2021
The Belgian DPA publishes its annual report 2020
The year 2020 was marked by an unprecedented health crisis, which also had a significant impact on data protection and the work of the Belgian Data Protection Authority. As a result of the increased awareness of citizens about the importance of protecting their data, the year 2020 saw a sharp increase in the number of complaints (+ 290.64%) and data breach notifications (+ 25.09%) received by the BE DPA and, more generally, a significant increase in the DPA's workload. In 2020, the DPA has therefore focused on the supervision of initiatives to fight the coronavirus involving data processing, while not losing sight of all the other priorities identified in its Strategic Plan 2020-2025.
Covid-19 : the biggest privacy challenge of the year
Despite limited resources, the BE DPA, faced with numerous processing operations of (often sensitive) data linked to the crisis, has spared no effort in terms of awareness-raising, in particular by creating a dedicated Covid-19 page on its website (in Dutch and French), which is regularly updated with new guidelines and frequently asked questions for citizens and controllers alike. These initiatives are perfectly in line with the BE DPA’s vision that "prevention is better than cure".
It also issued, sometimes with urgent deadlines, numerous opinions on normative texts setting up data processing operations by the State to combat the current health crisis (collection, recording and use of data, particularly health data, in the context of contact tracing, vaccination or the monitoring of compliance with testing and quarantine rules, for example). The BE DPA was also asked to give an opinion on the data protection impact assessment of the mobility index considered by the (previous) Government, as well as on the DPIA related to the Coronalert application. You can consult the list of opinions related to Covid-19 on our website available (in French or Dutch).
Finally, the BE DPA increased its vigilance, by reacting to numerous alarming initiatives such as the taking of passengers' temperatures at Brussels Airport, or a municipal initiative to impose Covid-19 tests. Several cases related to the coronavirus have been opened and are currently being examined by the Inspection Service and/or the Litigation Chamber of the DPA. In 2021, the latter published its first decision specifically related to Covid-19 ("Cameras on the Belgian coast" available in French or Dutch).
Major projects 2020
Despite all the work to be done in the context of the health crisis, the BE DPA also continued to work on its 2020-2025 priorities. For example, it published a comprehensive recommendation on data processed for direct marketing purposes, a recurring topic in information and mediation requests, but also in complaints and inspections.
The BE DPA also focused on data protection online, notably with the launch of a large-scale “pilot” investigation on the use of cookies by a series of popular Belgian media websites. The biggest fine ever imposed by the BE DPA (EUR 600,000) also concerns online privacy, as it was imposed on Google Belgium's for failing to respect a citizen's right to be forgotten*. (*This decision is currently under appeal)
In line with its missions of information sharing and awareness-raising ("simplifying and clarifying the rules"), it has taken initiatives and developed a whole series of tools, for example for children and young people (www.jedecide.be / www.ikbeslis.be), or for data protection officers (DPOs) and SMEs. It has also redesigned its website to make it as clear and accessible as possible and has reworked the communication of its First Line Service, which is in direct contact with citizens and data controllers.
Finally, in 2020 it paid great attention to its 'public authorities' priority, in particular in the context of their data processing initiatives related to Covid-19, but also in several decisions of its Litigation Chamber, which reminded various public organizations of the importance of the principles of transparency, lawfulness and data protection by default, for example, in their management of the personal data of Belgian citizens.
The year 2020 in figures
The number of complaints rose sharply in 2020, with 668 files: a growth of 290.64% compared to the number of complaint files submitted in 2019. The BE DPA also opened 89 mediation cases and processed 4123 requests for information.
In addition to general questions on the GDPR, data subject rights and privacy principles, complaints, mediation requests and information requests were mainly related to direct marketing, consumer data and surveillance cameras.
The BE DPA also received no less than 1097 notifications of data breaches in the course of 2020 (compared to 877 in 2019).
Finally, the DPA received 146 requests for opinions, a figure that decreased slightly because since August 2019, the BE DPA no longer receives requests from the Flemish Parliament and the Flemish Government, despite the fact that the BE DPA's opinion on their draft decrees or orders is required, as pointed out by the Constitutional Court and the Council of State.
The Inspection Service launched 149 investigations in 2020 (compared to 85 in 2019), which mainly related to:
- direct marketing ;
- covid-19 ;
- the functionning of cities and municipalities; and
- cameras.
In 2020, the BE DPA’s Litigation Chamber had to deal with 533 incoming cases. It issued 83 decisions, 34 of which were decisions on the merits, through which it imposed 78 sanctions, 19 of which were fines (for a total of EUR 885,000, of which EUR 57,000 were annulled by the Market Court).
The increase in time-consuming cases such as complaints, investigations or opinions reminds us that it is essential that the BE DPA obtains the means to cope with its increasing workload as soon as possible in order to keep its momentum towards a digital world where privacy is a reality for all.
More details on these figures can be found in the "2020 in figures" (French / Dutch) section of our online Annual Report (available in French or Dutch).