The decision was expected today: the European Commission sent a letter of formal notice to Belgium for violation of Article 52 of the General Data Protection Regulation (GDPR). That article requires in particular that the supervisory authority (in Belgium, the Data Protection Authority, or DPA) be able to exercise “independently the missions and powers with which it is vested”, and that “the members of each supervisory authority remain free from any external influence, whether direct or indirect, and do not seek or accept instructions from anyone”. This follows from the missions of the DPA, which must verify that data flows (for example our data for the tax declaration, family allowances, etc.) are carried out with respect for the rights and freedoms of individuals.
In its formal notice, the European Commission explains that last March, Didier Reynders, Commissioner for Justice, sent a letter to the Belgian authorities to express his concerns about the lack of independence of the Data Protection Authority in Belgium. “Some of its members cannot be considered free from outside influence because they report to a management committee under the Belgian government, they participate in government projects on the tracing of Covid-19 contacts or they are members of the Information Security Committee”.
Didier Reynders explains to us today that he has not received a satisfactory answer from Belgium. The Commission is giving Belgium two months to get in order: “to explain what measure we are going to take so that structurally the authority responsible for protecting the personal data of citizens is truly independent of the government or any body linked to the government”. The European commissioner specifies that in the Belgian architecture there are today concerns about certain functions occupied by people who could be at the same time controlled and controllers. “What is being asked now is that the government and possibly Parliament look at the matter again and take action to address it.”
In other words, the Commission asks Belgium to come into line with European rules and resolve the problems that have been pointed out, otherwise it could bring it before the Court of Justice of the European Union. “At that point, we risk a very clear condemnation, there will be a judgment European Commission against Belgium”, explains Elise Degrave, Professor at the Faculty of Law of the University of Namur and Director of Research at NADI (Namur Digital Institute) and CRIDS (Information, Law and Society Research Center).
If Belgium were condemned, it would be the first European state in this situation since the GDPR began to apply in 2018, although three other countries have already been condemned under a previous directive.
For Elise Degrave, such a conviction for non-compliance with the GDPR “would be a shame for Belgium”, given that the independence or neutrality of the Data Protection Authority is really the basic principle that has been strengthened in the GDPR (compared with the European directive that existed before the GDPR, editor’s note). “We couldn’t ignore that it was important”.
Remember that the members of the DPA cannot be subject to any external influence. That means not being influenced by the people who are controlled, but also that there should be no risk of anticipated obedience. The case law of the European Court of Justice also indicates that care must be taken that the State has no influence on the DPA “because the state may have an interest in data protection not being respected”, Elise Degrave tells us. She adds that the subject is highly relevant in the current context: “for several months now we have been able to see how the state is putting pressure to flout data protection rules […] on the grounds of being efficient and fast”.
Last February on our airwaves, the co-director of the DPA, Alexandra Jaspar, was worried about “sensitive data about people” collected by the State during the coronavirus crisis. The data is stored in databases without its use being clearly delimited, she explained, and “we are not told with sufficient precision who or which state authority may use this data. Why? And how long can it keep them?”.
All these reasons explain why there cannot be public representatives within the supervisory authority, and this is also reflected in Belgian law. “The fact that Frank Robben is on the DPA is as big as a house […] It’s huge as an offense”, explains the professor at the Faculty of Law of the University of Namur, who does not understand why Parliament is doing nothing. “He is both the one who sets up the processing (on the administration side) and the one who will say that it is legal to set up this processing. Judge and party, controller / inspected”.
Note also that the complaint filed concerns the Data Protection Authority in Belgium and the appointment of four external members who also hold public mandates. Two members of the DPA Knowledge Center, also heads of public administrations, resigned last February amid criticism of the Authority’s independence. That leaves Frank Robben, who is also general administrator of the Banque Carrefour de la Sécurité sociale (BCSS) and of the eHealth platform, head of Smals, and principal drafter of the decisions of the Information Security Committee (CSI). He too recently appeared on our airwaves, where he rejected any form of conflict of interest. The last is Bart Preneel, professor of computer security and cryptology at KU Leuven (Katholieke Universiteit Leuven), who is also part of the management team of the Coronalert application. These two men are also members of the Knowledge Center of the DPA.
For Didier Reynders, this is not a debate about a particular person but, of course, about the role of each body. “If there is a body responsible for monitoring data protection, it must be completely independent from any other body dependent on the government, directly or indirectly.”
Note that this concerns an anonymous complaint filed with Didier Reynders, the commissioner in charge of the application of the GDPR, but that there is a second one, also anonymous, this time concerning the Information Security Committee (CSI), the IT arm of the State, as well as other organizations.