A bit of context
The world we live in is growing ever more complex and so is the regulatory landscape. Companies and businesses are subject to multiple layers of rules and finding one’s way across these technicalities can be both burdensome and expensive. At the same time, regulatory breaches can lead to harsh consequences.
In the recent years, this has been especially true in the data protection field, where the General Data Protection Regulation (EU) 2016/679 (“GDPR”) has been a small revolution.
This revolution has come with the appointment of an army of data protection officers and the setting up of specialised teams within many law firms and consultancies.
Nonetheless, data protection regulations remain complex and many companies find it difficult to navigate them.
Privacy rulings as a response to uncertainty?
On 4 March 2021, a member of the Federal Parliament filed a law proposal to create a so-called “privacy ruling” mechanism (available here).
A privacy ruling would be a decision by the Belgian Data Protection Authority (“DPA”) on how it would apply data protection law to a given set of circumstances.
The idea is to transpose what already exists in the tax field – where taxpayers can submit a contemplated transaction to the Federal Office for Advance Tax Rulings – to the data protection field.
The author of the law proposal suggests that this would increase legal certainty for data processors.
How would this work?
In a nutshell, the DPA would be the competent authority to issue privacy rulings.
Privacy rulings should in principle be rendered within three months as from the filing of the ruling request, but the DPA and the ruling applicant could agree on another timeframe.
Privacy rulings could only be issued with respect to a set of circumstances or a transaction which have not yet materialise. Events and transactions which have already occurred are not admissible.
Furthermore, the DPA could refuse to issue a privacy ruling if “granting a privacy ruling would be inappropriate or ineffective due to the nature of the legal or regulatory provisions raised in the application”. It is a bit unclear what this broad exception could cover in practice.
Privacy rulings could be binding for a period of up to five years – unless a longer period of time is found justifiable and is specifically motivated in the DPA’s decision. In all cases, the period of validity could be renewed.
Finally, privacy rulings would be published anonymously (that would be the least a data protection authority could do) to provide legal certainty and create some sort of case law for other possible applicants.
Is this compliant with the EU regulatory framework?
Hard to say but the question is worth asking.
Article 36 of the GDPR already sets forth a system of prior consultation, but this has nothing to do with the contemplated “privacy ruling” mechanism. Under this provision, data controllers must consult their supervisory authority prior to processing data where their data protection impact assessment indicates that such processing would result in a high risk in the absence of mitigation measures.
The contemplated privacy ruling mechanism would go much further as it would allow data processors to submit a wide range of questions to the DPA and obtain a binding answer from the authority.
Technically, Article 58.6 of the GDPR allows Member States to grant their respective data protection authorities additional powers to those foreseen in the GDPR. This provision could be a valid ground for the broadening of the DPA’s competences to issue privacy rulings.
However, there are obvious threats to the contemplated mechanism.
Firstly, the rulings could bind the Belgian DPA but not authorities from other Member States or EU institutions.
Secondly, the GDPR is an EU-wide regulation with direct effect in all Member States. It could be amended at any time and prove a privacy ruling wrong or at least outdated.
These threats have been identified in the law proposal. Amongst other exceptions, it states that privacy rulings are binding for the DPA unless (i) it appears that the Belgian DPA was not the lead supervisory authority (Art. 56 GDPR), (ii) another view is adopted in the framework of the consistency mechanism by other data protection authorities and the EU Commission (Art. 63 GDPR), or (iii) in the case of amendments to EU law.
These exceptions are a mere acknowledgement of what would happen anyway. In practice, they might make a Belgian privacy ruling mechanism less appealing than what is meant to be.
The law proposal will be discussed in the Federal Parliament and will either be rejected or adopted, possibly after various amendments.
We will keep you posted.
For any question or guidance, please contact our Digital Finance Team
+32 (0)2 543 70 80