The date on which the General Data Protection Regulation (“GDPR”) becomes applicable, 25 May 2018, is fast approaching, and adopting the measures needed to comply with it is becoming increasingly urgent.
Two new texts address, on the one hand, how administrative fines are to be calculated and, on the other, how infringements will be investigated and sanctioned.
I. Draft law establishing the Belgian Data Protection Authority
On 23 August 2017, a bill creating the Belgian Data Protection Authority was introduced before the Parliament. Once adopted, the law will transform the current Commission for the Protection of Privacy (the Privacy Commission) into the national supervisory authority for the protection of personal data within the meaning of Article 51 of the GDPR. Its new structure has been modelled in particular on that of other independent administrative authorities, such as the Belgian Competition Authority.
In concrete terms, the bill amends the structure of the Commission by establishing six main bodies: a steering committee, a general secretariat, a front-line service, a knowledge centre, an inspection service and a litigation chamber. The steering committee will be composed of the executives of the other five bodies, who will be appointed by the Parliament. In addition, a reflection council, independent of the authority, will also be set up and will issue non-binding opinions on all subjects relating to the protection of personal data.
The Authority’s tasks will be to inform and advise data subjects and controllers, to assist controllers and their processors in carrying out their obligations, to monitor them through an inspection service and to sanction non-compliance with the provisions of the GDPR.
This power of sanction is probably the most important new feature of the bill. Whereas the Commission currently has only the power to issue opinions and recommendations, it will soon be able to impose sanctions, a power which until now has belonged entirely to the courts. The litigation chamber will be able to pronounce a range of measures, from a decision to close the case or to refer it to the Public Prosecutor’s Office, to warnings, reprimands, periodic penalty payments, administrative fines and various injunctions. Decisions of the litigation chamber will be open to appeal before a specialised chamber of the Brussels Court of Appeal, the “Cour des marchés” (Market Court).
II. Guidelines on the application and setting of administrative fines
The “Article 29 Data Protection Working Party” (“Article 29 WP”), which will become the European Data Protection Board (“EDPB”) once the GDPR applies, publishes guidelines to ensure a uniform and consistent understanding of the provisions of the GDPR across Member States. Since the adoption of the Regulation in April 2016, Article 29 WP has issued a series of guidelines on specific articles of the GDPR. Those already published relate to the right to data portability, the appointment of a Data Protection Officer and the identification of the lead supervisory authority.
On 3 October 2017, new guidelines were published on the application and setting of the administrative fines that may be imposed on a data controller or data processor for an infringement of the GDPR. As a reminder, Article 83 of the Regulation provides that, depending on the type of infringement, these fines may amount to up to EUR 10 million or, in the case of an undertaking, up to 2% of its total worldwide annual turnover for the preceding financial year, whichever is higher, or to up to EUR 20 million or, in the case of an undertaking, up to 4% of that turnover, whichever is higher.
In these guidelines, Article 29 WP recalls the general principles governing administrative fines: each fine must be effective, proportionate and dissuasive, and it must be determined on a case-by-case basis. In making this assessment, the supervisory authority will have to take into account several criteria, including the nature, duration and gravity of the infringement, the number of data subjects affected, the purpose of the processing of their data, the damage they may have suffered, the manner in which the infringement became known to the supervisory authority, the degree of cooperation of the controller or processor with the supervisory authority, any previous infringements (“recidivism”), the categories of personal data concerned, the measures taken by the controller or processor to mitigate the negative consequences for the data subjects, and so on.
Controllers and processors are therefore advised to keep evidence of the concrete measures they have taken to comply with the obligations arising from the GDPR. Since the degree of responsibility of the controller or processor, having regard to the technical and organisational measures it has implemented, is also taken into account in setting the amount of the fine, the controller or processor must be able, in the event of an infringement, to demonstrate that all measures which might have prevented it had been put in place internally.
Grégory Sorreaux (Partner) & Catherine Thiry (Associate)