Comments on the EU Data Protection Directive
The Belgian Perspective
Centre de Recherches Informatiques et Droit,
2.3 Data Protection Principles Obligations of the Controller
2.5 Data Subject's Rights
This is a refereed article.
Date of Publication: 7 May 1996
Citation: Louveaux S (1996) 'Comments on the EU Data Protection Directive - The Belgian Perspective', 1996 (2) The Journal of Information Law and Technology (JILT). <http://elj.warwick.ac.uk/elj/jilt/dp/2louveau/>. New citation as at 1/1/04: <http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1996_2/louveaux/>
At present, the main legal instrument for the protection of personal data in Belgium is the Data Protection Act dated 8th December 1992. The principles laid down in this act have been further developed by several royal decrees some of which are in the course of adoption at the present time.
The EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the Directive) of the 24th of October 1995, compels the Member States to take the necessary measures in order to comply with the provisions of the Directive within three years of its adoption (article 32). Work has already begun in Belgium so as to modify the existing Act in accordance with the Directive.
The Belgian law applies to automatic processing of personal data and to manual files compiled and stored in a logical manner enabling systematic consultation ('fichier' as opposed to 'dossier' which is not structured). There is no indication, however, as to the criteria which must be used in order to consult the manual files (some files structured by reference to the date of entry of the data, for example, will be covered by the law even though they do not permit any systematic consultation in relation to specific individuals). Nor is there any indication that a file may be decentralised geographically and yet still be accessible. The Directive is more precise in that it specifies that a 'personal filing system' covers any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis' (article 2 (c)). The specific criteria is only criteria relating to individuals, so as to permit easy access to the personal data (name, address, ...).
Processing of personal data, according to the Belgian law covers any operation or set of operations carried out wholly or partly with automatic means and relating to the recording or storing of personal data, as well as to the modification, erasing, consultation, or dissemination of such data. Even though the concept of processing has been widely interpreted so as to include the communication of personal data, it does not cover the collection of personal data. The Directive adopts a wider definition of 'processing of personal data', the mentioning of specific operations being only of exemplary nature ('such as' the collection, recording, organisation, ...). The concept therefore covers any operation carried out on personal data, including the mere collection of such data.
The Belgian law applies to manual files withheld on the Belgian territory and to any processing of personal data directly accessible on the Belgian territory by means which are proper to the processing itself, even if the data is processed outside Belgium. The scope of the law is therefore based on a geographic basis. In the context of global information networks with vast and fragmented data resources, the criteria results in the application of the Belgian law to a vast number of processing operations throughout the world providing these are accessible in Belgium. The Directive adopts in this respect a much more functional criteria, by centring the application of the law to any processing of personal data by a controller established on the territory of a Member State. The criteria is therefore based on the localisation of the controller rather than that of the processing of the data.
The exemptions to the provisions laid down by the Directive are more restrictive than those provided in the Belgian law. Only the processing of personal data in the course of a purely personal or household activity or processing in the course of an activity which falls outside the scope of Community law (such as public security, defence, State security,...) may be exempted. (Exemptions and derogations to certain provisions of the Directive may also be provided for in order to guarantee the freedom of expression). The Belgian law will therefore need to be modified so as to limit its exemptions to cover only the processing of personal data for purely personal activities and the processing of personal data in the context of police activities.
Chapter II of the Directive lays down general rules on the lawfulness of the processing of personal data. These are to be equally found in the Belgian law, although the Directive goes further in its definition of the concepts.
According to article 6 of the Directive, personal data must be processed 'fairly and lawfully'. Fair processing implies a maximum of transparency. Personal data concerning an individual may not be processed without his knowledge or for an unknown purpose. Lawful processing implies the respect of the national provisions adopted pursuant to the Directive. Although not expressly stated in the Belgian law the principle of fair and lawful processing is implicit.
The Directive lays down an explicit limitation to the length of time data may be stored in a way which permit identification of data subjects. This may not extend for longer than is necessary for the purposes for which the data were collected or for which they were further processed. In this respect, the Belgian law does not provide for a positive obligation to be respected by the controller but does, however, enable the data subject to request that data be deleted or forbid the use of certain data if kept for a period longer than necessary (the effective respect of this principle rests with the data subject rather than with the controller).
According to the Directive, personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. This same principle is to be found in the Belgian law, but only in relation to the processing in itself and not to the collection of the data : personal data must be processed for specified and legitimate purpose (article 5). The Directive therefore provides for a stricter application of the principle of legitimate processing.
The determination and legitimacy of the purpose for which the data is processed is the cornerstone of the protection established under Belgian law. There is however no indication in the law as to what constitutes a legitimate purpose. The Commission de la Vie PrivŽe (Belgian data protection authority) has found that processing of personal data is legitimate if the interests of the data subject in respect to his personal privacy are weighed up against the interest of the controller in processing the data. This is presumed when the purpose of the processing is determined by the law. The Directive goes much further than the Belgian Act in the determination of legitimate processing, by specifying precise criteria for making data processing legitimate (article 7). The 'balance of interests' criterion as retained by the Belgian authority is only one of a series of criteria for rendering the processing legitimate.
The compatibility principle stated in the Directive, specifies data must not be used in a way incompatible with the purposes for which the data was collected. According to the Belgian law (article 5) the compatibility principle only implies that personal data must not be used in a way which is incompatible with the purpose for which the data are processed (this is far wider than the principle of the Directive which refers to the collection of the data and not to the processing). There is no indication in the Belgian law as to what constitutes a 'compatible' purpose. The appreciation rests with the data protection authority. The Directive, on the other hand, preempts the question of compatibility in the case of further processing of the data for historical, statistical or scientific purposes, which are not considered as incompatible, providing the Member States provide adequate safeguards.
Both the Directive and the Belgian Act provide for special safeguards with regard to the processing of special categories of data capable by their very nature of infringing fundamental freedoms or privacy. Unlike the Belgian law, the Directive does not make a distinction between the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning sex life on the one hand, and data concerning health on the other.
The principle underlying both texts is one prohibition of processing of such data. The Belgian law lays down for exemptions to this prohibition by way of legislative measures or decrees or allows for the processing of such data within the framework of certain safeguards (unless expressly provided for by law or with the explicit consent of the data subject, data relating to an individual's health may only be processed under the supervision and responsibility of a medical practitioner). There is however no precision as to the purposes for which the data may be processed (it goes without saying that the purpose must be legitimate). Article 8 of the Directive, on the other hand, determines the exact purposes for which sensitive data may be processed without the explicit consent of the data subject (processing necessary for the purposes of carrying out the obligations and specific rights of the controller in the field of employment law, processing necessary to protect the vital interests of the data subject or of another person where the data subject is incapable physically or legally of giving his consent, ...).
The Directive provides in Article 9 that Member States may provide for derogations and exemptions to certain provisions of the Directive for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression. Such exemption must be limited to measures necessary to reconcile the right to privacy with the rules governing the freedom of expression. The Belgian law does not provide for any such exemptions or derogations and will possibly therefore need to do so in order to comply with the Directive.
Both the Directive and the Belgian Act require transparency in the processing of personal data and provide for the obligation of the controller to give information to the data subject either at the time of collection of the data or when the data is first recorded. The Directive goes much further in the content of the information which must be given. The data subject must not only be informed of the identity of the controller, of the purposes of the processing, but equally, of further information such as of the categories of data concerned, the recipients or categories of recipients and whether replies to questions are obligatory or voluntary. This further information must only be given in so far as it is necessary to guarantee 'fair' processing of the data having regard to the specific circumstances in which the data are processed. The processing of particularly sensitive data or the processing of personal data in complex networks may require this information to be given.
The right of access to personal data as specified in the Directive is far broader than that provided for under the Belgian law. Indeed, article 12 of the Directive enables the data subject to obtain from the controller not only the confirmation as to whether data relating to him are being processed and communication of such data in an intelligible form, but equally knowledge of the logic involved in any automatic processing of data concerning him, at least in cases of automatic processing of his data. He may also obtain, where available, information as to the source of the data. The Directive also provides for wide exemptions to the right of access and rectification (article 13), exemptions which are not permitted according to Belgian law.
Save where otherwise provided by national legislation, the Directive grants the data subject with a right to object to the processing of personal data on compelling legitimate grounds relating to his particular situation (article 14). This right is granted unconditionally in the context of the processing of personal data for direct marketing purposes. The data subject has no general right to object to the processing of personal data under Belgian law. He may only require the suppression or prohibit the use of certain data if incomplete or inaccurate or if the data is stored for a longer period than that authorised (article 12.a).
The Directive grants the data subject with the right not to be subject to a decision which produces legal effects concerning him or which significantly affects him and which is based solely on an automated decision of personal data intended to evaluate certain personal aspects relating to him such as his performance at work, creditworthiness, ... (article 15). This provision aims at avoiding the adoption of adverse decisions without any human intervention. Seeing as Belgian legislation does not provide for any such right, the law will need to be modified accordingly.