Skip to main content

Fraud Awareness Week

Share this page

The Belgian legislator adopted a new Act for the regulation of private investigations on 8 May 2024. 

This Act replaces the Act of 19 July 1991 regulating private detectives. Indeed, the current Act needed an update, because of developments in legislation, such as the data protection legislation, and because of changed possibilities regarding private investigation and the evolution of investigative techniques in general. 

As the Act should soon be published in the Belgian State Gazette and thereafter enter into force, the International Fraud Awareness Week is a good time to summarize and highlight the Act’s main topics, as well as to focus on the suggested next steps: 

  • The definition of private investigation and the scope of the private investigation Act
  • The impact on the course of private investigations and on the composition of the investigation team
  • Importance of GDPR for investigative activities
  • The probative value of the investigation report

What is private investigation?

Private investigations as defined by the Act are carried out by a physical person by order of a principal (such as, for instance, an employer) and refer to the activity of collecting information by processing information on physical persons or legal entities or concerning the facts committed by them. The purpose of the investigation is to provide the principal with the information gathered to safeguard his/her interests in the context of an actual or potential conflict or in order to trace missing persons or lost or stolen property. 

The Act has a broad scope of application: It does not only apply to companies with private investigation activities, but also to internal services for private investigation within companies. Such internal service refers to any service that is organized by a physical person or legal entity for its own benefit for the structural performance of private investigation activities or any service that presents itself as such. The term “structural” indicates that the activity must be embedded in the assignment of at least one employee. An internal service for private investigation could be a fraud cell of an insurance company or an in-house investigation department of a logistics service provider. 

Certain activities are explicitly excluded from the concept of private investigation, such as the professional activities of a lawyer, notary, journalist, etc. and the activity of claim settlement in the insurance industry, insofar as it is carried out without conducting fraud investigations. Another interesting example of what is not considered as a private investigation are the activities carried out in the fulfilment of legal obligations, like investigations conducted by a prevention advisor following a formal request for psychosocial intervention or the handling of complaints introduced through a whistleblowing channel. 

Whether or not a certain activity falls inside the scope of this Act, will probably be subject of debate and (future) case law. For example, how broad is the exception regarding investigations under the whistleblowing channel? The question arises whether private investigations which are the result of a notification through the whistleblowing channel are entirely excluded  from the rules set out in the Act, or whether those rules apply to certain stages of that investigation. Moreover, in practice many companies have introduced a whistleblowing policy with a wide scope of application, allowing whistleblowers to report on matters that fall outside the scope of the Whistleblowing Act. What is the impact of the broad scope of the whistleblowing policy on the (in)applicability of the new Act to such investigations.

Do HR departments fall within scope of the Act on private investigations?

Whether an HR department that occasionally conducts an investigation, falls within the scope of the Act is debated. 

For example, imagine an investigation is conducted by an HR manager to assess a potential termination for serious cause of an employee suspected of theft. Often only interviews are conducted, along with stock checks and potentially CCTV footage is checked. The investigation is led by an employee of the HR department: there is in that case no structural “internal service” in place. The Act excludes HR departments conducting an “incident investigation” in relation to one of its employees from the obligation of having an identification card or from being part of a licensed company or internal service. The Act also explicitly states that all other provisions of the Act still apply. 

The reference to “incident investigations” somehow confuses the scope of the legislation:

One interpretation of this specific exception for “incident investigations” could be that all HR investigations principally fall within scope of the Act, regardless of whether structural private investigation activities are usually carried out. If the private investigation is limited to the investigation of an incident in relation to one of its employees, there is no need to obtain an identification card or to have a license, but overall the Act will apply. This interpretation thus assumes that HR departments as a principle fall within the scope of the Act. 

Another interpretation, which is brought forward by public officials who were closely involved in the drafting of this Act, could be that although it is not clear from the wording of the Act, HR departments/investigations are excluded from its scope. They would only fall within the scope of the Act if they have “structural” investigation activities and thus if they qualify as a “structural” internal service. Many “incident investigations”, conducted from time to time by an HR department, will likely not reach the required threshold to qualify as “structural”. 

Game changer for private investigations?

The Act entails a lot of new rules for private investigative activities and will therefore have a significant impact on the private investigation sector. 

New or extended formalities include: a mandatory license, identification card, investigation file, assignment register, policy (for employers), investigation report and reporting obligation, etc. 

Not all formalities apply to all companies. If for instance an HR-department of a company is merely investigating an incident in relation to one of its employees, there is no need to have an identification card or to be part of a licensed company or internal service for private investigation. 

Apart from the formalities, the Act also creates a new framework for certain investigative activities such as conducting interviews, consultation of non-publicly automated files containing personal data and carrying out observations. For example, certain information must be disclosed to the interviewee prior to the start of the interview, the interviewee can be assisted by a person of their choice during an interview and an interview report, containing a list of information, should be drafted.

Composition of the investigation team

The Act has created a required profile for certain people involved in a private investigation, such as persons in charge of a company or an internal service, persons who are not in charge, but either are part of the board of directors, or exercise control over a company, contractors (i.e. the physical persons who accept the assignment on behalf of the company or the internal service), private investigators (i.e. the physical persons who carry out activities of private investigation) and persons with access to the (content of) reports of the private investigators or who may obtain knowledge of the personal data of those involved or any other person involved in a private investigation. 

This required profile might have some influence on the future composition of an investigation team.

Some examples of these personal conditions are related to age, a clean criminal record (albeit there are some exceptions), nationality, etc. 

Next to these personal conditions, there are also some integrity requirements. Integrity, loyalty and discretion are key characteristics of the perfect profile, as well as respect for fundamental rights and democratic values. 

More generally, it is recommended to think carefully about the composition of an investigation team. If the law foresees a deadline within which a decision has to be made to take action (e.g. to impose a sanction upon an employee, in case of a dismissal for cause of an employee or in case of the termination of a trade agent), it is recommended to only inform the competent persons after completing the investigation, once all the facts have sufficiently been identified, and not to involve them in the investigation. Therefore, when composing an investigation team, one should always bear in mind not to involve persons who can legally represent the principal and who are competent to impose a sanction, dismiss or otherwise terminate a work relationship. These persons should only be informed of the results from the investigation once it is finished. Otherwise, questions could arise afterwards at what point in time (during the investigation) the competent person had gained sufficient knowledge to take a decision. 

Transparency of private investigations

As stated above, the Act focuses on the rules set out in the GDPR and the protection of privacy of the person involved and other identifiable parties. The general rules on privacy, including the principles of legality, transparency, legitimate interest and proportionality, therefore apply to private investigations, unless the Act provides specific, restrictive, or additional rules or exceptions. 

Employers who order private investigations at work in relation to one of their employees, will only be able to do so in a valid way insofar a policy is put in place on the rules regarding the private investigation and the authorization to execute such investigation. This important new formality will determine the entire investigation’s validity as this requirement is prescribed under penalty of nullity. This new rule will not enter into force immediately as a transitory period is provided.

Wrap up of the private investigation

No later than one month after the last investigative act, a written investigation report needs to be drafted. If the principal decides to use the information in the final report, he/she informs the contractor, who accepted the assignment, at the latest within 30 days after receiving the report. The contractor needs to inform the person concerned (i.e. subject of the investigation) and other identifiable parties of whom personal data was processed on the identity and contact details of the data processor, the nature and purpose of the processing, start and end date of the private investigation, rights to review, complete, correct or remove incorrect personal data. The principal is not allowed to use this information for as long as the person concerned or identifiable parties were not informed and therefore able to exercise their right to review, complete, correct or remove incorrect personal data.

If the private investigator or the contractor receives an investigation assignment regarding facts which qualify as offences or which will clearly result in offences or if they discover any offences during the assignment, they are obliged to report this in writing to the prosecutor and/or to the investigating judge. This requirement only applies if the facts are clear and if the investigator or the contractor knew or should have known that these facts constitute criminal offences, for example theft or violence. The prosecutor or investigating judge can subsequently order the suspension or discontinuation of the private investigation.

Probative value and importance of compliance

If companies do not comply with the Act, administrative sanctions could be imposed. Other sanctions, such as criminal penalties for hacking, similarly remain relevant.

Moreover, the nullity sanction is not to be overlooked. The sanction of nullity is indeed provided in the Act for some rules and obligations (such as not having a policy on private investigation as an employer). If evidence has been collected in breach of these rules and obligations prescribed under penalty of nullity, any probative value of the investigative acts concerned is excluded upfront. In case of non-compliance with other provisions of the Act, not prescribed under penalty of nullity, the Antigone rule applies: the collected evidence can be relied upon before a court unless the reliability of the evidence has been adversely affected by the committed illegality or if the use of the evidence would violate the right to a fair trial of the person concerned. The Act stipulates that it is up to the courts to whom findings of a private investigation are submitted to decide on the probative value of those findings.

Even for HR departments, it is highly recommended to consider the rules and guidelines provided by the Act as a good practice when conducting an interview or drafting an investigation report, etc. Moreover, it should be checked whether a company has all required policies in place to check CCTV footage, monitor email communication, use a track-and-trace system on a company car, etc. in compliance with the GDPR and other legislation. It cannot be ruled out that courts will rule in a more severe way and exclude findings of private investigations that do not respect these rules.

Next steps: how to prepare?

As mentioned above, the Act has not entered into force yet. It is expected that the Act will be published in the Belgian State Gazette and enter into force over the coming weeks. 

The legislator took, to some extent, the significant impact of the Act into account by providing some transitional provisions. For instance, and subject to compliance with certain conditions, companies or internal services carrying out private investigations will be given a 6-month period to apply for a license after the Act enters into force. Without the proper training and an identification card, employees of these companies or internal services are allowed to conduct their activities for an 18-month period. Principals/employers wishing to carry out a private investigation concerning an employee, will enjoy a 2-year period to draft or adopt their policy on private investigation in the workplace.

This does not mean that today no preparation or action can be taken as an organization. As fraud incidents and other (criminal) incidents are sadly taking place, organizations need to be able to deal with these facts once they occur. 

In preparation of this new Act, we recommend the following guidelines for organizations and HR-services:

  1. Take preparatory actions and verify your data storage and retention policies, as well as other policies in relation to the control of CCTV footage, electronic online communication, etc. and make sure that the relevant policies of the organization meet the regulatory requirements and allow to collect and analyze data that might need to be investigated. 
     
  2. Prepare a policy (as an employer/principal) on private investigations, as well as the modalities, and make sure the policy is aligned with the policies considered in the previous bullet point. If a company would ever consider or would need a private investigation, either conducted by an external company or an internal service, the internal policy on private investigations is an absolute requirement to start the investigation. Employers have two years’ time to implement such policy, but we recommend to start in due time. We have a template available which can be used as a work tool for organizations to create their own policy. Moreover, most rules set out in the Act will apply as of the 10th calendar day following publication in the Belgian State Gazette. That means that as of that moment in time, investigation methods (such as interviews), investigation reports, etc., need to comply with the Act.
     
  3. Think about a clear timeline in relation to the timing and duration of the investigation, access to relevant information (hard copy documents, other information sources, etc.), reporting, etc.
     
  4. Think about the composition of a proper investigation team, that can potentially meet the personal and integrity requirements.
     
  5. If needed (e.g. if your organization has an internal service) apply for a permit in due time.

Authors