Six months of GDPR enforcement in Belgium: first statistics by the Belgian DPA

After several of our neighboring countries had previously released statistics for the first six months of GDPR supervision, the Belgian Data Protection Authority has now also issued a first status update six months after the GDPR became applicable. Some interesting statistics relate to the number of reports of data leaks and complaints received.

Slower start, but getting up to speed…

It took a little longer in Belgium than in the neighboring countries, but the Belgian Data Protection Authority now also seems to be getting up to speed.

In the Netherlands, the first systematic inspections in various sectors already started at the beginning of the summer, and hundreds of companies and organizations have since been screened by the Autoriteit Persoonsgegevens. The same goes for France and Germany. This has led to a large number of warnings and sanctions. Until recently, Belgium was lagging behind, and that was regarded by some professionals as a little worrying, since the lack of controls and clear guidelines from the Belgian government caused legal uncertainty and, in a sense, unequal competition for companies who follow the rules compared to those who don’t.

This was a somewhat unfortunate situation, which certainly was not due to a lack of dedication and good intentions on the part of the GBA, but undoubtedly to the sometimes somewhat complex organizational and administrative reality in Belgium. Among other things, the fact that the members of the new Belgian Data Protection Authority have yet to be appointed by the Belgian parliament is causing a considerable delay.

Fortunately, things are moving now and as soon as the DPA is fully operational, it will undoubtedly expand its activities in advice, control and sanctioning. This week the DPA already made the first figures in connection with its first activities public.

Data leaks

In the first six months since 25 May, the Belgian Data Protection Authority has been informed of 317 data leaks. In comparison, only 13 data breaches were reported last year, but at that time there was obviously no obligation to report.

It should be noted that at present there seems to be little active follow-up on the part of the Data Protection Authority following the reporting of a data breach. Several affected companies report that they receive little or no feedback from the DPA that could help them to assess whether their report met all the requirements, whether the measures taken are sufficient in the DPA’s eyes and whether they can expect any further action (fines) from the DPA.

The top five sectors that report data breaches are: 1) healthcare, 2) insurance, 3) government services and defense, 4) telecom and 5) financial services.

Compared to our neighboring countries, the observation is that elsewhere in Europe governments are far more reactive, both in the administrative follow-up of reported data leaks and in the imposition of sanctions in cases where the data leak is a consequence of a lack of GDPR compliance by the company or organization concerned.

In our view, it is in the interests of all data controllers and data processors that active follow-up of data leaks should take place in the near future and that both the number and the nature of the reported data leaks should be made public, together with the decisions taken by the DPA regarding further follow-up towards the companies and organizations involved, so that all controllers and processors can better assess their obligations in the context of reporting and following up data leaks at the DPA.

Complaints

The Authority reports having received 148 complaints in the past six months. That amounts to almost one complaint per day.

Here too, it is clear that these figures are still much lower than in our neighboring countries. From France there are monthly reports of 500 complaints since May 2018, in the Netherlands even 750. In both cases, the number of complaints in relation to the number of residents is much higher than the Belgian statistics.

A possible reason for this could be that the government has communicated much more actively about the GDPR in the neighboring countries, which could lead to citizens being better informed about their rights and making complaints easier or more frequent.

It is expected that the number of complaints will only increase in the future. After all, citizens will increasingly find their way to the GBA, partly because controllers in their privacy policy must explicitly mention the contact details of the DPA and because the DPA itself will be able to work at full speed.

Other figures

Some other released figures that are also remarkable show that the GBA was notified in the first six months of:

  • 3599 information requests (compared to 2145 requests for information in 2017)
  • 137 requests for advice (compared to 44 requests for information in 2017)
  • 2551 notifications of the appointment of a DPO (compared to 989 before May 2018)

First investigations announced

Along with the publication of the above figures, the GBA has announced that it has started the first inspections. Sanctions are not yet expected in the first instance; the GBA had already announced in advance that it initially wanted to work in a consultative and warning way. Unlike in other EU member states, therefore, no GDPR fines have yet been issued.

In comparison:

Since the summer, hundreds of systematic inspections have been carried out in the Netherlands at companies from industries like travel, catering, communication, construction, industry, retail and distribution, in government departments, in banks and insurance companies and in hospitals and health care providers. This has led, among other things, to a penalty of 48,000 euros imposed on a bank that did not provide its customers with a copy of the personal data it processed in a timely manner.

In France, several hundred official checks were also carried out in various sectors. Based on complaints from the past, the French CNIL is focusing specifically on 3 sectors in 2018: HR and personnel data, the real estate sector and all kinds of payment apps for public car parks (which apparently gave rise to quite a few complaints in 2017). In France, as in Germany and the UK, dozens of fines have been imposed since May, ranging from 10,000 to 500,000 euros. Usually these are offenses that date from before 25 May and that are settled under the old law, but in any case they are indicative of the intentions of the governments in our neighboring countries when it comes to monitoring and sanctioning of GDPR violations. …

More information about the situation in Belgium, in our neighboring countries and in the rest of the world can be found in the presentation we recently gave at the Privacy Café of the Data Protection Institute.

Questions about data protection and GDPR in Belgium, Europe and the rest of the world?

Please feel free to contact our team at info@siriuslegal.be or +32 2 721 13 00