Belgian DPA publishes Annual Report 2023

Staff expansion and reconstitution of the Executive Committee

With a significant increase in the number of complaints and legislative opinions to be handled by the Knowledge Center, the expansion of the DPA's staff was long awaited. According to the DPA, this recruitment will enable the DPA to fulfil its core tasks in 2024: to supervise, but also to support citizens, data controllers and public authorities in implementing privacy and personal data protection rules. The DPA is performing this mission in an increasingly complex context, with the development of issues related to artificial intelligence and a new European legal framework for the digital space in addition to the GDPR.

Change also came at the highest level within the regulator in 2023. The five-member Executive Committee of the DPA has been complete again since 26 June 2023, with the appointment of Anne-Charlotte Recker, Director of the First Line Service, and Koen Gorissen, Director of the General Secretariat.

European cooperation

The DPA actively contributed to the work of the European Data Protection Board (EDPB). Moreover, the Annual Report describes the main conferences where the DPA was represented, which allows the DPA to share its knowledge, learn, meet its European colleagues and exchange best practices with them.

Cookies

Because of increased public worry and data controllers' need for help to follow cookie rules, the DPA made cookies (and other trackers) a key focus in 2023. The DPA therefore set about creating tools to raise awareness about the use of cookies and, through the EDPB, helped to harmonise positions on cookies at the European level:

• Cookie Banner Taskforce: the EDPB published a report on the work of its "Cookie Banner Taskforce". The DPA also published a summary thereof, which lists the main take-aways, such as on pre-ticked boxes, legitimate interest and the lack of a "refuse all" button;
• Cookie Checklist: the DPA published a simple checklist that goes step-by-step through the "do's and don'ts" with cookies and other similar tracking mechanisms;
• EDPB Guidelines 2/2023: the EDPB published guidance on the scope of Article 5(3) of the ePrivacy Directive. This allows data controllers to better understand which Internet user tracking technologies are covered by this Directive;
• Enforcement Actions: in 2023, the DPA also applied the rules on cookies and other trackers in practice, particularly in its compliance monitoring tasks for data controllers; and
• Update own practices: the DPA also updated its own cookie banner on its websites.

DPO

The DPA considers the role of the DPO to be particularly important, as they are seen as a protector of citizens' personal data on the ground. In 2023, the DPA started a conversation with actors in the field to understand their challenges and offer practical solutions. Meanwhile, the Inspection Service and the Litigation Chamber kept conducting their investigations to support the independence of the DPO and the sufficient provision of resources, such as the time the DPO can spend on data protection matters and training needs.

The DPA's priority regarding the DPO was also demonstrated by the organisation of the DPO Day and the adoption of several decisions by the Litigation Chamber about the role and the position of the DPO. The DPA also stated that the DPO will remain a significant issue in the future years.

Raising awareness

In 2023, the DPA still raised awareness among its audiences, especially with the main information product "I decide", which teaches children and young people about privacy. Also, the First Line Service educated the public with legal and technical information, such as thematic sheets and FAQ, for both data subjects and data controllers.

Artificial Intelligence

The DPA has been following the advances in artificial intelligence technologies closely. It recognizes the possibilities, but it will also be careful to make sure that the principles of the GDPR are respected. The DPA thinks that particular care should be given to the higher risk of data processing with changing, self-learning parameters, called "machine learning", which has already received a lot of criticism from the Court of Justice of the European Union (CJEU).

The DPA has participated in this matter by giving opinions on draft laws and by advising the Chamber of Representatives on the "ethical and societal aspects of artificial intelligence". The DPA is also looking into complaints about chatbots.

Binding Corporate Rules (BCR)

At a time when international transfers are a contentious issue, the General Secretariat's role in adopting binding corporate rules is crucial. Out of 8 files submitted, 4 were approved in 2023. In addition, the DPA worked with the EDPB to publish the final version of Recommendations 1/2022 on the Approval Application and on the elements and principles to be included in Controller Binding Corporate Rules (Art. 47 GDPR).

Data Protection Impact Assessments (DPIA)

If a DPIA shows that processing would be high-risk without risk-reducing measures, the controller must ask the supervisory authority before processing. The Act establishing the DPA says in Art. 20 §1, 3° that the General Secretariat should give this advice. But data controllers rarely do this. So, in 2023, they only sent two matters, and the General Secretariat gave one opinion and rejected one matter.

Data breaches

Ransomware attacks hit many Belgian cities and municipalities in 2023. The DPA's ninth newsletter had a regular section called "Recommendations to prevent data breaches" that focused on this kind of data breach.

The DPA gave some useful advice in its tenth newsletter. It covered the issue of online testing environments that are not secure enough; and the handling of personal data in a paper file or to be put in one.

The EDPB published the definitive version of the updated Data Breach Notification Guidelines on 4 April 2023, after a public consultation in October 2022. The DPA was a co-reporter for these Guidelines.

The number of data breach notifications decreased slightly in 2023. There were 1,292 reports, of which 43% were related to human error and 32% to hacking, phishing or malware.

The General Secretariat dealt with 1,080 cases of data breaches in 2023. Most of these were resolved without finding any major breaches, sometimes after getting more information from the controller. In three cases, where the General Secretariat itself acted on its own accord, the Executive Committee was asked to refer them to the Inspection Service, as they involved possible data breaches that were not reported.

Mediation files

The First Line Service receives incoming complaints and mediation requests and examines their admissibility. To improve the effectiveness of procedures, since the last quarter of 2023, the service has been working to better support citizens who have filed a complaint by proposing, after analysis, mediation in the files that lend themselves to it. If the dispute is not resolved satisfactorily at the end of the mediation, dispute proceedings are initiated.

A total of 214 mediation files were overseen in 2023. The areas in which most mediation files were initiated are:

• trade practices (including direct marketing); 
• telecommunications (including cookies and social media); and 
• image processing and (security) cameras.

The result for 2023 is 132 completed mediation files, of which just under half (59) resulted in a successful outcome. However, only a minority (28) of the files were converted into a complaint and forwarded to the Litigation Chamber.

Complaints

A total of 694 complaints were received by the First Line Service. Out of these, 254 (36.5%) turned out to be inadmissible. The areas to which most complaints relate are:

• trade practices (including direct marketing);
• image processing and (security) cameras; and
• data processing within an employment context.

Like the increase in the number of mediation requests received, the number of complaints submitted to the DPA is on the rise (up 15% by 2023).

In 2023, the Knowledge Center had to deal with a rapid increase of files, leading to 611 requests for guidance. In 2023, it issued 546 opinions (including 131 in-depth opinions and 415 standard opinions) on draft laws and regulations. The Knowledge Center focused on legislative opinions, especially on topics that affect the everyday lives of citizens, as it expected to have more opportunities for recommendations from its own initiative. Some examples are a draft decree of the Walloon Government on the pricing method for smart meters, the pupil support package in the Walloon-Brussels Community, and a decree changing the organisation of education in the Flemish Region.

Based on the Act that created the DPA, the Inspection Service has many ways to investigate. The Belgian Whistleblower Act adds to these powers. The Inspection Service can investigate external reports under the whistleblower rule if they are sent directly or through the Federal Ombudsman, following a set protocol between them and the DPA. The Inspection Service also has a Charter that gets updated regularly based on new practices and insights.

The Inspection Service observes that cases become more complicated, not only in terms of content, but also in terms of procedure. The Inspection Service has received occasional feedback that the number of questions asked does not always appear to be proportionate to the file or that the questions are very general. However, the goal of the Inspection Service is not only to examine a file against the controller, but also to raise awareness. In this way, the controller is encouraged to think carefully about various aspects of its processing operations and can evaluate more accurately whether its processing operation(s) comply/complies with the GDPR or not and, if necessary, make changes.

However, the Inspection Service sees that, even though the GDPR has been applicable since 25 May 2018 (and even in force since 2016), there is still a lot of work to be done by businesses. A data controller can no longer be unaware. On the positive side, when the Inspection Service detects that the controller cooperates immediately and wants to adopt a constructive attitude by acting in a solution-oriented manner and considering the Inspection Service's remarks, the Inspection Service often closes concrete files. The concrete results achieved after the intervention of the Inspection Service lead directly to better GDPR compliance.

The Litigation Chamber sent 70 new files to the Inspection Service, with some common groups of investigation topics:

• Camera legislation: the Inspection Service notes that there are still individuals and companies unaware of the privacy impact of surveillance cameras. Local police departments are being called upon to make the determinations;
• Privacy statement: since the website should be the business card of the data controller, the Inspection Service continues to see the privacy policy and cookie statement as an important priority; and
• Direct marketing: a lot of attention was also paid to direct marketing. Here, the Inspection Service makes the comparison with an iceberg where the impact of the part above the waterline does not always seem to cause problems, but especially the less transparent part below the waterline can cause problems, as for example in the case of "data brokers".