Data Protection & Cybersecurity

Belgium Privacy

1. Please provide an overview of the legal and regulatory framework governing data protection, privacy and cybersecurity in your jurisdiction (e.g., a summary of the key laws; who is covered by them; what sectors, activities or data do they regulate; and who enforces the relevant laws).

A] The following key laws/regulations apply at European Union level:

(i) Data Protection & Privacy

  • Charter of Fundamental Rights of the European Union ("EU Charter"), which includes the right to privacy (Article 8) and is directly applicable in all EU Member States.
  • E-Privacy Directive 2002/58 ("E-Privacy Directive"), which harmonises the provisions of the EU Member States to ensure an equivalent level of protection of the right to privacy and the processing of personal data in the electronic communication sector. As an EU Directive, it is not directly applicable, but needs to be transposed into Member State law.
  • General Data Protection Regulation 2016/679 ("GDPR"). The GDPR is the overarching EU legislation designed to safeguard the rights and privacy of individuals in the processing of their personal data, while also facilitating the free movement of such data. In Belgium, the GDPR has direct effect, empowering individuals to directly invoke and rely on its provisions. The authority responsible for its enforcement is the Belgian Data Protection Authority (Autorité de protection des données/Gegevensbeschermingsautoriteit).
  • Police Data Directive 2016/680 ("Police Data Directive"). The Police Data Directive lays down the rules relating to the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. As an EU Directive, it is not directly applicable, but needs to be transposed into Member State law.

(ii) Cybersecurity

  • Network and Information Security Directive 2016/1148 ("NIS-1"). The purpose of NIS-1 is to strengthen and streamline cybersecurity and the resistance against cyber threats across the EU by imposing a minimum level of information security for network and information systems for operators of essential services, which are considered crucial for the economy and society. As an EU Directive, it is not directly applicable, but needs to be transposed into Member State law.
  • Cybersecurity Act 2019/881 ("CSA"). With a view to increasing cybersecurity in the EU, the CSA establishes a common European framework for cybersecurity certification of ICT products, services, and processes, and reinforces the role of the European Union Agency for Cybersecurity (ENISA) by granting it enhanced responsibilities in the area of cybersecurity certification.

Note: At the level of the Council of Europe (not an EU body), the European Convention on Human Rights ("ECHR"), which includes the right to respect for private and family life (Article 8), applies and is enforced by the European Court of Human Rights. Additionally, consideration should be given to Convention 108, an international instrument that requires signatory countries to take the necessary steps in their domestic legislation to apply the principles it lays down, ensuring fundamental human rights with regard to the processing of personal information. Convention 108 is seen as the "mother" of the EU's GDPR. It was modernised in 2018 (Convention 108+).

B] The following key national laws/regulations apply at Belgian level:

(i) Data Protection & Privacy

  • The Constitution is the foundation on which the political and legal organisation of Belgium is based. Its provisions include the fundamental rights and freedoms of Belgian citizens. Among these provisions is the right to respect for private and family life (Article 22).
  • Code of Economic Law, which contains certain provisions on direct marketing in its Book VI and is supplemented in this respect by the Royal Decree of 4 April 2003 regulating the sending of advertising by e-mail.
  • Law of 21 March 2007 on the use of camera surveillance, which regulates the use of CCTV in public and private areas. The authority responsible for its enforcement is the Belgian Data Protection Authority.
  • Law of 3 December 2017 on the establishment of the Belgian Data Protection Authority, which establishes the legal status, composition, tasks and powers of the Belgian data protection regulator. This law was recently updated (in 2023 and 2024) to reform the internal composition of the regulator and to allow third parties to appeal enforcement decisions.
  • Law of 30 July 2018 on the protection of individuals with regard to the processing of personal data (the "Belgian Data Protection Act"), which contains the national transposition of the Police Data Directive and some provisions of the E-Privacy Directive (notably cookie rules). It also supplements the GDPR by incorporating national choices and derogations allowed by the GDPR. The authority responsible for its enforcement is the Belgian Data Protection Authority.

(ii) Cybersecurity

  • Law of 7 April 2019 establishing a framework for the security of networks and information systems of general interest for public security ("NIS Act"), which is the Belgian transposition of NIS-1. The authority responsible for its enforcement is the Belgian Centre for Cybersecurity (Centre pour la Cybersécurité Belgique/Centrum voor Cybersecurity België).
  • Law of 20 July 2022 on the cybersecurity certification of information and communications technologies and designating a national cybersecurity certification authority. This law provides the Belgian framework for the implementation of the CSA and is supplemented by a Royal Decree of 16 October 2022.

Note: Additional laws and regulations apply at sector-specific level (e.g., for the financial sector, consumer credit, the telecom sector, healthcare, etc.) and to certain processing by public bodies. Employee privacy is also regulated separately, by several Collective Labour Agreements (e.g., regarding electronic monitoring of employees).


Originally published by The Legal 500.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
