The Belgian Privacy Commission (Belgian Data Protection Authority) does not yet have the power to impose administrative fines, sanctions or measures for violations of the Data Protection Act (a legislative change is expected in the near future to allow the Privacy Commission to impose sanctions). It does, however, have the power to investigate cases (including requesting documents and making on-the-spot investigations), handle complaints and carry out mediation procedures, issue non-binding advice, and submit civil cases to the Court of First Instance and criminal cases to the public prosecutor.
Individuals can file claims with the President of the Court of First Instance to obtain injunctive relief (e.g. suspension of processing) and actual damages. A data controller is liable for any damage caused by an act in violation of the Data Protection Act, unless it can prove that it did not cause the damage. An individual may also file criminal claims.
Penalties are fines of between €600 and €600,000 and/or the same fines and imprisonment from 3 months to 2 years (in case of second offences), depending on the violation. In addition, Belgian courts may, as the case may arise, order publication of their decisions in whole or by excerpt in one or more newspapers, as well as the seizure of any privacy-infringing equipment or data, and rectification or destruction of personal data; courts may also prohibit the controller from processing any personal data for up to 2 years. Legal entities may face criminal sanctions up to, and including, their forced winding up.
Under Belgian law, both legal entities and individuals can be prosecuted for criminal offenses. Company officials and other employees can potentially be held criminally liable for acts of the company if they have personally participated in the act or omission that violated the law. In practice, non-compliance with the Data Protection Act creates concerns for an employer because it may be difficult or even impossible (although case law is evolving in that respect) to make use of data gathered in violation of the Data Protection Act to dismiss and/or prosecute an employee. Certain labor courts, notably in cases of alleged abusive dismissal of employees, have granted indemnities to employees whose privacy rights had been infringed by their employer (see notably the Labor Court of Gand, Decision of October 14, 2011, where the Court granted an indemnity evaluated ex aequo et bono at €1).
Selected Enforcement Actions / General Comments
Some examples of recent enforcement action in Belgium include:
In 2007, the Belgian Privacy Commission and the Article 29 Working Party opened an investigation against SWIFT, a Belgian-based financial payment provider, with respect to data transfer and sharing activities with the US government. SWIFT was subjected to 2 years of investigations, and eventually settled the dispute by agreeing to join the US-EU Safe Harbor Privacy Agreement, establishing new information technology infrastructure for European transactions in Switzerland, and taking other steps. In November 2013, the Belgian Privacy Commission launched a new investigation, together with the Dutch Data Protection Authority, on the security measures implemented by SWIFT. In May 2014, the Belgian and Dutch data protection authorities indicated that they had not recorded any violation of legal security requirements by SWIFT.
Over the last three years, the Belgian Privacy Commission appears to have taken a more aggressive stance vis-à-vis potential privacy violations and seeks to impose out-of-court pecuniary settlements on alleged infringers through the public prosecutor’s office. For instance, in January 2011, the federal public prosecutor’s office opened an investigation at the suggestion of the Belgian Privacy Commission regarding personal data transmitted by wireless devices that were arguably illegally intercepted. In August 2011, the firm concerned received an offer for an out-of-court settlement subject to the payment of €150,000 from the Belgian federal prosecutor.
In a recommendation of January 2013 on information security, the Privacy Commission indicated that, in case of noncompliance with its recommendations in that respect, it would make its best efforts and use all legal means to have data controllers held liable, including through criminal prosecution by referring the case to the public prosecutor.
In April 2013, for the first time, the Belgian Privacy Commission announced that it referred a security breach case to the Brussels Public Prosecutor to initiate criminal proceedings. This case concerned the National Belgian Railway Company.
At the end of 2014, the chairman of the Belgian Privacy Commission told the press that one of the biggest cases they had been working on involved a pharmaceutical company. He also announced the creation of a new investigation department within the Privacy Commission, which will actively investigate violations of the data protection legislation and will focus on controllers processing sensitive data such as insurers and hospitals; this could thus also concern pharmaceutical and/or cosmetic companies handling health-related data.
In June 2015, after a recommendation issued in May, the Belgian Privacy Commission initiated legal action before the Court of First Instance against a social network company. The case is pending and should be pleaded in September 2015.
It is worth noting that not being privacy/data protection compliant generally may result in having to deal with the Belgian Privacy Commission, which is particularly relentless in the pursuit of its demands. Bad press coverage is generally the most common sanction that companies will face in Belgium. Criminal sanctions are rare and have so far been reserved for material violations or reckless ignorance of the data protection law.