On 25 November 2009, the European Union adopted a revised regulatory framework for the European telecommunication sector, consisting of one Regulation and two Directives (together the "EU Framework"). These Directives were due to be implemented in the EU Member States before 25 May 2011.
However, the Belgian parliament has only recently adopted a law implementing the EU Framework into Belgian law (Law of 21 June 2012 introducing various provisions regarding electronic communications, hereafter the "Law"). Once published and entered into force, the new Law will effect numerous changes. We look at how the Law implements two key provisions of the EU Framework under Belgian law, namely the data breach notification and the so-called EU cookie rule.
Personal Data Breach Notification
The ePrivacy Directive already obliges providers of electronic communication services to implement appropriate technical and organisational protection measures to safeguard the security of their services (see Article 4(1)). The EU Framework goes a step further and obliges providers to notify "personal data breaches", both to the competent national authority and to the individuals concerned by the breach. While notification to the regulator is required in all situations of breach, notification to individuals is required only when the breach is likely to adversely affect their personal data or privacy, but not when the regulator is satisfied that appropriate technological protection measures have been implemented (see Article 4(3)).
The Law implements the notification regime by inserting a new Article 114/1 par. 3 in the law on electronic communications (Law of 13 June 2005 regarding electronic communications or "e-Communications Law"). Under the new rule, the notification must be made to the Belgian Institute for Postal Services and Telecommunications (the "BIPT"), the supervisory body of the electronic communications sector.
Although the Law transposes almost verbatim the provision of the EU Framework, it does contain a small but significant difference, namely that in the EU Framework a notification is triggered by a personal data breach, while under the Law, any "endangering of the security of an electronic communication service with respect to personal data" suffices to trigger the need for a notification. It is unclear how this provision would operate in practice but it is arguably wider and therefore could trigger the notification in a wider range of situations.
The Cookie Rule
Another heavily debated provision of the EU Framework is the so-called "cookie rule". The storing of, or gaining access to, information on the terminal equipment of a subscriber, or user, is only allowed if they have been properly informed and have given their consent (Article 5(3) ePrivacy Directive, as amended by the EU Framework).
This provision regulates a range of technology including the use of cookies installed by website operators on the computers of users – often without their knowledge. The key issue is how to obtain that consent. The ePrivacy Directive suggests website operators may eventually be able to rely on the browser settings of the user, which may or may not prohibit the use of cookies. However, most Members States have concluded that current browser settings are not sufficient to demonstrate such consent, not least because the default setting is to allow cookies.
The Law implements the cookie rule under Belgian law in Article 129 of the e-Communications Law. In doing so, it largely follows the text proposed by the EU Framework. However, it distinguishes more specifically the two conditions required, i.e. (a) clear and specific information regarding the purposes of the data processing and the rights of the individual based on the Belgian legislation protecting personal data, and (b) the obtaining of the individual's consent after the above information has been provided.
The Law also emphasises that the data controller must allow users to withdraw their consent free of charge. It specifies that compliance with the above requirements does not exempt the website operator from applying the other relevant provisions of Belgian legislation protecting personal data.
As in most other Member States, the Law does not consider how consent from users should be obtained and so it will be up to the regulators to issue relevant guidance. A first indication of the Belgian position is that, during its review of the draft bill, the regulator in charge of data protection indicated that consent may not be obtained through current browser settings (Privacy Commission Opinion 10/2012 of 21 March 2012 regarding the draft bill).
Conclusion
The Law demonstrates that, as in other Member States, the implementation of the EU Framework into local law is resulting in diverging positions. Although the Law does not specify how consent should be obtained with respect to cookies, Belgium seems inclined to follow a hard line and refuse current browser settings as a proper expression of consent. This is likely to negatively impact electronic business unless a more pragmatic approach is developed by the operators and accepted by the regulator.
This article first appeared in Global Business Magazine.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
