On April 25, 2019, the new chairman and the four directors of the new Belgian data protection authority were sworn in before the Belgian Parliament. This marks a new era for data protection law in Belgium.
Background
Following the effective date of the General Data Protection Regulation (GDPR) on May 25, 2018, the Belgian Privacy Commission was restructured into a Supervisory Authority under the GDPR, thus becoming the Belgian Data Protection Authority. It was given new enforcement powers, including the ability to impose fines up to €20 million or 4 percent of total worldwide annual turnover (whichever is higher).
A Slow Start…
Now, almost a year after the Belgian Data Protection Authority was established, the executive board (i.e., the chairman and four directors) has finally been appointed. Presumably, the delay is partly due to strict language requirements (i.e., fluency in all official languages: Dutch, French, and German).
Without a board to lead it and resources to pursue GDPR enforcement, the Data Protection Authority essentially appeared to be a “paper tiger,” or that is at least the impression of the newly appointed chairman, David Stevens, as reported by some local media. In a recent interview with Belgian newspaper De Tijd, Stevens stated that “Belgian companies have been procrastinating in implementing the European data protection rules, because the authority was lacking a management committee.”
…However, Increased GDPR Enforcement to Be Expected in 2019
Stevens also stated in the De Tijd interview that “the era of sit back and relax when it comes to the GDPR is over and that the DPA is going to go the extra mile to ensure companies’ compliance with the European Privacy Rules (GDPR).” Although he states in a recent IAPP interview that “we [the Belgian Data Protection Authority] need to make up our minds to see how to apply [the GDPR], because if we apply it to the full and to the letter, we could easily kill a lot of data processing going on, and that’s not the objective,” he adds in that interview that his private sector experience as a Data Protection Officer (DPO) has taught him that financial sanctions can be an important deterrent for bad actors.
Stevens also indicated in the IAPP interview that he looks forward to the Belgian Data Protection Authority participating in more high-profile investigations, such as the 2015 Facebook investigation by the former Belgian Privacy Commission. However, he noted that he would like such investigations to be carried out in a more efficient way at the European level. He also said that the Data Protection Authority still needs to operationalize its new structure, which is likely to take time and resources.
Composition of the Data Protection Authority
The Data Protection Authority’s strategy and enforcement priorities will be determined by its executive board, which is composed of:
- David Stevens (chairman and director of the general secretariat), who previously worked as a corporate lawyer and DPO at The Nielsen Company (an U.S. information, data, and measurement company) and Telenet (the largest provider of cable broadband services in Belgium);
- Alexandra Jaspar (director of the knowledge center), who served as the DPO of Bpost (Belgium’s national postal mail provider). Prior to joining Bpost, she obtained a master’s degree from Northwestern University School of Law and worked as an attorney focusing on intellectual property and information technology at Linklaters;
- Hielke Hijmans (chairman of the litigation chamber), who has long-standing experience in the public administration and has worked in advisory and management functions for the European Data Protection Supervisor, the European Court of Justice, and the Ministry of Justice in The Hague;
- Charlotte Dereppe (director of the front office, which serves as a first line for complaint handling), who was previously a counselor to the Belgian Secretary of State for Privacy; and
- Peter Van den Eynde (inspector-general of the inspectorate), who served as a legal advisor to the former Belgian Privacy Commission.
Conclusion: A Practical Data Protection Authority with Clear Enforcement Plans
The new chairman’s message to the world is clear: the Belgian Data Protection Authority will fully exercise its powers under the GDPR.
The new chairman’s experience as a DPO in the private sector may positively impact the way the Data Protection Authority deals and communicates with companies. In the IAPP interview, Stevens stated that he wants the Data Protection Authority to be “young, flexible, [and] dynamic. We want to be open and listen to public and private actors.” He added that the Data Protection Authority will issue guidance to clarify for different sectors and companies what its expectations are in terms of compliance.
At the same time, Stevens warns and notes in his message that businesses should take responsibility for their processing activities and GDPR compliance, as the Belgian Data Protection Authority will not hesitate to enforce against those who do not play by the rules.