A system for obtaining advance rulings on specific tax matters has been in place in Belgium since the nineties. It allows natural and legal persons, under certain conditions, to obtain binding decisions from the tax authorities for a maximum period of five years, setting out how they will apply tax law to a particular situation or transaction that has yet to produce tax effects. A recent proposal made in the Belgian parliament seeks to create a similar system of 'privacy rulings'.
The Belgian DPA does not provide explicit advance decisions on privacy questions brought to it, nor is there any legal basis in the GDPR or the Belgian Privacy Act for it to do so. Any informal arrangements with the DPA are never published, so other parties cannot learn from them. It is also difficult to estimate whether the DPA will consider itself bound by such informal arrangements at a later stage.
Article 36 of the GDPR only sets out a procedure for consulting the DPA where a data protection impact assessment (DPIA) indicates that an envisaged processing would result in a high risk to the rights and freedoms of natural persons in the absence of measures taken by the controller to mitigate the risk. Within eight weeks, the DPA must respond to such a request if it is of the opinion that the intended processing would infringe the GDPR. Hence, this cannot be seen as a general possibility to obtain a decision from the DPA on identified privacy issues.
The proposal to amend the Belgian act of 3 December 2017 governing the DPA would create the possibility for the DPA to issue a ruling, i.e. an advance decision on how the DPA will apply the law to a specific situation or an envisaged processing of personal data. Such a ruling would bind all departments of the DPA, save for a number of exceptions, which means that they would need to respect it in the future. To be clear: such a ruling would only concern specific situations, not hypothetical questions.
A request for a Belgian 'privacy ruling' would need to include: (i) the identity of the requesting party and other involved parties, if any; (ii) a description of the activities of the requesting party; (iii) a complete description of the specific situation or the envisaged processing; and (iv) a reference to the legal or regulatory provisions based on which the decisions would need to be made. A copy of similar requests and decisions which were filed with or obtained from the DPAs of other EU member states with respect to the same subject would also need to be provided.
The DPA would need to provide a ruling within three months of receipt of the request, unless both parties agree on a different term. The DPA would need to give the requesting party an estimate of the response term within fifteen business days of receipt of the request.
However, a ruling could be denied if the processing has already commenced or is identical to a processing which has already been the subject of an administrative appeal or judicial procedure between the Belgian state and the requesting party. Additionally, the DPA could also deny a ruling if the provisions referred to could not be sufficiently relied on to provide it, or if the ruling would lack any legal effect if it were based on those provisions.
A ruling could be provided for a renewable period of at most five years, unless the subject of the request justifies a longer period. It would be binding upon the DPA during that period, unless: (i) the conditions applicable to the ruling are not fulfilled; (ii) the situation or envisaged processing was incompletely or incorrectly described by the requesting party, or essential elements of the processing have not been carried out according to the requesting party's description; (iii) the Belgian DPA was not the lead supervisory authority in the sense of Article 56 of the GDPR; (iv) decisions or opinions are issued within the framework of the consistency mechanism under Article 63 of the GDPR which apply to the situation or envisaged processing set out in the ruling; (v) changes are made to the provisions of EU treaties, EU law or national law which apply to the situation or envisaged processing; (vi) it turns out that the ruling is not in accordance with EU treaties, EU law or national law; or (vii) binding decisions of the European Data Protection Board (EDPB) are issued which apply to the situation or envisaged processing.
The ruling could also lose its binding nature as a consequence of changes to the main effects of the situation or processing which would be directly or indirectly attributable to the requesting party.
Interestingly, all rulings would be published by the DPA on an anonymous basis. While the DPA would in principle not be bound towards third parties by these decisions, they could provide valuable guidance for other parties (and possible arguments when facing enquiries by the DPA in an investigation).
The proposal refers to the initiative of 'regulatory sandboxes' launched in the UK in September 2020, which provide the opportunity for organizations to maintain a direct contact with the British DPA about innovative projects with complex data protection questions. A similar project was launched by the Norwegian DPA in 2020 to promote the development of innovative, ethical and responsible AI solutions. The French DPA launched its own sandbox initiative in February 2021 for innovative projects in the healthcare sector which make use of personal data.
These sandbox initiatives were set up to improve the implementation of privacy-by-design. In a way, a system of privacy rulings would have a similar aim, but with a wider scope. It would allow organizations, within the design stage of a future processing of personal data, to assess with the DPA whether such processing is GDPR-compliant. This system would prevent future breaches of the GDPR and increase the level of protection of data subjects' personal data throughout the EU.
It is unknown whether this proposal will make it into Belgian law. However, it provides an interesting addition to the GDPR's framework which would allow DPAs to assist organizations more proactively to comply with the GDPR, rather than doing so reactively after damage was caused.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.