How Belgium plans to reform its data protection system

0
How Belgium plans to reform its data protection system

Like other European countries, Belgium has created a regulator for personal data protection. Initially called the Privacy Commission, this authority became the Data Protection Authority (DPA) in 2018. Mathieu Michel, Secretary of State for Privacy, recently confirmed that he is working on a reform of this Data Protection Authority law, after evaluating it.

The Data Protection Authority is a Belgian body responsible for monitoring compliance with the GDPR. It exercises its investigative powers on the basis of a 5-year action programme. The European Commission opened a procedure against Belgium for serious infringement of the General Data Protection Regulation (GDPR). This infringement procedure followed two complaints.

One concerns the Data Protection Authority (DPA) in Belgium and the appointment of four external members who also hold public office. Yet the GDPR provides that any member of a data protection authority must remain free from any external influence. The problematic DPA members were Séverine Waterbley and Nicolas Waeyaert, both heads of administration (FPS Economy and Bosa), as well as Bart Preneel (involved in the Information Security Committee) and Frank Robben. The first two resigned from their positions at the DPA last February, while Frank Robben is the general administrator of the Crossroads Bank for Social Security, the eHealth platform, the head of Smals and the main decision-maker of the Information Security Committee (ISC).

Belgium is called upon to resolve this issue before January 12, 2022 if it does not want to end up in the EU Court of Justice. The European Commission recalled:

“In March 2021, Didier Reynders, Commissioner for Justice, sent a letter to the Belgian authorities in which he expressed his concerns that the Belgian data protection authority was not independent. Some of its members cannot be considered to be free from external influence because they report to a management committee dependent on the Belgian government, participate in government projects on contact tracing in the framework of COVID-19 or are members of the Information Security Committee. The information provided in the response provided by the Belgian authorities in April 2021 did not dispel these concerns.”

Frank Robben said he“regrets” that he was “wrongly attributed with any other intentions” than to contribute independently to the proper functioning of the Data Protection Authority (DPA). However, both majority and opposition MEPs called on the Secretary of State to address the issue without delay.

A bill to this effect will be tabled in the next few weeks,” he said when presenting the “privacy” section of his general policy note. This bill will have three components:

  • strengthening the functioning of the ODA,
  • the strengthening of the collaboration with other administrative authorities that have developed an expertise on the subject (such as BIPT)
  • increased autonomy in its operation.

Mathieu Michel announced that the Management Committee would become a collegiate body, but also that the number of directors would be reduced from five to four and that the ODA would work more upstream. He stated:

“The law needs to be readable. We need more accountability of the players and more transparency in the functioning of these authorities.”

This bill is the first part of a broader work to reform data protection. Mr Mathieu Michel explained that it would take at least 2 years to achieve this and added:

“There is a lot of work. I am not going to lie to you. But the priority must be on the ODA which raises a number of questions. And we must provide an answer by 12 January. I hope that collectively we can land on that.”

The Federal Parliament needs to resolve Frank Robben’s multi-functional problem. His presence at multiple levels of designing, overseeing and controlling systems related to health data has already drawn widespread criticism. Indeed, MPs are due to vote on a bill concerning a gigantic database of Belgian health data, which could possibly be subcontracted to Smals, headed by Frank Robben.
Mathieu Michel is reassuring:

“I understand and share the questions about the issue on health data. I share the idea that we must be particularly attentive to this. This is the direction in which I intend to work.”

Translated from Comment la Belgique envisage une réforme concernant son système de protection des données