Will the national Privacy Commission be allowed to impose fines up to € 810,000 for privacy infringements?

News On 8 June 2015 the State Secretary responsible for privacy Bart Tommelein (Open VLD) stated in a press release that he intends to submit a draft act in the autumn to the Belgian House of representatives. This draft act intends to provide the national Privacy Commission with more powers to act against companies that violate the privacy rights of their customers.

1. High fines for companies that violate the privacy of their customers?

Numerous companies regularly, often unaware due to a lack of legal knowledge, commit privacy infringements when using personal data for commercial purposes.

The proposed draft act would give the Privacy Commission the authority to impose administrative fines up to € 810,000 per infringement. The amount of the fine will be determined based on multiple criteria, including the annual turnover of the company.

Not only international players, but also SME’s, banks or private persons would fall under the draft act.

Every person or company, that makes unlawful use of personal data from customers or users in databases, risks the imposition of a fine.

Unless in case of a serious breach, the Privacy Commission will first give a Recommendation so that those who violate the law have the opportunity to regularise themselves.

2. Not waiting for the EU, however in line with EU developments

With this announcement from the State Secretary, the EU is caught in speed.

At the European level, a reform initiative to replace the current Privacy Directive 95/46/EC for the now 28 EU Member States was already introduced in January 2012.

This resulted on 15 June 2015, after three and a half years of preparatory work, in a political agreement by the Council (and its 28 Member States) for the adoption of a General Data Protection Regulation.

The proposed Regulation, which shall be binding for all 28 Member States, includes provisions that will provide better tools to enforce compliance with data protection regulation. For example, there’s the possibility to obtain compensation if a company abuses personal data. Next, the Regulation provides that national supervisory authorities (in Belgium the Privacy Commission) will be able to impose a fine of up to € 1 million or 2 % of the global annual turnover of the company.

This political agreement now forms the basis to begin negotiations planned on 24 June 2015 with the European Parliament and the European Commission. The coming into force of this new Regulation is not expected earlier than eighteen months.

State Secretary Tommelein, representing Belgium during the negotiations at the European level, wants to act proactively and in line with EU developments without waiting for the entry into force of the new Regulation. By introducing a draft act, his aim is to maintain the pressure on the negotiations at the EU Level.

Statements in the aftermath of the Council gathering on 15 June 2015 indicate that  State Secretary Tommelein seeks to advance at least in the Benelux, in consultation with its Luxembourg and Dutch fellow ministers Félix Braz and Klaas Dijkhof, the alignment of legislation, in particular the imposition of administrative fines.

To be continued....