required elements of a DPIA but it refrains from defining a methodology. For the latter it refers to existing risk analysis methodologies. It also addresses the notification requirement of a DPIA under the GDPR, which it considers is also required if the outcome of a DPIA suggest a high risk to the rights and freedoms of the data subject, despite the risk mitigating measures put in place.  In other words, the residual risk triggers the notification.

The Recommendation also addresses finer details such as the different parties and their respective roles in a DPIA, criteria for exemption from the DPIA requirement, and their maintenance. On this last element, the Privacy Commission considers that DPIAs must be reviewed at least every three years and that changes to processing operations existing on 25 May 2018 require a complete DPIA of the processing operation and not just in relation to the modifications.

The recommendation concludes with annexes concerning data processing activities which always require a DPIA as well as processing activities that are exempt from this requirement. These annexes are subject to the adoption by the Data Protection Authority.

While the Recommendation does not put an end to all discussions, it does provide welcome clarification on the DPIA process. It will be interesting to see if the Data Protection Authority will adopt the annexes and / or will add any modifications.