Belgian DPA publishes Annual Report of 2021 as well as priorities for 2023

On 16 November 2022, the Belgian Data Protection Authority (the DPA) released its long awaited Annual Report of 2021. It is a voluminous report of more than 55 pages. Below we summarise for you the main points of this Annual Report. 

The report highlights the DPA’s major activities from last year, naming 2021 as the year the number of cases burst at the seams. It was a true record year in terms of workload for the DPA. The number of incoming files increased dramatically, with 279 requests for advice (+87.25% over 2020) and almost triple the amount of complaints compared to 2020. The large difference from previous years is largely explained by a rain of complaints about 1 specific data breach at the social network Facebook (1,120 complaints). The DPA also received 142 mediation requests (+67.06% over 2020) and processed 4,207 information requests (+2.43%). 

“Look before you leap”, with these wise words, brand new President Cédrine Morlière began the introduction to the report, in which she emphasised the importance of the data protection impact assessment (DPIA).

The DPA's focus in 2021 was on several key themes, which were also included in the DPA's 5-year strategic plan, including:

• direct marketing: the First Line Service received a large number of information requests, mediation requests and complaints regarding the processing of personal data related to direct marketing activities. Numerous decisions by the Litigation Chamber followed logically, but the DPA also actively engaged in contacting companies regarding their direct marketing practices. The DPA specifically addressed practices of data brokers and companies with affiliate marketing activities;
• sensitive data: the DPA published a recommendation on biometric data setting out the principles and paying particular attention to the legal basis, noting that there is a shortcoming in Belgian law;
• the DPO: the DPA aims to support DPOs as allies and provides practical tools to accomplish their mission. In total, there were 7,041 DPOs registered at the end of 2021. 1,788 of them registered in 2021; and
• children and teenagers: informing minors about data protection was explicitly included in the DPA's duties prescribed by law, making it considered a priority by the DPA. Despite the many successful projects launched by the DPA, the DPA also hopes to receive more operating funds to pursue this objective in future years.

Dealing with data breaches continued to be a major focus for the DPA in 2021. The DPA opened 1,435 data breach files, up from 1,054 in 2020 (+36.15%). It also opened 35 monitoring files, compared to 30 in 2020 (+16.67%). Almost half of the data breach notifications concerned human errors, and almost a quarter involved phishing, hacking or malware. Moreover, the DPA also acted more proactively, in part by identifying potentially unreported data breaches. Concerning awareness, the DPA contributed to the new EU practical guidelines with examples of data breaches.

In 2021, several important developments occurred in the area of international data transfers. To help controllers and processors in the EU determine whether a processing operation constitutes an international transfer and to achieve a common understanding of the concept of international transfer, the DPA within the EDPB contributed to the publication of Guidance 05/2021 and Recommendations 01/2020. Following the European Commission's decisions on the adequacy of the level of data protection in the United Kingdom and the Republic of Korea and the publication of new standard contractual clauses (SCCs), the DPA has regularly updated its website to provide data controllers and processors with comprehensive and up-to-date information on this topic. The DPA has also assisted controllers and processors in the application and approval of instruments for transfers, with the General Secretariat approving six binding corporate rules in accordance with the consistency mechanism provided for in Article 63 of the GDPR, and took a decision approving an administrative arrangement between the Public Company Accounting Oversight Board (PCOAB) and the College of Supervision of Company Auditors / Collège de Supervision des Réviseurs d'Entreprise (CTR-CSR) in accordance with Article 4(3)(b) of the GDPR.

The Knowledge Centre received nearly 50% more requests for advice in 2021 as in 2020. In addition to opinions on measures related to the fight against COVID-19, the Knowledge Centre had to express its opinion on various topics such as the retention of metadata on telecommunications, public statistics or the expanded access to the banking data of Belgians. The key advices are included and further explained in the Annual Report.

Neither did the Inspection Service stand still in 2021. However, the ongoing Covid-19 situation threw a spanner in the works and caused regular adjustments to the objectives set by the Inspection Service. Investigative actions of a site visit and/or interrogation proved to have particular potential in terms of efficiency and speed of investigation compared to the traditional way of questioning through sending out letters and emails. In total, the Inspection Service conducted 142 investigations in 2021 compared to 152 in 2020 (-6.58%), most of them on the initiative of the Litigation Chamber. 

Finally, the DPA carried out a lot of work in the field of enforcement in 2021. The Litigation Chamber paid great attention to the consistent performance of its duties and further developed its methodology. The Litigation Chamber's mission was threefold:

• to provide an effective and accessible procedure, which would take into account basic procedural safeguards; 
• contributing to a consistent interpretation of the GDPR in its rulings; and
• dealing with cross-border cases within the European Union.

However, due to the large volume of complaints, the Litigation Chamber was forced to prioritise, in part by issuing a dismissal policy. The Litigation Chamber was also confronted with a number of "mass complaints" (thematic files involving a large number of data controllers) and files that are urgent because of the public interest, such as Covid-related complaints. In total, the Litigation Chamber issued 143 decisions in 2021 compared to 83 in 2020 (+72.29%). The total amount of fines imposed through these decisions was EUR 301,000. 

10 new appeals were filed in 2021 against decisions of the Litigation Chamber. In 2021, the Market Court ruled in 15 ongoing appeals, in which 12 final decisions and 3 interlocutory decisions were rendered and in which 9 decisions were overruled – in whole or in part. In its case law, the Market Court sets high procedural requirements for the functioning of the Litigation Chamber. In the majority of cases, annulment decisions were also issued in 2021 on procedural grounds, but in some cases, however, the Market Court substituted its own substantive assessment for that of the Litigation Chamber.

On the occasion of its budget request for the year 2023, the newly appointed Executive Committee of the DPA communicated to the House of Representatives the major priorities for the coming year.

In carrying out its duties, the DPA tries to strike a balance between, on the one hand, good information on the applicable rules (prevention/awareness-raising) and, on the other hand, enforcement (supervision/sanctions). Accordingly, the DPA has chosen to list priorities for all its bodies together. Subject to sufficient resources - a criticism also addressed in the Annual Report of 2021 - the following will be the DPA's main priorities in 2023:

• cookies: since a harmonised position at the European level on this issue is currently lacking, the DPA will strive to make its position on cookies even more explicit; 
• the DPO: given that the DPO is the DPA's ally on the ground, the DPA will continue to support this crucial role, both in terms of preventive actions (in particular, by emphasizing the DPO's role in exercising the rights of complainants), and in terms of supervision (for example, the Inspection Service will examine the place of the DPO in organisations under investigation);
• smart cities: the DPA would also like to develop prevention actions and engage in dialogue with local actors in the field of so-called ‘smart cities’ (e.g. intelligent transport); and
• youth awareness: the DPA would like to continue the successful awareness-raising project "I decide" (“ik beslis”/ “je decide”), targeting young people on the one hand and parents and teachers on the other.

In addition to these common points for all DPA bodies, priorities specific to certain bodies may also be identified in the coming year, especially based on recurring requests for information or complaints. For example, the Inspection Service and the Litigation Chamber will continue to investigate and, if necessary, sanction data brokers who often process personal data on a very large scale.

It is therefore our expectation that many companies will face this active regulator, be it in proceedings before the Litigation Chamber, investigations by the Inspection Service, or questions posed to or by the DPA. In any case, Lydian closely follows the developments of the DPA so that it can assist its clients in case they come into contact with the DPA.