The Privacy, Data Protection and Cybersecurity Law Review




The Privacy, Data Protection and Cybersecurity Law Review Editor Alan Charles Raul Law Business Research

Reproduced with permission from Law Business Research Ltd. This article was first published in The Privacy, Data Protection and Cybersecurity Law Review - Edition 1 (published in November 2014; editor Alan Charles Raul). For further information please email Nick.Barette@lbresearch.com



PUBLISHER Gideon Roberton
BUSINESS DEVELOPMENT MANAGER Nick Barette
SENIOR ACCOUNT MANAGERS Katherine Jablonowska, Thomas Lee, James Spearing
ACCOUNT MANAGER Felicity Bown
PUBLISHING COORDINATOR Lucy Brewer
MARKETING ASSISTANT Dominique Destrée
EDITORIAL ASSISTANT Shani Bans
HEAD OF PRODUCTION AND DISTRIBUTION Adam Myers
PRODUCTION EDITOR Timothy Beaver
SUBEDITOR Janina Godowska
MANAGING DIRECTOR Richard Davey

Published in the United Kingdom by Law Business Research Ltd, London, 87 Lancaster Road, London, W11 1QQ, UK. © 2014 Law Business Research Ltd. www.thelawreviews.co.uk

No photocopying: copyright licences do not apply. The information provided in this publication is general and may not apply in a specific situation, nor does it necessarily represent the views of authors' firms or their clients. Legal advice should always be sought before taking any legal action based on the information provided. The publishers accept no responsibility for any acts or omissions contained herein. Although the information provided is accurate as of November 2014, be advised that this is a developing area. Enquiries concerning reproduction should be sent to Law Business Research, at the address above. Enquiries concerning editorial content should be directed to the Publisher: gideon.roberton@lbresearch.com

ISBN 978-1-909830-28-8. Printed in Great Britain by Encompass Print Solutions, Derbyshire. Tel: 0844 2480 112

ACKNOWLEDGEMENTS

The publisher acknowledges and thanks the following law firms for their learned assistance throughout the preparation of this book:
ASTREA
BALLAS, PELECANOS & ASSOCIATES LPC
BOGSCH & PARTNERS LAW FIRM
DUNAUD CLARENC COMBLES & ASSOCIÉS
ELIG, ATTORNEYS-AT-LAW
JONES DAY
KIM & CHANG
NNOVATION LLP
NOERR
PINHEIRO NETO ADVOGADOS
SANTAMARINA Y STETA, SC
SIDLEY AUSTIN LLP
SYNCH ADVOKAT AB
URÍA MENÉNDEZ ABOGADOS, SLP
WINHELLER RECHTSANWALTSGESELLSCHAFT MBH

CONTENTS

Editor's Preface ... v (Alan Charles Raul)
Chapter 1 EUROPEAN UNION OVERVIEW ... 1 (William Long, Géraldine Scali and Alan Charles Raul)
Chapter 2 APEC OVERVIEW ... 19 (Catherine Valerio Barrad and Alan Charles Raul)
Chapter 3 BELGIUM ... 31 (Steven De Schrijver and Thomas Daenens)
Chapter 4 BRAZIL ... 43 (André Zonaro Giacchetta and Ciro Torres Freitas)
Chapter 5 CANADA ... 54 (Shaun Brown)
Chapter 6 FRANCE ... 70 (Merav Griguer)
Chapter 7 GERMANY ... 83 (Jens-Marwin Koch)
Chapter 8 GREECE ... 98 (George Ballas and Theodore Konstantakopoulos)
Chapter 9 HONG KONG ... 113 (Yuet Ming Tham and Joanne Mok)
Chapter 10 HUNGARY ... 127 (Tamás Gödölle and Péter Koczor)
Chapter 11 ITALY ... 142 (Stefano Macchi di Cellere)
Chapter 12 JAPAN ... 156 (Takahiro Nonaka)
Chapter 13 KOREA ... 170 (Jin Hwan Kim, Brian Tae-Hyun Chung, Jennifer S Keh and In Hwan Lee)
Chapter 14 MEXICO ... 180 (César G Cruz-Ayala and Diego Acosta-Chin)
Chapter 15 RUSSIA ... 194 (Vyacheslav Khayryuzov)
Chapter 16 SINGAPORE ... 204 (Yuet Ming Tham, Ijin Tan and Teena Zhang)
Chapter 17 SPAIN ... 219 (Cecilia Álvarez Rigaudias and Reyes Bermejo Bosch)
Chapter 18 SWEDEN ... 230 (Jim Runsten and Charlotta Emtefall)
Chapter 19 TURKEY ... 241 (Gönenç Gürkaynak and İlay Yılmaz)
Chapter 20 UNITED KINGDOM ... 253 (William Long and Géraldine Scali)
Chapter 21 UNITED STATES ... 268 (Alan Charles Raul, Tasha D Manoranjan and Vivek Mohan)
Appendix 1 ABOUT THE AUTHORS ... 295
Appendix 2 CONTRIBUTING LAW FIRMS' CONTACT DETAILS ... 309

EDITOR'S PREFACE

The first edition of The Privacy, Data Protection and Cybersecurity Law Review appears at a time of extraordinary policy change and practical challenge for this field of law and regulation. In the United States, massive data breaches have vied with Edward Snowden and foreign state-sponsored hacking to make the biggest impression on both policymakers and the public. In Europe, the right to be forgotten, the draconian new penalties proposed in the draft Data Protection Regulation and the Snowden leaks have significantly altered the policy landscape.

Moreover, the frenetic conversion of the global economy to an increasingly digital, internet-driven model is also stimulating a rapid change in privacy, data protection and cybersecurity laws and regulations. Governments are playing catch-up with technological innovation. It is reported that half the world's population will be online by 2016, and the economies of emerging nations (except, perhaps, in Africa) are being developed directly through electronic commerce rather than taking the intermediate step of industrial growth as Western economies did. Growth and change in this area is accelerating, and rapid changes in law and policy are to be expected.

In France, whistle-blowing hotlines are meticulously regulated, but now, in certain key areas like financial fraud or corruption, advance authorisation for the hotlines is automatic under a 2014 legal amendment. In Singapore, 2014 saw the first enforcement matter under that country's Personal Data Protection Act, imposing a financial penalty on a company that sent unsolicited telemarketing messages. In Russia, a new 2014 forced localisation law requires data about Russians to be stored on servers in-country rather than wherever the data can be most efficiently managed and processed, and jurisdictions around the world have debated enacting such proposals. Interestingly, while notice of the location of the relevant servers must be provided to the Russian data protection authority, it is not clear whether the law prohibits personal data from being simultaneously stored both in-country and on foreign servers.

The European Union continues to seek to extend its model for data protection regulation around the world by deeming only countries that adopt the omnibus legislative approach of the EU to be adequate for data protection purposes. The EU model is not being universally endorsed, even outside the US and the Asia and Pacific Economic Cooperation (APEC) economies. But nonetheless, the EU's constraints on international data transfers have substantially inhibited the ability of multinational companies to move personal data around the world efficiently for business purposes. In particular, conflicts with the US abound, exacerbated by the Snowden leaks regarding US government surveillance. One of the primary methods by which such EU-US data flows are facilitated, the US-EU Safe Harbor regime, has come under attack from EU parliamentarians who believe that such information will not be as carefully protected in the US and could become more susceptible to surveillance, despite the comparable surveillance authorities of EU intelligence agencies. While policy conflicts over data protection appeared to be moderating before the Snowden leaks, afterwards officials around the world professed to be so shocked that governments were conducting surveillance against possible terrorists that they appear to have decided that US consumer companies should pay the price. Some observers believe that digital trade protection, and the desire to promote regional or national clouds, play some role in the antagonism levelled against US internet and technology companies.

The fact that the US does not have an omnibus data protection law, and thus does not have a top-level privacy regulator or coordinator, means that it has been difficult for the US to explain and advocate for its approach to protecting personal information. This has allowed the EU to fill a perceived policy void by denying mutual recognition to US practices, and to impose significant extraterritorial regulatory constraints on American and other non-European businesses. Nevertheless, it cannot be denied that privacy enforcement in the US is distinctly more aggressive and punitive than anywhere else in the world, including the EU. Substantial investigations and financial recoveries have been conducted and achieved by the Federal Trade Commission (which has comprehensive jurisdiction over consumer data and business practices), 50 state attorneys general (who have even broader jurisdiction over consumer protection and business acts and practices), private class action lawyers who can bring broad legal suits in federal and state courts, and a plethora of other federal and state agencies, such as the Consumer Financial Protection Bureau, the Federal Communications Commission, the Department of Health and Human Services (for medical and health-care data), the Department of Education, the Securities and Exchange Commission and various banking and insurance agencies. In sum, there is no shortage of privacy regulators and enforcers in the US, Europe and Asia. Enforcement in South America, as well as Africa and the Middle East, appears to be developing more slowly.

Trumping many other privacy concerns, however, is the spate of data breaches and hacking that has been epidemic and part of public discourse in the years following California's enactment of the first data breach notification law in 2003. While the US appears (as a consequence of mandatory reporting) to be suffering the bulk of major cyberattacks on retailers, financial institutions and companies with intellectual property worth stealing by foreign competitors or governments, it is also true that the US is leading the rest of the world on data breach notification laws and laws requiring that companies adopt affirmative data security safeguards for personal information. For corporate and critical infrastructure networks and databases, the US has also led the way with a presidential executive order and the Cybersecurity Framework developed by the National Institute of Standards and Technology in the US Department of Commerce. The United Kingdom has also been a leader in this area, developing the UK Cyber Essentials programme, which will soon include an option for companies to be certified as compliant with the programme's cybersecurity standards. The EU Parliament has also enacted cybersecurity directives, and the EU's European Network and Information Security Agency has provided extensive and expert analysis, guidance and recommendations for promoting cybersecurity for EU-based organisations.

Despite attempts to implement baselines for cyber safeguards, it appears that no one is immune and no organisation is sufficiently protected to have any confidence that it can avoid being the victim of successful cyberattacks, particularly by the sophisticated hackers employed by state sponsors, organised crime, social hacktivists or determined, renegade insiders (like Snowden). Government agencies and highly resourced private companies have been unable to prevent their networks from being penetrated, and sometimes are likely to identify advanced persistent threats only months after the malware has begun executing its malicious purposes. This phenomenally destructive situation cannot obtain, and presumably some more effective solutions will have to be identified, developed and implemented. What those remedies will be, however, is not at all clear as 2014 yields to 2015.

In the coming year, it would seem plausible that there could be efforts at international cooperation on cybersecurity as well as cross-border enforcement against privacy violators. Enforcers in the EU, the US and among the APEC economies may increasingly agree to work together to promote the shared values embodied in the fair information practice principles that are common to most national privacy regimes. In early 2014, a step in this direction was taken when APEC and the European Union's Article 29 Working Party (on Data Protection) jointly released a framework by which international data transfers could be effectuated pursuant to the guidelines of both organisations.

Challenges and conflicts will continue to be factors with respect to: assurances of privacy protection in 'the cloud'; common understandings of limits on, and transparency of, government access to personal data stored either in the cloud or by internet companies and service providers; differences about how and when information can be collected in Europe (and perhaps some other countries) and transmitted to the US for civil discovery and law enforcement or regulatory purposes; freedom of expression for internet posts and publications; the ability of companies to market on the internet and to track and profile users online through cookies and other persistent identifiers; and the deployment of drones for commercial and governmental data acquisition purposes.

The biggest looming issue of them all, however, will likely be big data. This is a highly promising practice based on data science and analytics that collects and uses enormous quantities of disparate (and often unstructured) data, and applies creative new algorithms enabled by vastly cheaper and more powerful computing power and storage. Big data can discover helpful new patterns and make useful new predictions about health problems, civic needs, commercial efficiencies and, yes, consumer interests and preferences. The potential social utility of big data has been unequivocally acknowledged by the US administration as well as by the key policymakers in the EU. But big data challenges the existing privacy paradigm of notice and disclosure to individuals who are then free to make choices about how and when their data can be used and collected. Many existing and proposed applications of big data only work if the vast stores of data collected by today's companies can be maintained and analysed irrespective of purpose limitations. Such limitations may have been relevant (and disclosed) at the point of collection, but no longer address the value of the data to companies and consumers who can benefit from big data applications. Numerous highly thoughtful reports by policymakers in the US and EU have noted concerns about the possibility that unfettered big data applications could result in hidden discrimination against certain demographic groups that might be difficult to identify and correct; or could result in undue profiling of individuals that might inhibit their autonomy, limit their financial, employment, insurance or even serendipitous choices, or possibly somehow encroach on their personal privacy (to the extent that otherwise aggregate or anonymous data can be re-identified).

This publication arrives at a time of enormous ferment for privacy, data protection and cybersecurity. Readers are invited to provide any suggestions for the next edition of this compendium, and we look forward to seeing how the many fascinating and consequential issues addressed here will evolve or develop in the next year.

Alan Charles Raul
Sidley Austin LLP
Washington, DC
November 2014

Chapter 3 BELGIUM Steven De Schrijver and Thomas Daenens 1 I OVERVIEW The Belgian legislative and regulatory approach to privacy, data protection and cybersecurity is quite comprehensive. The most important legal provisions can be found in the following: a Article 22 of the Belgian Constitution, which provides that everyone is entitled to the protection of his or her private and family life; b the Act of 8 December 1992 on privacy protection in relation to the processing of personal data, further implemented by the Royal Decree of 13 February 2001; c Book XII (Law of the Electronic Economy) of the Code of Economic Law, as adopted by the Act of 15 December 2013; d the Act of 13 June 2005 on Electronic Communications; and e the Act of 28 November 2000 on Cybercrime. Belgium has not adopted a sectoral approach to the regulation of the protection of privacy and personal data, but has nevertheless adopted specific rules for certain cases. In addition to the Data Protection Act and the Royal Decree of 13 February 2001, a number of specific laws and rules also contain provisions on the protection of privacy and personal data, such as: a the Camera Surveillance Act of 21 March 2007, governing the installation and use of surveillance cameras; b Collective Bargaining Agreement No. 68 of 16 June 1998 concerning the camera surveillance of employees; c Collective Bargaining Agreement No. 81 of 26 April 2002 on the monitoring of electronic communications of employees; and 1 Steven De Schrijver is a partner and Thomas Daenens is a senior associate at Astrea. 31

Belgium d the Patient Rights Act of 22 August 2002 which relates, among other things, to the use of patients data and the information that patients need to receive in respect of this use. Due to a series of cyber incidents, cybersecurity has received increased attention in Belgium in recent years. A number of banks and private companies have been the subject of cyberattacks, whereby personal data was stolen and threatened to be made public, unless a ransom was paid. A large steel manufacturer was the victim of Anonymous Belgium, and both the Belgian Ministry of Foreign Affairs and the Ministry of Finance have been the subject of hacking attempts. In November 2012, the Belgian government presented its national cybersecurity strategy, which focuses, among other things, on a centralised and integrated approach to cybersecurity, the further development of a legal framework, the permanent followup of cyberthreats, the increase of the capacity to respond to cybersecurity incidents, the improvement of incident reporting, and effective prosecution and punishment of cybercrime. The previous Belgian government announced in July 2014 that it had finalised its Royal Decree on the establishment of a Cybersecurity Center, and in the new government, which was installed in October 2014, there is for the first time a deputy minister who is specifically charged with handling privacy issues. II THE YEAR IN REVIEW The most significant recent event in Belgium was the Supreme Court decision of 20 November 2013 in the criminal case against Yahoo!. This case relates, among other things, to the jurisdiction of the Belgian judicial authorities to order the disclosure of personal data by foreign communications service providers (for a more detailed discussion, see Section VI, infra). According to the Supreme Court, foreign entities offering an online service (or software) are subject to Belgian criminal law, as soon as such service of software can be used in Belgium. 
The Court also ruled that the Belgian Public Prosecutor has the power to enforce Belgian criminal law against such foreign entities without the intervention or assistance of the judicial authorities of the state of residence of these entities. As the Yahoo! case is currently pending again before the Supreme Court (after the Court of Appeals found Yahoo! guilty), it is too early to draw any final conclusions, but if the Supreme Court maintains its position, this may have important implications for the international system of mutual legal assistance in criminal matters. In relation to cybersecurity, the Belgian government announced on 17 July 2014 that it has finalised its Royal Decree on the establishment of a Belgian Cybersecurity Centre. The Cybersecurity Centre s tasks would be to monitor the country s cybersecurity and manage cyber incidents. It would also oversee various cybersecurity projects, formulate legislative proposals relating to cybersecurity, and issue standards and guidelines for securing public sector IT systems. One of the issues that received quite some media attention in Belgium recently was the decision of the European Court of Justice of 13 May 2014 in the case against Google Spain, where the Court ruled that Google was a data controller and could be 32

Belgium obliged to remove links to web pages published by a third party to protect an individual s right to be forgotten. In addition, the hacking of the communication infrastructure of Belgacom, Belgian s biggest telecom service provider, by foreign intelligence services, also received a lot of attention in Belgian media in 2013 and this year. III REGULATORY FRAMEWORK i Privacy and data protection legislation and standards The Belgian privacy and data protection legislation is set forth in the Act of 8 December 1992 on privacy protection in relation to the processing of personal data (the Data Protection Act). This Act was amended by the Act of 11 December 1998 with a view to implementing the provisions of the EU Data Protection Directive. Belgium has transposed the EU Data Protection Directive quite literally, so the definitions of the different concepts, such as personal data, sensitive personal data, and data controllers, are identical or very similar to the definitions used in EU law. As such, personal data means any information relating to an identified or identifiable natural person, whereby an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his identity. Sensitive personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and data concerning health, sex life or judicial information. The data controller is the person which alone or jointly with others determines the purposes and means of the processing of personal data and data processors are persons that process personal data on behalf of a data controller. Under Belgian law, it is also possible for different persons or entities to act as data controller in respect of the same personal data. 
The Belgian enforcement agency with responsibility for privacy and data protection is the Belgian Privacy Commission (DPA). The DPA s mission includes monitoring compliance with the provisions of the Data Protection Act, but it cannot impose any administrative penalties upon individuals or organisations. Although the DPA has the authority to conduct raids and investigations, these are quite rare due to a lack of sufficient resources. The Data Protection Act provides for criminal sanctions for most provisions, including the duty to inform the data subject and the duty to file a prior notification of processing operations to the DPA. Penalties range from 600 to 600,000 and include, in specific cases, imprisonment of up to two years. The publication of the judgment may also be ordered, together with other measures that may constitute a serious threat to the data controller, such as confiscation of the support media, an order to erase the data or a prohibition on using the personal data for up to two years. There is no requirement to establish any harm or injury as a result of a breach of the Data Protection Act for the sanctions to apply, but obviously the existence of such harm or injury may have an impact on the decision of the judicial authorities whether or not to prosecute. 33

ii Belgium General obligations for data handlers Data controllers must notify the DPA of any automated data processing operation. Such notification is a mere filing and can be done by filling in an online form and submitting a signed copy thereof to the DPA. Any changes to the data processing operation must also be notified. Notification is only required for automated processing (and not for manual files) with certain limited exemptions (e.g., payroll and personnel administration, accounting and client or supplier administration). Non-sensitive personal data may be processed if the processing is: a carried out with the data subject s consent; b necessary for the performance of a contract with the data subject; c necessary for compliance with a legal obligation; d necessary in order to protect the vital interests of the data subject; e f necessary for the public interest or in the exercise of official authority; or necessary for the data controller s or recipient s legitimate interests, except where overridden by the interests of the data subject. In addition, the processing must comply with the general principles of data processing, which implies that personal data is to be: a processed fairly and lawfully; b collected for specific, explicit and legitimate purposes and not processed in a manner incompatible with those purposes; c adequate, relevant and not excessive; d accurate and, where necessary, up to date; and e kept in an identifiable form for no longer than necessary. 
Sensitive personal data (i.e., personal data related to racial or ethnic origin, sexual orientation, religious or political beliefs, union membership or health or judicial information) may only be processed if the processing:

a is carried out with the data subject's explicit written consent;
b is necessary for a legal obligation in the field of employment law;
c is necessary to protect the vital interests of the data subject where the data subject is unable to give consent;
d is carried out by a non-profit-seeking body and relates to members of that body or persons who have regular contact with it;
e relates to data made public by the data subject;
f is necessary for legal claims; or
g is necessary for medical reasons.

In practice, the legitimate interest condition is frequently relied upon as a ground for processing non-sensitive personal data. It should be noted, however, that the DPA finds that obtaining the unambiguous consent of the data subject is best practice and that the legitimate interest condition is only a residual ground for processing. Except with respect to the processing of sensitive personal data, where consent of the data subject must be provided in writing, Belgian law does not impose any formalities to obtain consent to process personal data. Such consent may be express or implied, written or oral, provided it is freely given, specific and informed. However, as consent should be unambiguous as well, it is recommended to obtain express and written consent for evidential purposes. With respect to the processing of employees' personal data, the DPA finds that such processing should be based on legal grounds other than consent, in particular the performance of a contract with the data subject, since obtaining valid consent from employees is considered difficult (if not impossible), given their subordinate relationship with the employer.

As far as the data subjects' rights of access, correction and removal are concerned, Belgian law provides that a data controller must provide a data subject access to his or her data upon request and free of charge. The data subject has the right to have inaccurate data corrected or deleted and, in certain cases, he or she may object to decisions being made about him or her based solely on automatic processing. To exercise such right, the data subject must send a dated and signed request to the data controller, who must confirm the amendment or deletion within one month to the data subject and, where possible, to the third parties to whom the incorrect data was communicated. If the data are to be used for direct marketing purposes, the data subject also has the right to object, free of charge, to such processing and the data controller must inform the data subjects of such right.

iii Technological innovation and privacy law

Cloud computing

Cloud computing raises a number of potential risks. First, there is the (potential) lack of transparency and information in relation to who controls the personal data in the cloud, where they are stored, who has access to the data, whether there are any data transfers, etc. A second issue is the responsibility and liability of the data controllers and processors.
Finally, as was demonstrated recently when hackers were able to get access to celebrity photographs stored in Apple's iCloud, the use of cloud services may involve risks with respect to data security. The DPA is currently preparing two documents related to cloud computing. The first one will be an advisory document regarding the risks of implementing a cloud strategy in the public services, including the federal police services and the Department of Defence; the second document will be a recommendation on the use of cloud services for private companies, which will contain an outline of the legal regime as well as guidelines for information security. It will in particular deal with the issue of server location and, related thereto, the responsibility of each of the parties involved in the process. It will most likely be in line with the EU Article 29 Working Party's Advice 05/2012 on cloud computing.

Automated profiling

The DPA has not yet issued any recommendation or opinion on automated profiling. It can be expected, however, that it will take a position similar to the position of the Article 29 Working Party. The Working Party adopted an advice paper on profiling on 13 May 2013, in which it stated that Article 20 of the Data Protection Regulation should be improved by including additional elements in order to provide for a balanced approach on profiling and mitigate the risks for data subjects. This implies more transparency, an increase of the data subjects' control, more responsibility and accountability of the data controllers, as well as a balanced and case-by-case approach, taking into account the degree of intrusiveness of a specific processing type or measures on data subjects.

Cookies

The use of cookies is regulated by Article 129 of the Act of 13 June 2005 on electronic communications, as amended by the Act of 10 July 2012. The latest amendment provides that cookies may only be used with the prior consent of the data subject (i.e., opt in rather than opt out), who must be informed of the purposes of the use of the cookies as well as of his or her rights under the Data Protection Act. The consent requirement does not apply to cookies that are strictly necessary for a service requested by an individual. The user must be allowed to withdraw their consent free of charge. According to the DPA, consent may not be obtained through current browser settings. In May 2014, the DPA issued an additional draft recommendation on the use of cookies, in which it provides further guidance regarding the type of information that needs to be provided and the manner in which consent should be obtained. According to the DPA, a general and unconditional consent for the use of cookies is not recommendable. A data subject should rather be given the possibility to accept or decline the use of each specific category of cookies.

Electronic marketing

Electronic marketing and advertising is regulated by the provisions of Book XII (Law of the Electronic Economy) of the Code of Economic Law, as adopted by the Act of 15 December 2013. Pursuant to Section XII.13, the use of e-mails for advertising purposes is prohibited without the prior, free, specific and informed consent of the addressee. Such consent can be revoked at any time, without any justification or any cost for the addressee.
The sender must clearly inform the addressee of its right to object to the receipt of any future e-mail advertisements and of how to exercise such right via electronic means. The sender must also be able to prove that the addressee requested the receipt of electronic advertising. The sending of direct marketing e-mails does not require consent if they are sent to a legal entity using impersonal electronic contact details (e.g., info@company.be). The use of addresses such as john.doe@company.be, however, remains subject to the requirement for prior consent.

Employee monitoring

Employee monitoring is strictly regulated under Belgian law. Monitoring with surveillance cameras is subject to the provisions of Collective Bargaining Agreement No. 68 of 16 June 1998, which provides that surveillance cameras are only allowed in the workplace for specific purposes, in particular: the protection of health and safety; the protection of the company's assets; control of the production process; and control of the work performed by the employees. In the latter case, monitoring may not be permanent, but only on a temporary basis. Employees must also be adequately informed of the purposes and the timing of the monitoring.

With respect to monitoring of e-mails and internet use, Collective Bargaining Agreement No. 81 of 26 April 2002 imposes strict conditions. Monitoring cannot be carried out systematically and on an individual basis. A monitoring system for e-mails and internet use should be general and collective, which means that it may not enable the identification of individual employees. Only if the collective monitoring has unveiled an issue that could bring damage to the company or that could threaten the company's interests or the security of its IT infrastructure may the employer proceed to identification of the employees concerned. If the issue only relates to a violation of the internal (internet) policies or the code of conduct, identification is only allowed after the employees have been informed of the fact that irregularities have been uncovered and that identification will take place if irregularities occur again in the future. Finally, GPS monitoring in company cars is only allowed under Belgian law with respect to the use of the company car for professional reasons. Private use of the company car (i.e., journeys to and from the workplace and use during private time) cannot be monitored.

IV INTERNATIONAL DATA TRANSFER

Cross-border data transfers within the EEA or to countries that are considered to provide adequate data protection in accordance with EU and Belgian law are permitted. Transfers to other countries are only allowed if the transferor enters into a model data transfer agreement (based on the EU standard contractual clauses) with the recipient or if the transfer is subject to binding corporate rules. Transfers to the US are also allowed if the recipient has committed to the Safe Harbor Principles.
As an exemption to the above, transfers to countries not providing adequate protection are also allowed if the transfer:

a is made with the data subject's consent;
b is necessary for the performance of a contract with, or in the interests of, the data subject;
c is necessary or legally required on important public interest grounds or for legal claims;
d is necessary to protect the vital interests of the data subject; or
e is made from a public register.

Copies of executed EU standard contractual clauses must be submitted to the DPA for information. The DPA will check their compliance with the standard contractual clauses and will subsequently inform the data controller whether the transfers are permitted. Data controllers need to wait for this confirmation from the DPA before initiating their international data transfers. The DPA has approved the use of binding corporate rules in Belgium. Such binding corporate rules must be ratified by an individual Royal Decree issued by the Ministry of Justice after advice from the DPA.

V COMPANY POLICIES AND PRACTICES

Although companies are not explicitly required under Belgian law to have online privacy policies and internal employee privacy policies, in practice they need to have such policies in place. This results from the obligation, under Belgian data protection law, for data controllers to inform data subjects of the processing of their personal data (including the types of data processed, the purposes of the processing, the recipients of the data, the retention term, information on any data transfers abroad, etc.). As a result, nearly all company websites contain the required information in the form of an online privacy policy. Likewise, companies often have a separate internal privacy policy for their employees, informing the latter of the processing of their personal data for HR or other purposes. Such policy sometimes also includes rules on e-mail and internet use. Some companies include the privacy and data protection information in their work regulations. This is the document that each company must have by law and which sets out the respective rights and obligations of workers and employers. The work regulations also provide workers with information about how the company or institution employing them works and how work is organised.

The appointment of a chief privacy officer is not very common in Belgium, except within large (and mostly multinational) corporations. Such corporations often also have regional privacy officers. In smaller companies, the appointment of a chief privacy officer is rare. However, given the increasing importance of privacy and data security, even smaller companies often have employees at management level who are in charge of data privacy compliance (often combined with other tasks).
In this respect, it should be noted that in Belgium, unlike in some other European countries, the appointment of an independent data protection officer, who is responsible for compliance and acts as the go-to person for the authorities, is not required by law.

As a result of the increasing importance of data privacy and security, a substantial number of companies have conducted privacy audits in the past decade, in order to get a clear view of their data flows and security measures. Such audits have often resulted in the implementation of overall privacy compliance projects, which included the review and update of IT infrastructure, the conclusion of data transfer agreements or adoption of binding corporate rules, the review and update of existing data processing agreements with third parties, etc. In large organisations, it is considered best practice to have written information security plans. Although this is also not required by law, it proves very useful, as companies are required to fill out a list of existing security measures when they notify their data processing operations to the DPA. The DPA has also recommended that companies have appropriate information security policies in order to avoid or address data security incidents.

VI DISCOVERY AND DISCLOSURE

Pursuant to the Belgian Code of Criminal Procedure, the public prosecutors and the examining magistrates have the power to request the disclosure of personal data of users of electronic communications services (including telephone, e-mail and internet) in the context of criminal investigations. Examining magistrates may also request the technical cooperation of providers of electronic communications services and network operators in connection with wiretaps. The personal and territorial scope of application of these powers is currently the subject of a heated debate before the Belgian Supreme Court. In 2009, Yahoo! was prosecuted for non-compliance with the provisions of the Code of Criminal Procedure, as it had refused to disclose certain personal data related to a Yahoo! account that had been used in connection with a drug-related criminal offence. More recently, another service provider has been charged with non-compliance as a result of its lack of technical cooperation in connection with a wiretap on the communications of one of its Belgian users. The discussion in both cases deals with two issues: first, can Yahoo! (and similar service or software providers) be considered as providers of electronic communications services, and second, does the duty of cooperation set forth in the Belgian Code of Criminal Procedure apply to foreign entities that have no physical presence (no offices, infrastructure, servers, etc.) in Belgium (and if so, can it be enforced against them by the Belgian courts)? A detailed discussion of both questions is beyond the scope of this chapter, but it is interesting to note that the Supreme Court has already issued two surprising decisions in the Yahoo! case that may have far-reaching consequences. In its first decision, the Court extended the scope of the definition of providers of electronic communications services, so that it includes not only service providers that take care of the transmission of signals and data over electronic communications networks, but anyone offering a service that allows its customers to obtain, receive or spread information via an electronic communications network. This new definition seems problematic for multiple reasons.
First, the Supreme Court disregards the very clear definition of providers of electronic communications services set forth in the Act of 13 June 2005 on electronic communications. Second, its own definition is very vague and gives courts a great margin of appreciation, which goes against the principle of legal certainty (in particular in criminal matters). However, it can be expected that in the future, the duty to disclose personal data will not only apply to traditional internet access providers and telephone companies, but also to a wide variety of online software or service providers. The second decision of the Supreme Court in the Yahoo! case is even more important from an international perspective. The Court ruled that even though Yahoo! had no physical presence in Belgium, the provisions of the Code of Criminal Procedure applied to it, as the service it offers can be used in Belgium via the internet. It also stated that the fact that the public prosecutor sent his request to disclose personal data directly to Yahoo! in the United States (without making use of the procedures set forth in the applicable treaties regarding mutual legal assistance in criminal matters) did not make such request invalid or unenforceable. This latter decision essentially implies that foreign entities offering an online service (or software) are subject to Belgian criminal law as soon as such service or software can be used in Belgium, and that the Belgian Public Prosecutor has the power to enforce Belgian criminal law against such foreign entities without the intervention or assistance of the judicial authorities of the state of residence of these entities. Obviously, this position taken by the Supreme Court would also imply that foreign judicial authorities could enforce their national criminal law against service providers located in Belgium, and do so without assistance from the Belgian courts. As the Yahoo! case is currently pending before the Supreme Court for the third time (after the Court of Appeals found Yahoo! guilty), it is too early to draw any final conclusions, but if the Court maintains its position, this may have important implications for the international system of mutual legal assistance in criminal matters.

VII PUBLIC AND PRIVATE ENFORCEMENT

i Enforcement agencies

The Belgian enforcement agency with responsibility for privacy and data protection is the Belgian DPA. The DPA's mission is, among other things, to monitor compliance with the provisions of the Data Protection Act. To this end, the DPA has a general power of investigation with respect to any type of processing of personal data and may file a criminal complaint with the Public Prosecutor. It may also institute a civil action before the President of the Court of First Instance. However, the DPA cannot impose any administrative penalties upon individuals or organisations. In response to complaints filed by individuals, it will try to reach a solution by mediating between the parties, but if no solution can be found, the parties will need to go to court to settle their dispute. Although the DPA has the authority to conduct raids and investigations, these are quite rare due to a lack of sufficient resources.

ii Recent enforcement cases

With respect to cases handled by the DPA, no information about individual complaints has been made publicly available. According to the DPA's 2013 annual report, 3,532 new files were opened, compared with 2,896 files opened in 2012.
The types of requests that were most commonly handled by the Commission in 2013 related to: the processing of identification data (44 per cent); the processing of image and sound (22 per cent); the processing of financial data (9 per cent); the processing of electronic identification data (9 per cent); and the processing of judicial and secret data (7 per cent). The most important enforcement case before the Belgian courts is the Yahoo! case, which has been discussed under Section VI, supra. This year, a similar enforcement case has been started against Skype.

iii Private litigation

Private plaintiffs may seek judicial redress before the civil courts on the basis of the general legal provisions related to tort or, in some cases, contractual liability. In addition, they may file a criminal complaint against the party that committed the privacy breach. Financial compensation is possible, to the extent that the plaintiff is able to prove the existence of damages as well as the causal link between the damage and the privacy breach. Under Belgian law, there is no system of punitive damages. Class actions were traditionally not possible under Belgian law until 1 September 2014, when a new Act on Class Actions entered into force. So far, there are no known cases of class action lawsuits filed in connection with data privacy.

VIII CONSIDERATIONS FOR FOREIGN ORGANISATIONS

Organisations based or operating outside Belgium may be subject to the Belgian data protection regime to the extent that they process personal data in Belgium. Physical presence in Belgium (either through a local legal entity or branch office, with or without employees, or through the use of servers or other infrastructure located on Belgian territory) will trigger the jurisdiction of Belgian privacy and data protection law, even if the personal data that is processed in Belgium relates to foreign individuals. Foreign companies using cloud computing services for the processing of their personal client or employee data may therefore be subject to Belgian law (with respect to such processing) if the data is stored on Belgian servers. In principle, the mere provision of online services to persons in Belgium, without actual physical presence, will not trigger Belgian jurisdiction. However, as discussed under Section VI, supra, according to a recent Supreme Court decision, the Belgian judicial authorities would have jurisdiction over foreign entities providing online services or software to users in Belgium, even if they are not present in Belgium. This is certainly an issue to follow up, as it may have an important impact on the territorial scope of application of Belgian law.

IX CYBERSECURITY AND DATA BREACHES

As a member of the Council of Europe, Belgium entered into the Council's Convention on Cybercrime of 23 November 2001. Belgium implemented the Convention's requirements through the amendment of the Act of 28 November 2000 on cybercrime, which introduced cybercrime into the Belgian Criminal Code. With the Act of 15 May 2006, Belgium also implemented the requirements of the Additional Protocol to the Convention on Cybercrime of 28 January 2003, concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems.
On 17 July 2014, the Belgian government announced that it had finalised its Royal Decree on the establishment of a Cybersecurity Centre. The Cybersecurity Centre's tasks would be to monitor the country's cybersecurity and manage cyber incidents. It would also oversee various cybersecurity projects, formulate legislative proposals relating to cybersecurity, and issue standards and guidelines for securing public sector IT systems. The Cybersecurity Centre is expected to be operational by the end of 2014.

Article 114/1, Section 2 of the Electronic Communications Act of 13 June 2005 requires companies in the telecommunication sector to immediately (within 24 hours) notify personal data breaches to the DPA, which must transmit a copy of the notification to the Belgian Institute for Postal Services and Telecommunications. If there is a breach of personal data or privacy of individuals, the company must also notify the data subjects affected by the breach. The Belgian Data Protection Act does not, however, provide for a general data breach notification obligation. In 2013 the DPA was confronted with a series of data security incidents of which it only became aware after those incidents were published in the media. Unable to change the legislation itself (which, of course, would require legislative intervention), the DPA issued a recommendation upon its own initiative, stating that