From kitten to tiger: the new Data Protection Authority

From kitten to tiger: the new Data Protection Authority
April 11, 2017 Arne Defurne

The challenge of ensuring high levels of data protection to citizens in our increasingly digitized and globalized society has led the Europeanlegislator to recently adopt the General Data Protection Regulation (“GDPR”). Knowing that creating new rights and obligations is not sufficient, the GDPR compels Member States to reform their existing supervisory authorities to ensure the proper application of the new rules. Enter the new Belgian “Data Protection Authority”.

Under the draft legislation, the “old” Privacy Commission will be reborn as the “Data Protection Authority” (“DPA”). The rationale behind this change is twofold – to align its denomination with the GDPR’s terminology and to better reflect the actual scope of its competences. Not only will the new and independent DPA maintain the advisory role of its predecessor, it will further be vested with broad investigative and corrective powers, giving it the necessary “teeth” to ensure compliance with the GDPR.
To better enable the DPA to fulfil its newly assigned role, it will be divided into five bodies:

  • The Executive Committee will establish the general policy and strategy for the DPA and maintain up-to-date knowledge of data protection related developments.
  • The Central Secretariat will ensure the daily operations of the DPA and manage all tasks that have not been specifically attributed to another body. It is the body which will first receive all complaints filed by data subjects. Other competences of the Central Secretariat include providing advice to controllers if they require an opinion or informing data subjects on their rights.
  • The Knowledge Centre will, on request of the public authorities or of its own initiative, provide opinions and recommendations on all data protection related topics which will also be published.
  • The Inspection Service, a new body vested with the power to investigate organisations, will take up the role of an investigating officer auxiliary to the public prosecutor. The investigative powers of the service are very broad and include the ability to organise hearings, conduct on-site examinations and seize goods and documents.
  • The Litigation Chamber will act as the judicial/administrative body of the DPA.

Next to these five bodies forming the DPA, the draft law establishes an independent Reflexion Council. Although not much is yet known about its exact composition, the Reflexion Council will represent society’s different players, providing the Executive Committee with additional input used to establish the DPA’s general policy.

But what will be the impact of those key changes on the citizens and organisations? First of all, the draft law enables natural and legal persons to file complaints with the DPA. Such a complaint can trigger an investigation by the Inspection Service. Not only does the Inspection Service have very broad investigative powers, it can also take temporary measures, such as obliging the organisation to freeze all processing activities for three months and more. The report of the investigation can then be brought before the Litigation Chamber. Because of its broad competences, the Litigation Chamber can decide to classify the case, give a warning, oblige the organisation to take certain measures, impose an administrative fine and so on. However, all complaints filed before the entry into force of the reform law but still pending afterwards will be processed following the old procedures. Finally, to ensure judicial certainty, the draft law clearly states that all past processing authorizations delivered by the sectoral committees, which will be abolished, will remain valid.

With the coming of the GDPR, the entire data protection landscape will change, and with it, the Belgian Privacy Commission as we know it. The future DPA will have more competences in order to truly protect citizen’s rights and to rebuke organisations that do not uphold them.